
Windows Analysis Report
4iDSIZ8MhI.exe

Overview

General Information

Sample name: 4iDSIZ8MhI.exe (renamed because the original name is a hash value)
Original sample name: 459d078aefc37782388eb6c6e1dedb4efc48eb7f3888893ebe1b0962b059a949.exe
Analysis ID: 1504853
MD5: 01284d3ef501955ac9ed679e5cb32e23
SHA1: b86ead0f46e939b6fbde343520133de2daaac2da
SHA256: 459d078aefc37782388eb6c6e1dedb4efc48eb7f3888893ebe1b0962b059a949
Tags: exe

Detection

FormBook
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 4iDSIZ8MhI.exe (PID: 2344 cmdline: "C:\Users\user\Desktop\4iDSIZ8MhI.exe" MD5: 01284D3EF501955AC9ED679E5CB32E23)
    • svchost.exe (PID: 5996 cmdline: "C:\Users\user\Desktop\4iDSIZ8MhI.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author, matched strings listed beneath each rule):
00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e113:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17752:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2abf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1422f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Yara matches in unpacked PEs (Source | Rule | Description | Author, matched strings listed beneath each rule):
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2d313:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16952:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e113:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17752:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
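An offline re-check of what these tables list, added here as an example (it is not Joe Sandbox or Elastic code): it searches a buffer for the two hex strings the report quotes for Windows_Trojan_Formbook_1112e116, for the AutoIt marker text the report finds in the dropper, parses a Joe Sandbox dump name, and confirms that the .raw.unpack and .unpack offsets above differ by one constant shift (0xe00, as expected when the same image is viewed in raw and in section-aligned layout). The meaning assigned to the dump-name fields (process index, base address, page protection) is an assumption read off the 2.2.svchost.exe.400000.0.unpack cross-reference, and the input buffer is constructed so the script runs without the real dump.

```python
"""Offline re-check of the indicators listed in the Yara tables above.
Added example; not Joe Sandbox or Elastic code.  It searches a buffer for the
two hex strings the report quotes for Windows_Trojan_Formbook_1112e116 ($a2,
$a3) and for the AutoIt marker text found in the dropper, parses a Joe
Sandbox memory-dump name, and checks that two offset listings for the same
image differ by one constant shift.  The input buffer is constructed here so
the script runs without the real dump."""
import re
from typing import Dict, List, Optional

# Byte patterns copied from the report's Yara string listing.
FORMBOOK_STRINGS = {
    "$a2": bytes.fromhex("74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55"),
    "$a3": bytes.fromhex("1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01"),
}
# Marker string the report found in the AutoIt-compiled dropper.
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."

# Dump names look like
# 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp
# Assumption about the fields: the first is the process index (it matches the
# "2.2.svchost.exe.400000.0.unpack" cross-reference), the 16-digit field is
# the region base, and the field after it is the page protection (0x40 =
# PAGE_EXECUTE_READWRITE).  The remaining fields are accepted but not interpreted.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})(?:\.[0-9a-f]{8}){3}\.sdmp$",
    re.IGNORECASE,
)


def scan_indicators(buf: bytes) -> Dict[str, List[int]]:
    """Return {indicator: [offsets]} for every indicator present in buf."""
    patterns = dict(FORMBOOK_STRINGS, autoit_marker=AUTOIT_MARKER)
    hits: Dict[str, List[int]] = {}
    for name, pattern in patterns.items():
        offsets, start = [], 0
        while (pos := buf.find(pattern, start)) != -1:
            offsets.append(pos)
            start = pos + 1          # keep scanning; overlapping hits are fine
        if offsets:
            hits[name] = offsets
    return hits


def parse_sdmp_name(name: str) -> Dict[str, int]:
    """Pull process index, dump id, base address and protection out of a dump name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return {
        "process_index": int(m["proc"], 16),
        "dump_id": int(m["dump_id"]),
        "base_address": int(m["base"], 16),
        "protection": int(m["prot"], 16),
    }


def consistent_shift(a: Dict[str, int], b: Dict[str, int]) -> Optional[int]:
    """If every string shared by two offset listings moved by the same amount,
    return that amount, otherwise None.  The report's .raw.unpack offsets
    (0x2e113, 0x17752) and .unpack offsets (0x2d313, 0x16952) both move by
    0xe00, which is what a raw-to-virtual section realignment looks like."""
    deltas = {a[k] - b[k] for k in a.keys() & b.keys()}
    return deltas.pop() if len(deltas) == 1 else None


def build_sample_buffer() -> bytes:
    """Constructed stand-in for the dumped payload: zero-filled, with $a3 at
    0x1000 and $a2 at 0x2000.  Not the real dump."""
    buf = bytearray(0x3000)
    buf[0x1000:0x1000 + len(FORMBOOK_STRINGS["$a3"])] = FORMBOOK_STRINGS["$a3"]
    buf[0x2000:0x2000 + len(FORMBOOK_STRINGS["$a2"])] = FORMBOOK_STRINGS["$a2"]
    return bytes(buf)


if __name__ == "__main__":
    for name, offsets in scan_indicators(build_sample_buffer()).items():
        print(name, [hex(o) for o in offsets])
    print(parse_sdmp_name(
        "00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp"))
    print(hex(consistent_shift({"$a2": 0x2e113, "$a3": 0x17752},
                               {"$a2": 0x2d313, "$a3": 0x16952})))
```

To run it against the real artefacts, read the .sdmp or .unpack file into `buf` and compare the returned offsets with the ones printed in the table; a match at the same offsets is a direct confirmation of the rule hit without needing the yara binary on the box.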

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", CommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", ParentImage: C:\Users\user\Desktop\4iDSIZ8MhI.exe, ParentProcessId: 2344, ParentProcessName: 4iDSIZ8MhI.exe, ProcessCommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", ProcessId: 5996, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", CommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", ParentImage: C:\Users\user\Desktop\4iDSIZ8MhI.exe, ParentProcessId: 2344, ParentProcessName: 4iDSIZ8MhI.exe, ProcessCommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", ProcessId: 5996, ProcessName: svchost.exe
No Suricata rule has matched
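The event above is what a hollowed service host looks like in process-creation telemetry: the image on disk is C:\Windows\SysWOW64\svchost.exe, but the command line and the parent are both the dropper. The logic below replays that event and a constructed benign one; it is an added example written for this page, not the Sigma rule (whose body the report does not reproduce). The parent allow-list and the "-k service group" heuristic are assumptions a defender would tune locally.

```python
"""Replay of the process-creation event quoted in the Sigma hit above.
Added example; not the Sigma rule itself, whose text the report does not
reproduce.  It flags an svchost.exe start whose parent is not the service
control manager, a command line that names a different executable than the
image on disk (what process hollowing leaves behind), and an svchost.exe
started without the -k service group a real service host carries.
REPORT_EVENT holds the report's own field values; BENIGN_EVENT is constructed."""
import ntpath
from typing import Dict, List

# Parents that legitimately spawn svchost.exe.  Assumption: a defender's own
# allow-list; the published rule carries its own exclusions.
ALLOWED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}

REPORT_EVENT = {
    "Image": r"C:\Windows\SysWOW64\svchost.exe",
    "CommandLine": r'"C:\Users\user\Desktop\4iDSIZ8MhI.exe"',
    "ParentImage": r"C:\Users\user\Desktop\4iDSIZ8MhI.exe",
    "ParentCommandLine": r'"C:\Users\user\Desktop\4iDSIZ8MhI.exe"',
    "ProcessId": 5996,
    "ParentProcessId": 2344,
}
BENIGN_EVENT = {  # constructed: a normal service host start
    "Image": r"C:\Windows\System32\svchost.exe",
    "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
    "ParentImage": r"C:\Windows\System32\services.exe",
    "ParentCommandLine": r"C:\Windows\System32\services.exe",
    "ProcessId": 1234,
    "ParentProcessId": 700,
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def image_from_cmdline(cmdline: str) -> str:
    """Executable named by a Windows command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def evaluate(event: Dict[str, object]) -> List[str]:
    """Return the reasons the event is suspicious; an empty list means benign."""
    reasons: List[str] = []
    image = basename(str(event["Image"]))
    parent = basename(str(event["ParentImage"]))
    cmdline = str(event["CommandLine"])
    # 1. Uncommon parent: only the SCM (and a few known agents) start svchost.
    if image == "svchost.exe" and parent not in ALLOWED_SVCHOST_PARENTS:
        reasons.append(f"svchost.exe started by uncommon parent {parent}")
    # 2. Hollowing tell: the command line is inherited from the creator's
    #    STARTUPINFO and still names the dropper, not the image on disk.
    claimed = basename(image_from_cmdline(cmdline))
    if claimed and claimed != image:
        reasons.append(f"command line names {claimed} but image is {image}")
    # 3. Every real service host is started with "-k <group>".
    if image == "svchost.exe" and " -k " not in f" {cmdline.lower()} ":
        reasons.append("svchost.exe started without a -k service group")
    return reasons


if __name__ == "__main__":
    for label, ev in (("report", REPORT_EVENT), ("benign", BENIGN_EVENT)):
        print(label, ev["ProcessId"], evaluate(ev) or ["ok"])
```

Check 2 is the one worth keeping even where a parent allow-list is too noisy: a legitimate process is created with its own path on the command line, so an image/command-line mismatch on a system binary is rare outside injection.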

          AV Detection

Source: 4iDSIZ8MhI.exe | ReversingLabs: Detection: 42%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 4iDSIZ8MhI.exe | Joe Sandbox ML: detected
Source: 4iDSIZ8MhI.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: 4iDSIZ8MhI.exe, 00000000.00000003.1245380225.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, 4iDSIZ8MhI.exe, 00000000.00000003.1246020881.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1325170489.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1322705806.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: 4iDSIZ8MhI.exe, 00000000.00000003.1245380225.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, 4iDSIZ8MhI.exe, 00000000.00000003.1246020881.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1325170489.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1322705806.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0031C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_003568EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0035698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00359642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0035979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00359B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00355C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0035CE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0035EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0035ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00379576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4iDSIZ8MhI.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 4iDSIZ8MhI.exe, 00000000.00000000.1235773363.00000000003A2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_a7f39df8-7)
Source: 4iDSIZ8MhI.exe, 00000000.00000000.1235773363.00000000003A2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_d56120c6-0)
Source: 4iDSIZ8MhI.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_a281871b-d)
Source: 4iDSIZ8MhI.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_10e38a6e-0)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042B5C3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03974650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03972C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03973D70 NtOpenThread
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034D5EB CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00341201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
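The svchost.exe native-call stubs listed above all sit at 0x0397xxxx, inside the region the report dumps from 0x03900000 with protection 0x40 and in which it also finds the wntdll.pdb string, rather than inside the ntdll.dll the loader mapped; together with the LdrInitializeThunk references that is the pattern an analyst reads as the payload resolving syscalls through its own copy of ntdll. The helper below, added here as an example and not Joe Sandbox code, parses "Code function" lines as printed in this report, groups the Nt* calls by region, and reports which steps of the suspended-process injection chain named by the signatures are present. The region bases are the report's dump bases; the region sizes and the hypothetical sample lines are constructed for the example.

```python
"""Triage of the svchost.exe 'Code function' lines above.  Added example,
not Joe Sandbox code.  It parses entries such as
'2_2_03972B60 NtClose,LdrInitializeThunk' (with or without the report's
trailing function id), groups the native calls by the memory region they
were resolved in, and reports which stages of the suspended-process
injection chain named by the report's signatures are present.  Region bases
come from the report's dump names (the 0x03900000 region also carries the
wntdll.pdb string); region sizes and the sample lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<apis>[A-Za-z0-9_,]+)")
FUNC_ID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")   # trailing '2_2_03972B60' repeats

# (start, end) of the regions of interest in process 2.  Sizes are assumed;
# the report lists dump slices at 0x03900000 and 0x03A9E000 for the second.
REGIONS = {
    "formbook_image": (0x00400000, 0x00440000),
    "mapped_ntdll":   (0x03900000, 0x03AA0000),
}

# Injection chain the report's signatures describe (create a suspended
# process, map/write into it, redirect a thread, resume), keyed by the
# native calls that implement each step.
HOLLOWING_CHAIN: List[Tuple[str, Set[str]]] = [
    ("create process",       {"NtCreateProcessEx", "NtCreateUserProcess"}),
    ("unmap original image", {"NtUnmapViewOfSection"}),
    ("allocate or map",      {"NtAllocateVirtualMemory", "NtMapViewOfSection"}),
    ("write payload",        {"NtWriteVirtualMemory"}),
    ("make executable",      {"NtProtectVirtualMemory"}),
    ("redirect execution",   {"NtSetContextThread", "NtQueueApcThread"}),
    ("resume",               {"NtResumeThread"}),
]

SAMPLE_LINES = [  # a subset of the svchost.exe entries in this report
    "2_2_0042B5C3 NtClose",
    "2_2_03972B60 NtClose,LdrInitializeThunk",
    "2_2_03974340 NtSetContextThread",
    "2_2_03972BF0 NtAllocateVirtualMemory",
    "2_2_03972F90 NtProtectVirtualMemory",
    "2_2_03972FB0 NtResumeThread",
    "2_2_03972F60 NtCreateProcessEx",
    "2_2_03972E30 NtWriteVirtualMemory",
    "2_2_03972EE0 NtQueueApcThread",
    "2_2_03972D10 NtMapViewOfSection",
    "2_2_03972D30 NtUnmapViewOfSection",
]


def parse_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(address, [api, ...]) for every line that carries a code-function entry."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            apis = [a for a in m["apis"].split(",") if a and not FUNC_ID_RE.fullmatch(a)]
            out.append((int(m["addr"], 16), apis))
    return out


def region_of(addr: int) -> str:
    for name, (lo, hi) in REGIONS.items():
        if lo <= addr < hi:
            return name
    return "other"


def apis_by_region(funcs: List[Tuple[int, List[str]]]) -> Dict[str, Set[str]]:
    """Native (Nt*) calls seen per region; loader helpers are ignored."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for addr, apis in funcs:
        grouped[region_of(addr)].update(a for a in apis if a.startswith("Nt"))
    return dict(grouped)


def chain_coverage(apis: Set[str]) -> Tuple[List[str], List[str]]:
    """(present steps, missing steps) of the injection chain for one region."""
    present = [step for step, names in HOLLOWING_CHAIN if names & apis]
    missing = [step for step, names in HOLLOWING_CHAIN if not names & apis]
    return present, missing


if __name__ == "__main__":
    for region, apis in apis_by_region(parse_lines(SAMPLE_LINES)).items():
        present, missing = chain_coverage(apis)
        print(f"{region}: {len(apis)} native calls; present {present}; missing {missing}")
```

Feed it the full list of lines from this section and the split is immediate: the only call resolved inside the 0x00400000 image is NtClose, while every step of the chain resolves inside the 0x03900000 region, which is the place to set breakpoints or dump from if the hollowed payload has to be recovered by hand.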
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code functions (listed without API calls): 0_2_002EBF40, 0_2_002E8060, 0_2_00352046, 0_2_00348298, 0_2_0031E4FF, 0_2_0031676B, 0_2_00374873, 0_2_0030CAA0, 0_2_002ECAF0, 0_2_002FCC39, 0_2_00316DD9, 0_2_002FD064, 0_2_002E90B7, 0_2_002FB119, 0_2_002E91C0, 0_2_00301394, 0_2_00301706, 0_2_0030781B, 0_2_002E7920, 0_2_002F997D, 0_2_003019B0, 0_2_00307A4A, 0_2_00301C77, 0_2_00307CA7, 0_2_00333CD5, 0_2_0036BE44, 0_2_00319EEE, 0_2_00301F32, 0_2_039935F0
Source: C:\Windows\SysWOW64\svchost.exe | Code functions (listed without API calls): 2_2_00401170, 2_2_004101B1, 2_2_004101B3, 2_2_00403270, 2_2_0042DA03, 2_2_00416AC3, 2_2_004103D3, 2_2_0040E44B, 2_2_0040E453, 2_2_00402430, 2_2_0040E597, 2_2_00402759, 2_2_00402760, 2_2_0040E71F, 2_2_03A003E6, 2_2_0394E3F0, 2_2_039FA352, 2_2_039C02C0, 2_2_039E0274, 2_2_03A001AA, 2_2_039F41A2, 2_2_039F81CC, 2_2_039DA118, 2_2_03930100, 2_2_039C8158, 2_2_039D2000, 2_2_0393C7C0, 2_2_03964750, 2_2_03940770, 2_2_0395C6E0, 2_2_03A00591, 2_2_03940535, 2_2_039EE4F6, 2_2_039E4420, 2_2_039F2446, 2_2_039F6BD7, 2_2_039FAB40, 2_2_0393EA80, 2_2_03A0A9A6, 2_2_039429A0, 2_2_03956962, 2_2_039268B8, 2_2_0396E8F0, 2_2_0394A840, 2_2_03942840, 2_2_039BEFA0, 2_2_03932FC8, 2_2_0394CFE0, 2_2_03960F30, 2_2_039E2F30, 2_2_03982F28, 2_2_039B4F40, 2_2_03952E90, 2_2_039FCE93, 2_2_039FEEDB, 2_2_039FEE26, 2_2_03940E59, 2_2_03958DBF, 2_2_0393ADE0, 2_2_039DCD1F, 2_2_0394AD00, 2_2_039E0CB5, 2_2_03930CF2, 2_2_03940C00, 2_2_0398739A, 2_2_039F132D, 2_2_0392D34C, 2_2_039452A0, 2_2_0395B2C0, 2_2_039E12ED, 2_2_0394B1B0, 2_2_03A0B16B, 2_2_0392F172, 2_2_0397516C, 2_2_039EF0CC, 2_2_039470C0, 2_2_039F70E9, 2_2_039FF0E0, 2_2_039FF7B0, 2_2_039F16CC, 2_2_03985630, 2_2_039DD5B0, 2_2_039F7571, 2_2_039FF43F, 2_2_03931460, 2_2_0395FB80, 2_2_039B5BF0, 2_2_0397DBF9, 2_2_039FFB76, 2_2_039DDAAC, 2_2_03985AA0, 2_2_039E1AA3, 2_2_039EDAC6, 2_2_039FFA49, 2_2_039F7A46, 2_2_039B3A6C, 2_2_039D5910, 2_2_03949950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395B9502_2_0395B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039438E02_2_039438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AD8002_2_039AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03941F922_2_03941F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FFFB12_2_039FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FFF092_2_039FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03949EB02_2_03949EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395FDC02_2_0395FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F1D5A2_2_039F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03943D402_2_03943D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F7D732_2_039F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FFCF22_2_039FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B9C322_2_039B9C32
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 0392B970 appears 277 times
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03975130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 039AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 039BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03987E54 appears 111 times
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: String function: 00300A30 appears 46 times
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: String function: 002E9CB3 appears 31 times
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: String function: 002FF9F2 appears 40 times
          Source: 4iDSIZ8MhI.exe, 00000000.00000003.1255191705.000000000408D000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs 4iDSIZ8MhI.exe
          Source: 4iDSIZ8MhI.exe, 00000000.00000003.1247077060.0000000003EE3000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs 4iDSIZ8MhI.exe
          Source: 4iDSIZ8MhI.exe  Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine  Classification label: mal92.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_003537B5  GetLastError, FormatMessageW
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_003410BF  AdjustTokenPrivileges, CloseHandle
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_003416C3  LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_003551CD  SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0036A67C  CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0035648E  _wcslen, CoInitialize, CoCreateInstance, CoUninitialize
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_002E42A2  CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  File created: C:\Users\user~1\AppData\Local\Temp\autE651.tmp
          Source: 4iDSIZ8MhI.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 4iDSIZ8MhI.exe  ReversingLabs: Detection: 42%
          Source: unknown  Process created: C:\Users\user\Desktop\4iDSIZ8MhI.exe "C:\Users\user\Desktop\4iDSIZ8MhI.exe"
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\4iDSIZ8MhI.exe"
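          The two "Process created" rows above are the most actionable rows in this report. The sample starts C:\Windows\SysWOW64\svchost.exe, but the new process carries the sample's own path as its command line and has the sample, not services.exe, as its parent. That is the process-tree footprint of a hollowed or otherwise injected svchost.exe: the image on disk is legitimate, the code it ends up running is not. Both facts are visible in ordinary process-creation telemetry (Sysmon event 1, Security event 4688 with command-line auditing, or any EDR process event) and neither depends on reading the injected memory. The Python below is an added example, not part of the Joe Sandbox report; the events are constructed to mirror the process tree above (the parent of the first process, which the report lists as unknown, is left empty), and the benign third event is added for contrast.

```python
"""Process-creation triage for an injected / hollowed svchost.exe.

Added example (not Joe Sandbox code). Applies two checks to process-creation
events: a hosted-service image must be started by services.exe, and the
executable named in the command line must be the image that actually runs.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the executable image
    command_line: str   # command line as recorded at creation
    parent_image: str   # full path of the parent image ("" if not recorded)


# Images that Windows, in normal operation, only starts under services.exe.
SERVICE_HOSTS = {"svchost.exe"}
SERVICE_MANAGER = "services.exe"


def image_name(path: str) -> str:
    """Case-folded file name of a Windows path ("" for an empty path)."""
    return PureWindowsPath(path).name.casefold() if path else ""


def cmdline_image(command_line: str) -> str:
    """First token of a Windows command line: a quoted path, or up to the first space."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def check(ev: ProcEvent) -> List[str]:
    """Reasons this event looks like process injection; empty list if it looks normal."""
    reasons: List[str] = []
    img = image_name(ev.image)
    parent = image_name(ev.parent_image)
    # Check 1: a service host spawned by anything other than the service manager.
    if img in SERVICE_HOSTS and parent and parent != SERVICE_MANAGER:
        reasons.append(f"{img} started by {parent} instead of {SERVICE_MANAGER}")
    # Check 2: the command line claims to be a different executable than the image.
    claimed = image_name(cmdline_image(ev.command_line))
    if claimed and claimed != img:
        reasons.append(f"command line names {claimed} but the image is {img}")
    return reasons


def triage(events: List[ProcEvent]) -> List[Tuple[str, List[str]]]:
    """(image path, reasons) for every event that triggered at least one check."""
    return [(ev.image, r) for ev in events if (r := check(ev))]


# Constructed events mirroring the process tree in this report (not real telemetry).
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\4iDSIZ8MhI.exe",
              r'"C:\Users\user\Desktop\4iDSIZ8MhI.exe"',
              ""),                                   # parent listed as unknown in the report
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\4iDSIZ8MhI.exe"',
              r"C:\Users\user\Desktop\4iDSIZ8MhI.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",    # benign service host, for contrast
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
              r"C:\Windows\System32\services.exe"),
]


if __name__ == "__main__":
    for image, reasons in triage(EVENTS):
        print(image)
        for reason in reasons:
            print("   ", reason)
```

          The SysWOW64 path is deliberately not a rule on its own: a 32-bit svchost.exe is unusual on 64-bit Windows but not impossible, whereas a service host whose parent is not services.exe, or whose command line names another binary, has no legitimate explanation. Tune the parent check per environment before alerting on it; the command-line mismatch is the higher-confidence signal of the two.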
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: version.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Section loaded: ntmarta.dll
          Source: 4iDSIZ8MhI.exe  Static file information: File size 1260544 > 1048576
          Source: 4iDSIZ8MhI.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: 4iDSIZ8MhI.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: 4iDSIZ8MhI.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: 4iDSIZ8MhI.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: 4iDSIZ8MhI.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: 4iDSIZ8MhI.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: 4iDSIZ8MhI.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: 4iDSIZ8MhI.exe, 00000000.00000003.1245380225.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, 4iDSIZ8MhI.exe, 00000000.00000003.1246020881.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1325170489.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1322705806.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 4iDSIZ8MhI.exe, 00000000.00000003.1245380225.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, 4iDSIZ8MhI.exe, 00000000.00000003.1246020881.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1325170489.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1322705806.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
          Source: 4iDSIZ8MhI.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: 4iDSIZ8MhI.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: 4iDSIZ8MhI.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: 4iDSIZ8MhI.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: 4iDSIZ8MhI.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_002E42DE  GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_00300A76  push ecx; ret  (0_2_00300A89)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0041802E  pushad; iretd  (2_2_00418036)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_004079FB  push ebx; ret  (2_2_00407A00)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_004014C0  push FFFFFFC3h; ret  (2_2_004014DD)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0040CCD5  pushad; iretd  (2_2_0040CCDE)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_00403520  push eax; ret  (2_2_00403522)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_00404DCC  push esp; iretd  (2_2_00404DCE)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0040AF5C  pushad; retf  (2_2_0040AF5D)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0040A7DC  push eax; retf  (2_2_0040A85F)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0040A7E3  push eax; retf  (2_2_0040A85F)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0040C7F1  push ds; retf  (2_2_0040C7F2)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039309AD  push ecx; mov dword ptr [esp], ecx  (2_2_039309B6)
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_002FF98E  GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_00371C41  IsWindowVisible, IsWindowEnabled, GetForegroundWindow, IsIconic, IsZoomed
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep  (graph_0-97296)
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  API/Special instruction interceptor: Address: 3993214
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0397096E  rdtsc
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  API coverage: 3.8 %
          Source: C:\Windows\SysWOW64\svchost.exe  API coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 1416  Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0034DBBE  lstrlenW, GetFileAttributesW, FindFirstFileW, FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0031C2A2  FindFirstFileExW
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_003568EE  FindFirstFileW, FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0035698F  FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, FileTimeToSystemTime, FileTimeToSystemTime
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0034D076  FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0034D3A9  FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_00359642  SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0035979D  SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_00359B2B  FindFirstFileW, Sleep, FindNextFileW, FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_00355C97  FindFirstFileW, FindNextFileW, FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_002E42DE  GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
          Source: C:\Windows\SysWOW64\svchost.exe  Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe  Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0397096E  rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_00417A73  LdrLoadDll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_0035EAA2  BlockInput
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_00312622  IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_002E42DE  GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
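          The rdtsc at 2_2_0397096E, the DebugPort query and the long run of "mov eax, dword ptr fs:[00000030h]" rows that follow are the static side of the anti-analysis behaviour flagged in this section. In 32-bit code fs:[30h] is the PEB pointer, and reading it is how code reaches BeingDebugged, NtGlobalFlag and the loader's module list without calling an API that could be hooked; two rdtsc reads around a short stretch of code are an execution-timing check (a large cycle delta means the code was single-stepped or emulated). The 2_2_039xxxxx addresses fall in the same 0x03900000 region of svchost.exe in which the report finds the wntdll.pdb string, which is consistent with a privately mapped copy of ntdll rather than the system-loaded module. The scanner below is an added example, not part of the Joe Sandbox report: it walks a constructed byte string (labelled as such, not bytes from the sample) for the opcode patterns behind these rows and pairs nearby rdtsc instructions. It is a byte-pattern scan, not a disassembler, so on real code it will also flag compiler-generated TEB/PEB reads (runtime code in the original executable, such as the rows from 4iDSIZ8MhI.exe, needs checking in a disassembler) and 0F 31 inside data; treat hits as triage leads.

```python
"""Byte-pattern triage for 32-bit x86 anti-analysis primitives.

Added example (not Joe Sandbox code). Finds the opcode sequences behind the
report rows above: `rdtsc` (0F 31) and reads of fs:[30h], the 32-bit PEB
pointer, in either encoding a compiler or hand-written shellcode emits.
"""
from typing import Dict, List, Tuple

Finding = Tuple[int, str]  # (offset, mnemonic)

# Fixed-encoding patterns. 0x64 is the fs: segment override; A1 is MOV EAX, moffs32.
PATTERNS: List[Tuple[bytes, str]] = [
    (bytes.fromhex("0F31"), "rdtsc"),
    (bytes.fromhex("64A130000000"), "mov eax, fs:[30h]"),  # PEB
    (bytes.fromhex("64A118000000"), "mov eax, fs:[18h]"),  # TEB self-pointer (PEB at [eax+30h])
]

# MOV r32, fs:[disp32] = 64 8B /r with mod=00, rm=101; the reg field picks the register.
_MODRM_REG32: Dict[int, str] = {
    0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
    0x2D: "ebp", 0x35: "esi", 0x3D: "edi",
}
for _modrm, _reg in _MODRM_REG32.items():
    PATTERNS.append((bytes([0x64, 0x8B, _modrm, 0x30, 0x00, 0x00, 0x00]),
                     f"mov {_reg}, fs:[30h]"))


def scan(code: bytes) -> List[Finding]:
    """Return every (offset, mnemonic) where a pattern starts, in address order.

    Linear byte scan, not a disassembler: it does not know instruction
    boundaries, so a hit inside data or a multi-byte immediate is possible.
    """
    hits: List[Finding] = []
    for off in range(len(code)):
        for pat, name in PATTERNS:
            if code.startswith(pat, off):
                hits.append((off, name))
    return sorted(hits)


def rdtsc_pairs(findings: List[Finding], window: int = 64) -> List[Tuple[int, int]]:
    """Pair consecutive rdtsc hits closer than `window` bytes: the read-work-read
    shape of an execution-timing check (large delta => single-stepped/emulated)."""
    offs = [off for off, name in findings if name == "rdtsc"]
    return [(a, b) for a, b in zip(offs, offs[1:]) if 0 < b - a <= window]


# Constructed 32-bit code fragment (not bytes from the sample): a PEB read,
# a BeingDebugged check and a pair of rdtsc reads bracketing it.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"              # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"     # mov eax, fs:[30h]           -> PEB
    "8B 40 0C"              # mov eax, [eax+0Ch]          -> PEB.Ldr
    "0F 31"                 # rdtsc
    "8B D8"                 # mov ebx, eax                -> save low 32 bits
    "64 8B 0D 30 00 00 00"  # mov ecx, fs:[30h]
    "0F B6 41 02"           # movzx eax, byte ptr [ecx+2] -> PEB.BeingDebugged
    "0F 31"                 # rdtsc
    "2B C3"                 # sub eax, ebx                -> elapsed cycles
    "C3"                    # ret
)


def report(code: bytes) -> List[str]:
    """Human-readable lines for the stand-alone run."""
    found = scan(code)
    lines = [f"{off:#06x}  {name}" for off, name in found]
    lines += [f"timing check candidate: rdtsc at {a:#x} and {b:#x}"
              for a, b in rdtsc_pairs(found)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CODE)))
```

          To apply this to the report's own data, feed it the dumped region (the 00000002.00000002.1368120608.0000000003900000 .sdmp, or the 2.2.svchost.exe.400000.0.unpack image) and read the offsets against the 2_2_039xxxxx function starts listed above; the pattern table covers only the fs:[30h] and fs:[18h] forms, so a PEB reached through a register already holding the TEB will not be found by this scan.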
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_00304CE8  mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_03993480  mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_039934E0  mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe  Code function: 0_2_03991E70  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03928397  mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0392E388  mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0395438F  mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039DE3DB  mov eax, dword ptr fs:[00000030h] (x3); mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039D43D4  mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039EC3CD  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0393A3C0  mov eax, dword ptr fs:[00000030h] (x6)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039383C0  mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039B63C0  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0394E3F0  mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039663FF  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039403E9  mov eax, dword ptr fs:[00000030h] (x8)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0392C310  mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03950310  mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0396A30B  mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039B035C  mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039FA352  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039D8350  mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039B2349  mov eax, dword ptr fs:[00000030h] (x15)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039D437C  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A0634F  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0396E284  mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039B0283  mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039402A0  mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039C62A0  mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0393A2C3  mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039402E1  mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A062D6  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0392823B  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0392A250  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03936259  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039EA250  mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039B8243  mov eax, dword ptr fs:[00000030h] (x1); mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039E0274  mov eax, dword ptr fs:[00000030h] (x12)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03934260  mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0392826B  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A0625D  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_039B019F  mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0392A197  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0392A197  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0392A197  mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]2_2_03970185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]2_2_039EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]2_2_039EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]2_2_039D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]2_2_039D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]2_2_03A061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]2_2_039AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]2_2_039F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]2_2_039F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]2_2_039601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]2_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]2_2_039DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]2_2_039F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]2_2_039DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]2_2_03960124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]2_2_0392C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]2_2_039C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]2_2_03A04164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]2_2_03A04164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]2_2_03936154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]2_2_03936154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]2_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]2_2_039C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]2_2_0393208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]2_2_039F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]2_2_039F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]2_2_039280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]2_2_039C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]2_2_039B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]2_2_0392C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]2_2_039720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0392A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]2_2_039380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]2_2_039B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]2_2_0394E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]2_2_039B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]2_2_039D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]2_2_039C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]2_2_0392A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]2_2_0392C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]2_2_03932050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]2_2_039B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]2_2_0395C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]2_2_039D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]2_2_039307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]2_2_039E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]2_2_0393C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]2_2_039B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]2_2_039347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]2_2_039347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]2_2_039527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]2_2_039BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]2_2_03930710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]2_2_03960710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]2_2_0396C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]2_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]2_2_0396273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]2_2_039AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]2_2_0396C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]2_2_0396C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]2_2_03930750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]2_2_039BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]2_2_03972750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]2_2_03972750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]2_2_039B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]2_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]2_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]2_2_0396674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]2_2_03938770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]2_2_03940770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]2_2_03934690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]2_2_039666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]2_2_0396C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0396A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]2_2_0396A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]2_2_039AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]2_2_039B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]2_2_03972619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]2_2_039AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]2_2_0394260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]2_2_0394E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]2_2_03966620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]2_2_03968620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]2_2_0393262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]2_2_0394C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]2_2_03962674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]2_2_039F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]2_2_0396A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]2_2_0396E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]2_2_03932582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]2_2_03932582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]2_2_03964588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]2_2_039545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]2_2_039B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]2_2_039365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]2_2_0396A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]2_2_0396E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]2_2_0395E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]2_2_039325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]2_2_0396C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]2_2_039C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]2_2_03A04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]2_2_03940535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]2_2_0395E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]2_2_03938550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]2_2_0396656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]2_2_039EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]2_2_039644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]2_2_039BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]2_2_039364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]2_2_039304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]2_2_03968402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]2_2_0396A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]2_2_0392E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]2_2_0392C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]2_2_039B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]2_2_039EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]2_2_0392645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]2_2_0395245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]2_2_0396E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]2_2_0395A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]2_2_039BC460
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h] 2_2_03940BBE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h] 2_2_03940BBE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_039E4BB0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_039E4BB0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_039DEBD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h] 2_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h] 2_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h] 2_2_03950BCB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h] 2_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h] 2_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h] 2_2_03930BCD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h] 2_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h] 2_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h] 2_2_03938BF0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h] 2_2_0395EBFC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_039BCBF0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h] 2_2_039AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h] 2_2_03A04B00
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h] 2_2_0395EB20
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h] 2_2_0395EB20
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h] 2_2_039F8B28
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h] 2_2_039F8B28
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h] 2_2_03928B50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h] 2_2_039DEB50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h] 2_2_039E4B4B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h] 2_2_039E4B4B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h] 2_2_039C6B40
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h] 2_2_039C6B40
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h] 2_2_039FAB40
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h] 2_2_039D8B42
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h] 2_2_0392CB7E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h] 2_2_03A02B57
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h] 2_2_03A02B57
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h] 2_2_03A02B57
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h] 2_2_03A02B57
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h] 2_2_03968A90
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h] 2_2_0393EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h] 2_2_03A04A80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h] 2_2_03938AA0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h] 2_2_03938AA0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h] 2_2_03986AA4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h] 2_2_03930AD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h] 2_2_03964AD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h] 2_2_03964AD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h] 2_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h] 2_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h] 2_2_03986ACC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h] 2_2_0396AAEE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h] 2_2_0396AAEE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h] 2_2_039BCA11
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h] 2_2_03954A35
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h] 2_2_03954A35
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h] 2_2_0396CA38
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h] 2_2_0396CA24
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h] 2_2_0395EA2E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h] 2_2_03936A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h] 2_2_03940A5B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h] 2_2_03940A5B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h] 2_2_039ACA72
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h] 2_2_039ACA72
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h] 2_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h] 2_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h] 2_2_0396CA6F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h] 2_2_039DEA60
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h] 2_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h] 2_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h] 2_2_039B89B3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h] 2_2_039429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h] 2_2_039309AD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h] 2_2_039309AD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0393A9D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h] 2_2_039649D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_039FA9D3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h] 2_2_039C69C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h] 2_2_039629F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h] 2_2_039629F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_039BE9E0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h] 2_2_039BC912
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h] 2_2_03928918
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h] 2_2_03928918
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h] 2_2_039AE908
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h] 2_2_039AE908
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h] 2_2_039B892A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h] 2_2_039C892B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h] 2_2_039B0946
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h] 2_2_03A04940
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h] 2_2_039D4978
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h] 2_2_039D4978
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h] 2_2_039BC97C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h] 2_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h] 2_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h] 2_2_03956962
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h] 2_2_0397096E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h] 2_2_0397096E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h] 2_2_0397096E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h] 2_2_039BC89D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h] 2_2_03930887
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0395E8C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h] 2_2_03A008C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0396C8F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0396C8F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h] 2_2_039FA8E4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h] 2_2_039BC810
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov ecx, dword ptr fs:[00000030h] 2_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h] 2_2_03952835
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00340B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00340B62
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00312622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00312622
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_0030083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0030083F
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_003009D5 SetUnhandledExceptionFilter, 0_2_003009D5
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00300C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00300C21

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F71008
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00341201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00341201
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00322BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00322BA5
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_0034B226 SendInput,keybd_event, 0_2_0034B226
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_003622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_003622DA
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\4iDSIZ8MhI.exe"
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00340B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00340B62
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00341663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00341663
          Source: 4iDSIZ8MhI.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: 4iDSIZ8MhI.exe Binary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00300698 cpuid 0_2_00300698
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00358195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00358195
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_0033D27A GetUserNameW, 0_2_0033D27A
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_0031B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_0031B952
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_002E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_002E42DE

          Stealing of Sensitive Information

          Source: Yara match, file source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: 4iDSIZ8MhI.exe Binary or memory string: WIN_81
          Source: 4iDSIZ8MhI.exe Binary or memory string: WIN_XP
          Source: 4iDSIZ8MhI.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
          Source: 4iDSIZ8MhI.exe Binary or memory string: WIN_XPe
          Source: 4iDSIZ8MhI.exe Binary or memory string: WIN_VISTA
          Source: 4iDSIZ8MhI.exe Binary or memory string: WIN_7
          Source: 4iDSIZ8MhI.exe Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match, file source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00361204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00361204
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe Code function: 0_2_00361806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00361806

          MITRE ATT&CK Matrix (one row per matrix line; a number in parentheses is the count of matched signatures for that technique)

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (1) | Valid Accounts (2) | Valid Accounts (2) | Valid Accounts (2) | Input Capture (21) | System Time Discovery (2) | Remote Services | Input Capture (21) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
          Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (24) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Access Token Manipulation (21) | Virtualization/Sandbox Evasion (12) | Security Account Manager | Virtualization/Sandbox Evasion (12) | SMB/Windows Admin Shares | Clipboard Data (3) | Steganography | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Process Injection (212) | Access Token Manipulation (21) | NTDS | Process Discovery (3) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | DLL Side-Loading (1) | Process Injection (212) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | Account Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (2) | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | File and Directory Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Information Discovery (115) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Source | Detection | Scanner | Label | Link
          4iDSIZ8MhI.exe | 42% | ReversingLabs | Win32.Trojan.Strab
          4iDSIZ8MhI.exe | 100% | Joe Sandbox ML
          No Antivirus matches
          No contacted domains info
          No contacted IP infos
          Joe Sandbox version: 40.0.0 Tourmaline
          Analysis ID: 1504853
          Start date and time: 2024-09-05 14:24:07 +02:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 5m 55s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed: 20
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: 4iDSIZ8MhI.exe (renamed because the original name is a hash value)
          Original Sample Name: 459d078aefc37782388eb6c6e1dedb4efc48eb7f3888893ebe1b0962b059a949.exe
          Detection: MAL
          Classification: mal92.troj.evad.winEXE@3/4@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 97%
          • Number of executed functions: 51
          • Number of non-executed functions: 287
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
          • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed; the report is missing behavior information
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • VT rate limit hit for: 4iDSIZ8MhI.exe
          Time | Type | Description
          08:25:09 | API Interceptor | 3x Sleep call for process: svchost.exe modified
          No context
          Process: C:\Users\user\Desktop\4iDSIZ8MhI.exe
          File Type: data
          Category: dropped
          Size (bytes): 272384
          Entropy (8bit): 7.992558668844852
          Encrypted: true
          SSDEEP: 3072:H9SM7JKNestnfJV39/t4Ej+qpBQnuhme/VUBMDdOPEjhBrdkxDai9X9xCFOBbm7X:HYZMstfP3hVX8g/VUW2xDaesqbJJsl/
          MD5: 49A73306837E7EC8F98FF8493A824C40
          SHA1: 9A82F6D68E5F50A5026E74508B8B503CB0B52B94
          SHA-256: 5F53E9001B6262B634D2F91E3B7510CD2A1D8704D942E2A7D23D3B20560E35C2
          SHA-512: 104E8CF3991506E39DDEF987F33D5407289DA70CF0B0EC0BC4E2E5C9D309569C59115A019F7F0919E00E0932573B80E5F85105FDD47798C7A3CE53386BAD7F91
          Malicious: false
          Reputation: low
          Process:C:\Users\user\Desktop\4iDSIZ8MhI.exe
          File Type:data
          Category:dropped
          Size (bytes):43526
          Entropy (8bit):7.825035163899341
          Encrypted:false
          SSDEEP:768:gpM+wvNY9cTXXgc6Q9FZj+LiqD1lScFgGNl6GPJVwNT01R:0MZv0cTXXKQ/8L51lDbNl6wJ6p01R
          MD5:627B33F7BECE512A7C9184024BA5141D
          SHA1:9CBCE2C32EA01F5B5F370836965DD5C9CAA25CC2
          SHA-256:C57E74544D9AB7DD67D15163F222B02A7903A739B2643314ED453D71273ED87C
          SHA-512:D17873F85C0240B288DE585462162A782CE94AF6EA04A469F3C840DED85F426246DDB7F499B04ED0D612C5CEDD28118FA23A9D7EE0485404223F0DCF0C86FB0C
          Malicious:false
          Reputation:low
          Preview:EA06..P...)Sy.Jg5......6.V&.Z..gQ..*.9.4.2..u0.&aH......aT..).9.>g5.L....3..f.*$.qU..3i..g0.......g0.L...ebg6......3..fsJ..kO..*.9.Zm2...4..3..@.P...`.(....3.V.....iB.M.%.,.mR.L..i."g7...@.e ....KU)...........h...0.Vp..Qf.*...U.M@0.P...@....G......sU..).",.6..l...&l.hU.%...aL..*.9.6g0....i....T.sJ...l.R..0..6..E.'.@............l.3..&sZ8..8......3.Sfs:d.gC..(.(.d....).-h.x.D..sJ..kB..@?....9...uy..h.0.(...............U.s...d.l.o.i..6...B.....V.=...^g6..K.9........J<.eV...H.`..Y.9...5H..L....fh............*.....wQ...P.-N.6.h@..3.P../...8.....L.6...Z.......8.$.8S.y.l.kU..&..p..3......8....^..Q....-..g9..*.i.H....T ...W.`...8..(.'..b.`...j..mT.M. ...CQ....9..aI......L....4...r.....E..m6.M.B.jm6.....6eN.k@wI.4.....0.j..<..i..qW.<f.0.........6.S.........&.:...o@.e..:.v*@H..x.......mO.M..i.Fl.... W.Zm1..(Si.h.C@6...@.e@.....$...gJ.<.@$u..n.<..@)r.6..,b.......Q.I@..h..E..+3i...v...@...yF....@C......UP........3..@6 ?0.....`....g.z.@...Z..fT@,J...P....!.
          Process:C:\Users\user\Desktop\4iDSIZ8MhI.exe
          File Type:ASCII text, with very long lines (65536), with no line terminators
          Category:modified
          Size (bytes):86022
          Entropy (8bit):4.178933456920341
          Encrypted:false
          SSDEEP:1536:xZQimDbRJPp/spimyE9j4G0mt2LlxOdpXXUI2G2SmC:ToDp17IR0xOdNkBwx
          MD5:CC6E868FB0F4C38434C49309F30D5DD0
          SHA1:CB6492023654BF0C7290CE22B8D3567539E2089A
          SHA-256:DD157F754207A8FA9A5589744F55FBF06D06DFA496917BAB5A3CFC9163C5D762
          SHA-512:3019EA87EA963453CAC395BBEF74F4FE2FF896273D1E8E57E15DCC2AF150FB1C6068C29EAAC8347B0EDBB7C2C807330159D044BC9C47B3C82EE7E1F4D33820EE
          Malicious:false
          Reputation:low
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.1463292677406764
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:4iDSIZ8MhI.exe
          File size:1'260'544 bytes
          MD5:01284d3ef501955ac9ed679e5cb32e23
          SHA1:b86ead0f46e939b6fbde343520133de2daaac2da
          SHA256:459d078aefc37782388eb6c6e1dedb4efc48eb7f3888893ebe1b0962b059a949
          SHA512:bd9dfbd8090b8ad102c811121250829448210ae217c4867b0b19fcc078389a72268583b918f30ee0e7e22dbe8fdbb2e53318cad90536cd435656c39bd76f586b
          SSDEEP:24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8a3ZYTVJeO4M9JvgmG:MTvC/MTQYxsWR7a3m6mx
          TLSH:4945CF0273C1D062FF9B92334B5AF6515BBC6A260123E61F13981D7ABE701B1563E7A3
          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x420577
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66C71EF6 [Thu Aug 22 11:20:22 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:948cc502fe9226992dce9417f952fce3
          Instruction
          call 00007F7DA47E9143h
          jmp 00007F7DA47E8A4Fh
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F7DA47E8C2Dh
          mov dword ptr [esi], 0049FDF0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FDF8h
          mov dword ptr [ecx], 0049FDF0h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F7DA47E8BFAh
          mov dword ptr [esi], 0049FE0Ch
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FE14h
          mov dword ptr [ecx], 0049FE0Ch
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          and dword ptr [eax], 00000000h
          and dword ptr [eax+04h], 00000000h
          push eax
          mov eax, dword ptr [ebp+08h]
          add eax, 04h
          push eax
          call 00007F7DA47EB7EDh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 0049FDD0h
          push eax
          call 00007F7DA47EB838h
          pop ecx
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          push eax
          call 00007F7DA47EB821h
          test byte ptr [ebp+08h], 00000001h
          pop ecx
          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          Name                                  Virtual Address  Virtual Size  Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
          IMAGE_DIRECTORY_ENTRY_IMPORT          0xc8e64          0x17c         .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd4000          0x5d200       .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x132000         0x7594        .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG           0xb0ff0          0x1c          .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
          IMAGE_DIRECTORY_ENTRY_TLS             0xc3400          0x18          .rdata
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb1010          0x40          .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
          IMAGE_DIRECTORY_ENTRY_IAT             0x9c000          0x894         .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
          Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      Entropy             File Type                                      Characteristics
          .text   0x1000           0x9ab1d       0x9ac00   0a1473f3064dcbc32ef93c5c8a90f3a6  False     0.565500681542811    6.668273581389308   data                                           IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata  0x9c000          0x2fb82       0x2fc00   c9cf2468b60bf4f80f136ed54b3989fb  False     0.35289185209424084  5.691811547483722   data                                           IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data   0xcc000          0x706c        0x4800    53b9025d545d65e23295e30afdbd16d9  False     0.04356553819444445  0.5846666986982398  DOS executable (block device driver @\273\)    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc   0xd4000          0x5d200       0x5d200   8769276b1debf83d12c94133b3b649eb  False     0.9300414219798657   7.8977284601947355  data                                           IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc  0x132000         0x7594        0x7600    c68ee8931a32d45eb82dc450ee40efc3  False     0.7628111758474576   6.7972128181359786  data                                           IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
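The section table above is the report's own output. What follows is an added example, not code from the report or from Joe Sandbox, that recomputes the two columns a triager actually acts on, the per-section 8-bit entropy and the section characteristics, by walking the PE section headers directly with struct. It builds a minimal two-section PE32 inline as constructed test data: a low-entropy .text (two byte values in equal counts, entropy exactly 1.0), a .rsrc containing every byte value equally often (entropy exactly 8.0), and this sample's timestamp 0x66C71EF6 in the COFF header. The 7.0 threshold for "likely packed or encrypted" and the writable-plus-executable check are assumptions chosen for illustration, not Joe Sandbox's rules. Applied to the real file, the same computation is what puts .rsrc at 7.90 here (the AutoIt payload lives in RT_RCDATA inside it) and the 272384-byte dropped file at 7.99, which the report flags as Encrypted.

```python
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumed triage threshold for "likely packed or encrypted"; not Joe Sandbox's value.
HIGH_ENTROPY = 7.0


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for a single byte value, 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the PE section table and return one dict per section, with the entropy of its raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        (name, vsize, vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        entropy = shannon_entropy(raw)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": entropy,
            "high_entropy": entropy >= HIGH_ENTROPY,
            # Writable and executable at once is unusual for compiler output (assumed heuristic).
            "wx": bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def build_sample_pe():
    """Constructed two-section PE32 with known entropies; headers are zero except what the parser reads."""
    text = b"\x90" * 512 + b"\xc3" * 512        # two byte values, equal counts: entropy 1.0
    rsrc = bytes(range(256)) * 4                # every byte value equally often: entropy 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x66C71EF6, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)            # PE32 magic, rest zeroed

    def header(name, vaddr, data, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), raw_ptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt
               + header(b".text", 0x1000, text, 0x200, 0x60000020)    # CODE | EXECUTE | READ
               + header(b".rsrc", 0x2000, rsrc, 0x600, 0x40000040))   # INITIALIZED_DATA | READ
    headers += b"\0" * (0x200 - len(headers))                         # pad to first raw-data offset
    return headers + text + rsrc


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        flag = " <- high entropy" if s["high_entropy"] else ""
        print(f"{s['name']:<8} VA=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.3f}{flag}")
```

Run it against the real sample by replacing build_sample_pe() with the file's bytes; the parser only reads e_lfanew, NumberOfSections and SizeOfOptionalHeader, so it works on PE32 and PE32+ alike. Keep in mind that entropy is a property of the raw bytes on disk: the .data section here reports 0.58 because only 0x4800 of its 0x706c bytes are backed by the file.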
          Name           RVA       Size     Language  Country        ZLIB Complexity      Type
          RT_ICON        0xd45a8   0x128    English   Great Britain  0.7466216216216216   Device independent bitmap graphic, 16 x 32 x 4, image size 192
          RT_ICON        0xd46d0   0x128    English   Great Britain  0.3277027027027027   Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors
          RT_ICON        0xd47f8   0x128    English   Great Britain  0.3885135135135135   Device independent bitmap graphic, 16 x 32 x 4, image size 192
          RT_ICON        0xd4920   0x2e8    English   Great Britain  0.3333333333333333   Device independent bitmap graphic, 32 x 64 x 4, image size 0
          RT_ICON        0xd4c08   0x128    English   Great Britain  0.5                  Device independent bitmap graphic, 16 x 32 x 4, image size 0
          RT_ICON        0xd4d30   0xea8    English   Great Britain  0.2835820895522388   Device independent bitmap graphic, 48 x 96 x 8, image size 0
          RT_ICON        0xd5bd8   0x8a8    English   Great Britain  0.37906137184115524  Device independent bitmap graphic, 32 x 64 x 8, image size 0
          RT_ICON        0xd6480   0x568    English   Great Britain  0.23699421965317918  Device independent bitmap graphic, 16 x 32 x 8, image size 0
          RT_ICON        0xd69e8   0x25a8   English   Great Britain  0.13858921161825727  Device independent bitmap graphic, 48 x 96 x 32, image size 0
          RT_ICON        0xd8f90   0x10a8   English   Great Britain  0.25070356472795496  Device independent bitmap graphic, 32 x 64 x 32, image size 0
          RT_ICON        0xda038   0x468    English   Great Britain  0.3173758865248227   Device independent bitmap graphic, 16 x 32 x 32, image size 0
          RT_MENU        0xda4a0   0x50     English   Great Britain  0.9                  data
          RT_STRING      0xda4f0   0x594    English   Great Britain  0.3333333333333333   data
          RT_STRING      0xdaa84   0x68a    English   Great Britain  0.2735961768219833   data
          RT_STRING      0xdb110   0x490    English   Great Britain  0.3715753424657534   data
          RT_STRING      0xdb5a0   0x5fc    English   Great Britain  0.3087467362924282   data
          RT_STRING      0xdbb9c   0x65c    English   Great Britain  0.34336609336609336  data
          RT_STRING      0xdc1f8   0x466    English   Great Britain  0.3605683836589698   data
          RT_STRING      0xdc660   0x158    English   Great Britain  0.502906976744186    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0
          RT_RCDATA      0xdc7b8   0x544c8  -         -              1.0003359514376404   data
          RT_GROUP_ICON  0x130c80  0x76     English   Great Britain  0.6610169491525424   data
          RT_GROUP_ICON  0x130cf8  0x14     English   Great Britain  1.25                 data
          RT_GROUP_ICON  0x130d0c  0x14     English   Great Britain  1.15                 data
          RT_GROUP_ICON  0x130d20  0x14     English   Great Britain  1.25                 data
          RT_VERSION     0x130d34  0xdc     English   Great Britain  0.6181818181818182   data
          RT_MANIFEST    0x130e10  0x3ef    English   Great Britain  0.5074478649453823   ASCII text, with CRLF line terminators
          DLL  Imports
          WSOCK32.dll: gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
          VERSION.dll: GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll: WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
          WININET.dll: HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
          PSAPI.DLL: GetProcessMemoryInfo
          IPHLPAPI.DLL: IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
          USERENV.dll: DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
          UxTheme.dll: IsThemeActive
          KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
          USER32.dll: GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
          GDI32.dll: EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
          COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
          SHELL32.dll: DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
          ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dll: CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
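The import table above reads like an injector's: OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateProcessW and ResumeThread in KERNEL32, BlockInput and the clipboard APIs in USER32, CreateProcessAsUserW and CreateProcessWithLogonW in ADVAPI32, raw sockets and WinINet for network. The caveat a practitioner wants here is that the report also flags this binary as a compiled AutoIt script, so these are largely the AutoIt interpreter stub's imports and describe what the interpreter can be asked to do, not what this particular script does; the evidence that ties this sample to process injection is behavioural (the FormBook Yara hits in svchost.exe memory and the "Writes to foreign memory regions" signature). The following is an added example, not the report's or Joe Sandbox's code, that parses import-table lines in both the form rendered above ("KERNEL32.dll: A, B") and the fused form extraction produces ("KERNEL32.dllA, B"), then scores them against capability groups. The groups and their API sets are my own triage heuristics, and the SAMPLE_IMPORT_LINES are a constructed, abbreviated excerpt of this sample's table.

```python
import re
from collections import OrderedDict

# Matches both the rendered form "KERNEL32.dll: A, B" and the fused form an
# extracted report shows, "KERNEL32.dllA, B" (separator lost after the DLL name).
_DLL_LINE = re.compile(r"^(?P<dll>\S+?\.(?:dll|DLL))\s*:?\s*(?P<funcs>.*)$")

# Capability groups (assumed heuristics). "all": every API must be present;
# "any": at least one must be present.
CAPABILITIES = {
    "remote_process_write":      {"all": {"openprocess", "virtualallocex", "writeprocessmemory"}},
    "suspended_process_control": {"all": {"createprocessw", "resumethread"}},
    "anti_debug":                {"any": {"isdebuggerpresent", "queryperformancecounter",
                                          "outputdebugstringw", "blockinput"}},
    "token_or_runas":            {"any": {"adjusttokenprivileges", "createprocessasuserw",
                                          "createprocesswithlogonw", "logonuserw"}},
    "network":                   {"any": {"socket", "connect", "listen", "internetopenw",
                                          "httpsendrequestw", "internetreadfile"}},
}

# Constructed, abbreviated excerpt of this sample's import table. The header
# line is deliberately included to show that non-DLL lines are skipped.
SAMPLE_IMPORT_LINES = [
    "DLL  Imports",
    "WSOCK32.dll: gethostbyname, recv, send, socket, setsockopt, WSAStartup, "
    "select, accept, listen, bind, connect, closesocket",
    "WININET.dllHttpOpenRequestW, InternetOpenW, InternetConnectW, HttpSendRequestW, InternetReadFile",
    "PSAPI.DLLGetProcessMemoryInfo",
    "KERNEL32.dll: OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, "
    "CreateProcessW, ResumeThread, IsDebuggerPresent, QueryPerformanceCounter, "
    "OutputDebugStringW, DeviceIoControl, CreateToolhelp32Snapshot",
    "USER32.dll: BlockInput, SetClipboardData, GetClipboardData, keybd_event, GetAsyncKeyState",
    "ADVAPI32.dll: AdjustTokenPrivileges, CreateProcessAsUserW, CreateProcessWithLogonW, LogonUserW",
]


def parse_import_lines(lines):
    """Return an ordered mapping of lower-cased DLL name -> list of imported API names."""
    imports = OrderedDict()
    for line in lines:
        m = _DLL_LINE.match(line.strip())
        if not m:
            continue                                   # header or unrelated line
        funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
        imports.setdefault(m.group("dll").lower(), []).extend(funcs)
    return imports


def triage_imports(imports):
    """Map each satisfied capability group to the sorted, lower-cased APIs that satisfied it."""
    present = {f.lower() for funcs in imports.values() for f in funcs}
    findings = {}
    for cap, rule in CAPABILITIES.items():
        need_all = rule.get("all", set())
        need_any = rule.get("any", set())
        if need_all and not need_all <= present:
            continue
        hit_any = need_any & present
        if need_any and not hit_any:
            continue
        findings[cap] = sorted(need_all | hit_any)
    return findings


if __name__ == "__main__":
    imps = parse_import_lines(SAMPLE_IMPORT_LINES)
    for cap, apis in triage_imports(imps).items():
        print(f"{cap:<26} {', '.join(apis)}")
```

Treat the output as a prompt for what to look at dynamically, not as a verdict: every compiled AutoIt script will light up the same groups, which is exactly why the report's behavioural signatures and memory Yara matches, not the import table, carry the FormBook attribution.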
          Language of compilation system  Country where language is spoken
          English                         Great Britain
          No network behavior found


          Target ID:0
          Start time:08:24:58
          Start date:05/09/2024
          Path:C:\Users\user\Desktop\4iDSIZ8MhI.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\4iDSIZ8MhI.exe"
          Imagebase:0x2e0000
          File size:1'260'544 bytes
          MD5 hash:01284D3EF501955AC9ED679E5CB32E23
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:2
          Start time:08:24:59
          Start date:05/09/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\4iDSIZ8MhI.exe"
          Imagebase:0x890000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:true

            Execution Graph

            Execution Coverage:3.3%
            Dynamic/Decrypted Code Coverage:1.3%
            Signature Coverage:4.8%
            Total number of Nodes:2000
            Total number of Limit Nodes:49
318c46 95684->95685 95686 318c5e 95684->95686 95784 30f2c6 20 API calls __dosmaperr 95685->95784 95688 318d24 95686->95688 95693 318c97 95686->95693 95791 30f2c6 20 API calls __dosmaperr 95688->95791 95690 318c4b 95785 30f2d9 20 API calls __dosmaperr 95690->95785 95691 318d29 95792 30f2d9 20 API calls __dosmaperr 95691->95792 95695 318ca6 95693->95695 95696 318cbb 95693->95696 95786 30f2c6 20 API calls __dosmaperr 95695->95786 95718 315147 EnterCriticalSection 95696->95718 95699 318cb3 95793 3127ec 26 API calls ___std_exception_copy 95699->95793 95700 318cab 95787 30f2d9 20 API calls __dosmaperr 95700->95787 95701 318cc1 95703 318cf2 95701->95703 95704 318cdd 95701->95704 95719 318d45 95703->95719 95788 30f2d9 20 API calls __dosmaperr 95704->95788 95706 318c53 __wsopen_s 95706->95667 95709 318ce2 95789 30f2c6 20 API calls __dosmaperr 95709->95789 95710 318ced 95790 318d1c LeaveCriticalSection __wsopen_s 95710->95790 95713->95659 95714->95670 95715->95662 95716->95680 95717->95682 95718->95701 95720 318d57 95719->95720 95721 318d6f 95719->95721 95803 30f2c6 20 API calls __dosmaperr 95720->95803 95723 3190d9 95721->95723 95726 318db4 95721->95726 95825 30f2c6 20 API calls __dosmaperr 95723->95825 95724 318d5c 95804 30f2d9 20 API calls __dosmaperr 95724->95804 95729 318dbf 95726->95729 95730 318d64 95726->95730 95737 318def 95726->95737 95728 3190de 95826 30f2d9 20 API calls __dosmaperr 95728->95826 95805 30f2c6 20 API calls __dosmaperr 95729->95805 95730->95710 95733 318dcc 95827 3127ec 26 API calls ___std_exception_copy 95733->95827 95734 318dc4 95806 30f2d9 20 API calls __dosmaperr 95734->95806 95738 318e08 95737->95738 95739 318e4a 95737->95739 95740 318e2e 95737->95740 95738->95740 95774 318e15 95738->95774 95810 313820 21 API calls __dosmaperr 95739->95810 95807 30f2c6 20 API calls __dosmaperr 95740->95807 95742 318e33 95808 30f2d9 20 API calls __dosmaperr 95742->95808 95746 318e61 95811 3129c8 95746->95811 95747 318e3a 95809 3127ec 26 API calls 
___std_exception_copy 95747->95809 95748 318fb3 95751 319029 95748->95751 95754 318fcc GetConsoleMode 95748->95754 95753 31902d ReadFile 95751->95753 95752 318e6a 95755 3129c8 _free 20 API calls 95752->95755 95756 3190a1 GetLastError 95753->95756 95757 319047 95753->95757 95754->95751 95758 318fdd 95754->95758 95759 318e71 95755->95759 95760 319005 95756->95760 95761 3190ae 95756->95761 95757->95756 95773 31901e 95757->95773 95758->95753 95762 318fe3 ReadConsoleW 95758->95762 95763 318e96 95759->95763 95764 318e7b 95759->95764 95769 318e45 __fread_nolock 95760->95769 95820 30f2a3 20 API calls __dosmaperr 95760->95820 95823 30f2d9 20 API calls __dosmaperr 95761->95823 95768 318fff GetLastError 95762->95768 95762->95773 95819 319424 28 API calls __fread_nolock 95763->95819 95817 30f2d9 20 API calls __dosmaperr 95764->95817 95768->95760 95770 3129c8 _free 20 API calls 95769->95770 95770->95730 95771 318e80 95818 30f2c6 20 API calls __dosmaperr 95771->95818 95772 3190b3 95824 30f2c6 20 API calls __dosmaperr 95772->95824 95773->95769 95778 319083 95773->95778 95779 31906c 95773->95779 95794 31f89b 95774->95794 95778->95769 95781 31909a 95778->95781 95821 318a61 31 API calls 2 library calls 95779->95821 95822 3188a1 29 API calls __fread_nolock 95781->95822 95783 31909f 95783->95769 95784->95690 95785->95706 95786->95700 95787->95699 95788->95709 95789->95710 95790->95706 95791->95691 95792->95699 95793->95706 95795 31f8b5 95794->95795 95796 31f8a8 95794->95796 95799 31f8c1 95795->95799 95829 30f2d9 20 API calls __dosmaperr 95795->95829 95828 30f2d9 20 API calls __dosmaperr 95796->95828 95798 31f8ad 95798->95748 95799->95748 95801 31f8e2 95830 3127ec 26 API calls ___std_exception_copy 95801->95830 95803->95724 95804->95730 95805->95734 95806->95733 95807->95742 95808->95747 95809->95769 95810->95746 95812 3129fc __dosmaperr 95811->95812 95813 3129d3 RtlFreeHeap 95811->95813 95812->95752 95813->95812 95814 3129e8 95813->95814 95831 30f2d9 20 API calls __dosmaperr 
95814->95831 95816 3129ee GetLastError 95816->95812 95817->95771 95818->95769 95819->95774 95820->95769 95821->95769 95822->95783 95823->95772 95824->95769 95825->95728 95826->95733 95827->95730 95828->95798 95829->95801 95830->95798 95831->95816 95832 3003fb 95833 300407 ___DestructExceptionObject 95832->95833 95861 2ffeb1 95833->95861 95835 30040e 95836 300561 95835->95836 95839 300438 95835->95839 95888 30083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 95836->95888 95838 300568 95889 304e52 28 API calls _abort 95838->95889 95850 300477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 95839->95850 95872 31247d 95839->95872 95841 30056e 95890 304e04 28 API calls _abort 95841->95890 95845 300576 95846 300457 95848 3004d8 95880 300959 95848->95880 95850->95848 95884 304e1a 38 API calls 2 library calls 95850->95884 95852 3004de 95853 3004f3 95852->95853 95885 300992 GetModuleHandleW 95853->95885 95855 3004fa 95855->95838 95856 3004fe 95855->95856 95857 300507 95856->95857 95886 304df5 28 API calls _abort 95856->95886 95887 300040 13 API calls 2 library calls 95857->95887 95860 30050f 95860->95846 95862 2ffeba 95861->95862 95891 300698 IsProcessorFeaturePresent 95862->95891 95864 2ffec6 95892 302c94 10 API calls 3 library calls 95864->95892 95866 2ffecb 95871 2ffecf 95866->95871 95893 312317 95866->95893 95869 2ffee6 95869->95835 95871->95835 95873 312494 95872->95873 95874 300a8c CatchGuardHandler 5 API calls 95873->95874 95875 300451 95874->95875 95875->95846 95876 312421 95875->95876 95877 312450 95876->95877 95878 300a8c CatchGuardHandler 5 API calls 95877->95878 95879 312479 95878->95879 95879->95850 95961 302340 95880->95961 95882 30096c GetStartupInfoW 95883 30097f 95882->95883 95883->95852 95884->95848 95885->95855 95886->95857 95887->95860 95888->95838 95889->95841 95890->95845 95891->95864 95892->95866 95897 31d1f6 95893->95897 95896 302cbd 8 API calls 3 library calls 
95896->95871 95900 31d213 95897->95900 95901 31d20f 95897->95901 95899 2ffed8 95899->95869 95899->95896 95900->95901 95903 314bfb 95900->95903 95915 300a8c 95901->95915 95904 314c07 ___DestructExceptionObject 95903->95904 95922 312f5e EnterCriticalSection 95904->95922 95906 314c0e 95923 3150af 95906->95923 95908 314c1d 95914 314c2c 95908->95914 95936 314a8f 29 API calls 95908->95936 95911 314c27 95937 314b45 GetStdHandle GetFileType 95911->95937 95913 314c3d __wsopen_s 95913->95900 95938 314c48 LeaveCriticalSection _abort 95914->95938 95916 300a95 95915->95916 95917 300a97 IsProcessorFeaturePresent 95915->95917 95916->95899 95919 300c5d 95917->95919 95960 300c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 95919->95960 95921 300d40 95921->95899 95922->95906 95924 3150bb ___DestructExceptionObject 95923->95924 95925 3150c8 95924->95925 95926 3150df 95924->95926 95947 30f2d9 20 API calls __dosmaperr 95925->95947 95939 312f5e EnterCriticalSection 95926->95939 95929 3150cd 95948 3127ec 26 API calls ___std_exception_copy 95929->95948 95931 3150d7 __wsopen_s 95931->95908 95932 315117 95949 31513e LeaveCriticalSection _abort 95932->95949 95934 3150eb 95934->95932 95940 315000 95934->95940 95936->95911 95937->95914 95938->95913 95939->95934 95950 314c7d 95940->95950 95942 31501f 95944 3129c8 _free 20 API calls 95942->95944 95943 315012 95943->95942 95957 313405 11 API calls 2 library calls 95943->95957 95946 315071 95944->95946 95946->95934 95947->95929 95948->95931 95949->95931 95956 314c8a __dosmaperr 95950->95956 95951 314cca 95959 30f2d9 20 API calls __dosmaperr 95951->95959 95952 314cb5 RtlAllocateHeap 95953 314cc8 95952->95953 95952->95956 95953->95943 95956->95951 95956->95952 95958 304ead 7 API calls 2 library calls 95956->95958 95957->95943 95958->95956 95959->95953 95960->95921 95962 302357 95961->95962 95962->95882 95962->95962 95963 2e2de3 95964 2e2df0 __wsopen_s 95963->95964 95965 2e2e09 95964->95965 95966 322c2b 
___scrt_fastfail 95964->95966 95979 2e3aa2 95965->95979 95969 322c47 GetOpenFileNameW 95966->95969 95971 322c96 95969->95971 95973 2e6b57 22 API calls 95971->95973 95975 322cab 95973->95975 95975->95975 95976 2e2e27 96007 2e44a8 95976->96007 96036 321f50 95979->96036 95982 2e3ace 95984 2e6b57 22 API calls 95982->95984 95983 2e3ae9 96042 2ea6c3 95983->96042 95986 2e3ada 95984->95986 96038 2e37a0 95986->96038 95989 2e2da5 95990 321f50 __wsopen_s 95989->95990 95991 2e2db2 GetLongPathNameW 95990->95991 95992 2e6b57 22 API calls 95991->95992 95993 2e2dda 95992->95993 95994 2e3598 95993->95994 95995 2ea961 22 API calls 95994->95995 95996 2e35aa 95995->95996 95997 2e3aa2 23 API calls 95996->95997 95998 2e35b5 95997->95998 95999 3232eb 95998->95999 96000 2e35c0 95998->96000 96004 32330d 95999->96004 96060 2fce60 41 API calls 95999->96060 96048 2e515f 96000->96048 96006 2e35df 96006->95976 96061 2e4ecb 96007->96061 96010 323833 96083 352cf9 96010->96083 96012 2e4ecb 94 API calls 96013 2e44e1 96012->96013 96013->96010 96015 2e44e9 96013->96015 96014 323848 96016 323869 96014->96016 96017 32384c 96014->96017 96018 323854 96015->96018 96019 2e44f5 96015->96019 96021 2ffe0b 22 API calls 96016->96021 96118 2e4f39 96017->96118 96124 34da5a 82 API calls 96018->96124 96117 2e940c 136 API calls 2 library calls 96019->96117 96035 3238ae 96021->96035 96024 2e2e31 96025 323862 96025->96016 96026 2e4f39 68 API calls 96029 323a5f 96026->96029 96029->96026 96129 34989b 82 API calls __wsopen_s 96029->96129 96032 2e9cb3 22 API calls 96032->96035 96035->96029 96035->96032 96109 2ea4a1 96035->96109 96125 34967e 22 API calls __fread_nolock 96035->96125 96126 3495ad 42 API calls _wcslen 96035->96126 96127 350b5a 22 API calls 96035->96127 96128 2e3ff7 22 API calls 96035->96128 96037 2e3aaf GetFullPathNameW 96036->96037 96037->95982 96037->95983 96039 2e37ae 96038->96039 96040 2e93b2 22 API calls 96039->96040 96041 2e2e12 96040->96041 96041->95989 96043 2ea6dd 96042->96043 96047 2ea6d0 
96042->96047 96044 2ffddb 22 API calls 96043->96044 96045 2ea6e7 96044->96045 96046 2ffe0b 22 API calls 96045->96046 96046->96047 96047->95986 96049 2e516e 96048->96049 96053 2e518f __fread_nolock 96048->96053 96052 2ffe0b 22 API calls 96049->96052 96050 2ffddb 22 API calls 96051 2e35cc 96050->96051 96054 2e35f3 96051->96054 96052->96053 96053->96050 96055 2e3605 96054->96055 96059 2e3624 __fread_nolock 96054->96059 96057 2ffe0b 22 API calls 96055->96057 96056 2ffddb 22 API calls 96058 2e363b 96056->96058 96057->96059 96058->96006 96059->96056 96060->95999 96130 2e4e90 LoadLibraryA 96061->96130 96066 2e4ef6 LoadLibraryExW 96138 2e4e59 LoadLibraryA 96066->96138 96067 323ccf 96068 2e4f39 68 API calls 96067->96068 96070 323cd6 96068->96070 96072 2e4e59 3 API calls 96070->96072 96074 323cde 96072->96074 96160 2e50f5 96074->96160 96075 2e4f20 96075->96074 96076 2e4f2c 96075->96076 96077 2e4f39 68 API calls 96076->96077 96079 2e44cd 96077->96079 96079->96010 96079->96012 96082 323d05 96084 352d15 96083->96084 96085 2e511f 64 API calls 96084->96085 96086 352d29 96085->96086 96310 352e66 96086->96310 96089 2e50f5 40 API calls 96090 352d56 96089->96090 96091 2e50f5 40 API calls 96090->96091 96092 352d66 96091->96092 96093 2e50f5 40 API calls 96092->96093 96094 352d81 96093->96094 96095 2e50f5 40 API calls 96094->96095 96096 352d9c 96095->96096 96097 2e511f 64 API calls 96096->96097 96098 352db3 96097->96098 96099 30ea0c ___std_exception_copy 21 API calls 96098->96099 96100 352dba 96099->96100 96101 30ea0c ___std_exception_copy 21 API calls 96100->96101 96102 352dc4 96101->96102 96103 2e50f5 40 API calls 96102->96103 96104 352dd8 96103->96104 96105 3528fe 27 API calls 96104->96105 96106 352dee 96105->96106 96107 352d3f 96106->96107 96316 3522ce 96106->96316 96107->96014 96110 2ea52b 96109->96110 96115 2ea4b1 __fread_nolock 96109->96115 96112 2ffe0b 22 API calls 96110->96112 96111 2ffddb 22 API calls 96113 2ea4b8 96111->96113 96112->96115 96114 2ffddb 22 API calls 
96113->96114 96116 2ea4d6 96113->96116 96114->96116 96115->96111 96116->96035 96117->96024 96119 2e4f4a 96118->96119 96120 2e4f43 96118->96120 96122 2e4f6a FreeLibrary 96119->96122 96123 2e4f59 96119->96123 96121 30e678 67 API calls 96120->96121 96121->96119 96122->96123 96123->96018 96124->96025 96125->96035 96126->96035 96127->96035 96128->96035 96129->96029 96131 2e4ea8 GetProcAddress 96130->96131 96132 2e4ec6 96130->96132 96133 2e4eb8 96131->96133 96135 30e5eb 96132->96135 96133->96132 96134 2e4ebf FreeLibrary 96133->96134 96134->96132 96168 30e52a 96135->96168 96137 2e4eea 96137->96066 96137->96067 96139 2e4e6e GetProcAddress 96138->96139 96140 2e4e8d 96138->96140 96141 2e4e7e 96139->96141 96143 2e4f80 96140->96143 96141->96140 96142 2e4e86 FreeLibrary 96141->96142 96142->96140 96144 2ffe0b 22 API calls 96143->96144 96145 2e4f95 96144->96145 96220 2e5722 96145->96220 96147 2e4fa1 __fread_nolock 96148 2e50a5 96147->96148 96149 323d1d 96147->96149 96159 2e4fdc 96147->96159 96223 2e42a2 CreateStreamOnHGlobal 96148->96223 96234 35304d 74 API calls 96149->96234 96152 323d22 96154 2e511f 64 API calls 96152->96154 96153 2e50f5 40 API calls 96153->96159 96155 323d45 96154->96155 96156 2e50f5 40 API calls 96155->96156 96158 2e506e ISource 96156->96158 96158->96075 96159->96152 96159->96153 96159->96158 96229 2e511f 96159->96229 96161 323d70 96160->96161 96162 2e5107 96160->96162 96256 30e8c4 96162->96256 96165 3528fe 96293 35274e 96165->96293 96167 352919 96167->96082 96170 30e536 ___DestructExceptionObject 96168->96170 96169 30e544 96193 30f2d9 20 API calls __dosmaperr 96169->96193 96170->96169 96172 30e574 96170->96172 96174 30e586 96172->96174 96175 30e579 96172->96175 96173 30e549 96194 3127ec 26 API calls ___std_exception_copy 96173->96194 96185 318061 96174->96185 96195 30f2d9 20 API calls __dosmaperr 96175->96195 96179 30e58f 96180 30e5a2 96179->96180 96181 30e595 96179->96181 96197 30e5d4 LeaveCriticalSection __fread_nolock 96180->96197 96196 30f2d9 20 API 
calls __dosmaperr 96181->96196 96182 30e554 __wsopen_s 96182->96137 96186 31806d ___DestructExceptionObject 96185->96186 96198 312f5e EnterCriticalSection 96186->96198 96188 31807b 96199 3180fb 96188->96199 96192 3180ac __wsopen_s 96192->96179 96193->96173 96194->96182 96195->96182 96196->96182 96197->96182 96198->96188 96205 31811e 96199->96205 96200 318177 96201 314c7d __dosmaperr 20 API calls 96200->96201 96202 318180 96201->96202 96204 3129c8 _free 20 API calls 96202->96204 96206 318189 96204->96206 96205->96200 96205->96205 96211 318088 96205->96211 96215 30918d EnterCriticalSection 96205->96215 96216 3091a1 LeaveCriticalSection 96205->96216 96206->96211 96217 313405 11 API calls 2 library calls 96206->96217 96208 3181a8 96218 30918d EnterCriticalSection 96208->96218 96212 3180b7 96211->96212 96219 312fa6 LeaveCriticalSection 96212->96219 96214 3180be 96214->96192 96215->96205 96216->96205 96217->96208 96218->96211 96219->96214 96221 2ffddb 22 API calls 96220->96221 96222 2e5734 96221->96222 96222->96147 96224 2e42bc FindResourceExW 96223->96224 96228 2e42d9 96223->96228 96225 3235ba LoadResource 96224->96225 96224->96228 96226 3235cf SizeofResource 96225->96226 96225->96228 96227 3235e3 LockResource 96226->96227 96226->96228 96227->96228 96228->96159 96230 2e512e 96229->96230 96231 323d90 96229->96231 96235 30ece3 96230->96235 96234->96152 96238 30eaaa 96235->96238 96237 2e513c 96237->96159 96240 30eab6 ___DestructExceptionObject 96238->96240 96239 30eac2 96251 30f2d9 20 API calls __dosmaperr 96239->96251 96240->96239 96241 30eae8 96240->96241 96253 30918d EnterCriticalSection 96241->96253 96244 30eac7 96252 3127ec 26 API calls ___std_exception_copy 96244->96252 96245 30eaf4 96254 30ec0a 62 API calls 2 library calls 96245->96254 96248 30eb08 96255 30eb27 LeaveCriticalSection __fread_nolock 96248->96255 96250 30ead2 __wsopen_s 96250->96237 96251->96244 96252->96250 96253->96245 96254->96248 96255->96250 96259 30e8e1 96256->96259 96258 2e5118 96258->96165 96260 
30e8ed ___DestructExceptionObject 96259->96260 96261 30e925 __wsopen_s 96260->96261 96262 30e900 ___scrt_fastfail 96260->96262 96263 30e92d 96260->96263 96261->96258 96286 30f2d9 20 API calls __dosmaperr 96262->96286 96272 30918d EnterCriticalSection 96263->96272 96265 30e937 96273 30e6f8 96265->96273 96268 30e91a 96287 3127ec 26 API calls ___std_exception_copy 96268->96287 96272->96265 96274 30e727 96273->96274 96277 30e70a ___scrt_fastfail 96273->96277 96288 30e96c LeaveCriticalSection __fread_nolock 96274->96288 96275 30e717 96289 30f2d9 20 API calls __dosmaperr 96275->96289 96277->96274 96277->96275 96278 30e76a __fread_nolock 96277->96278 96278->96274 96280 30e886 ___scrt_fastfail 96278->96280 96282 30d955 __fread_nolock 26 API calls 96278->96282 96285 318d45 __fread_nolock 38 API calls 96278->96285 96291 30cf78 26 API calls 4 library calls 96278->96291 96292 30f2d9 20 API calls __dosmaperr 96280->96292 96282->96278 96284 30e71c 96290 3127ec 26 API calls ___std_exception_copy 96284->96290 96285->96278 96286->96268 96287->96261 96288->96261 96289->96284 96290->96274 96291->96278 96292->96284 96296 30e4e8 96293->96296 96295 35275d 96295->96167 96299 30e469 96296->96299 96298 30e505 96298->96295 96300 30e478 96299->96300 96301 30e48c 96299->96301 96307 30f2d9 20 API calls __dosmaperr 96300->96307 96305 30e488 __alldvrm 96301->96305 96309 31333f 11 API calls 2 library calls 96301->96309 96304 30e47d 96308 3127ec 26 API calls ___std_exception_copy 96304->96308 96305->96298 96307->96304 96308->96305 96309->96305 96313 352e7a 96310->96313 96311 2e50f5 40 API calls 96311->96313 96312 3528fe 27 API calls 96312->96313 96313->96311 96313->96312 96314 352d3b 96313->96314 96315 2e511f 64 API calls 96313->96315 96314->96089 96314->96107 96315->96313 96317 3522d9 96316->96317 96318 3522e7 96316->96318 96319 30e5eb 29 API calls 96317->96319 96320 35232c 96318->96320 96321 30e5eb 29 API calls 96318->96321 96338 3522f0 96318->96338 96319->96318 96345 352557 96320->96345 96323 
352311 96321->96323 96323->96320 96325 35231a 96323->96325 96324 352370 96326 352395 96324->96326 96327 352374 96324->96327 96328 30e678 67 API calls 96325->96328 96325->96338 96349 352171 96326->96349 96330 352381 96327->96330 96332 30e678 67 API calls 96327->96332 96328->96338 96335 30e678 67 API calls 96330->96335 96330->96338 96331 35239d 96333 3523c3 96331->96333 96334 3523a3 96331->96334 96332->96330 96356 3523f3 96333->96356 96336 3523b0 96334->96336 96339 30e678 67 API calls 96334->96339 96335->96338 96336->96338 96341 30e678 67 API calls 96336->96341 96338->96107 96339->96336 96340 3523ca 96342 3523de 96340->96342 96364 30e678 96340->96364 96341->96338 96342->96338 96344 30e678 67 API calls 96342->96344 96344->96338 96346 35257c 96345->96346 96348 352565 __fread_nolock 96345->96348 96347 30e8c4 __fread_nolock 40 API calls 96346->96347 96347->96348 96348->96324 96350 30ea0c ___std_exception_copy 21 API calls 96349->96350 96351 35217f 96350->96351 96352 30ea0c ___std_exception_copy 21 API calls 96351->96352 96353 352190 96352->96353 96354 30ea0c ___std_exception_copy 21 API calls 96353->96354 96355 35219c 96354->96355 96355->96331 96358 352408 96356->96358 96357 3524c0 96381 352724 96357->96381 96358->96357 96359 3521cc 40 API calls 96358->96359 96363 3524c7 96358->96363 96377 352606 96358->96377 96385 352269 40 API calls 96358->96385 96359->96358 96363->96340 96365 30e684 ___DestructExceptionObject 96364->96365 96366 30e695 96365->96366 96368 30e6aa 96365->96368 96438 30f2d9 20 API calls __dosmaperr 96366->96438 96376 30e6a5 __wsopen_s 96368->96376 96421 30918d EnterCriticalSection 96368->96421 96370 30e69a 96439 3127ec 26 API calls ___std_exception_copy 96370->96439 96371 30e6c6 96422 30e602 96371->96422 96374 30e6d1 96440 30e6ee LeaveCriticalSection __fread_nolock 96374->96440 96376->96342 96378 35261d 96377->96378 96380 352617 96377->96380 96378->96358 96378->96378 96380->96378 96386 3526d7 96380->96386 96382 352731 96381->96382 96383 352742 96381->96383 
96384 30dbb3 65 API calls 96382->96384 96383->96363 96384->96383 96385->96358 96387 352703 96386->96387 96388 352714 96386->96388 96390 30dbb3 96387->96390 96388->96380 96391 30dbc1 96390->96391 96392 30dbdd 96390->96392 96391->96392 96393 30dbe3 96391->96393 96394 30dbcd 96391->96394 96392->96388 96399 30d9cc 96393->96399 96402 30f2d9 20 API calls __dosmaperr 96394->96402 96397 30dbd2 96403 3127ec 26 API calls ___std_exception_copy 96397->96403 96404 30d97b 96399->96404 96401 30d9f0 96401->96392 96402->96397 96403->96392 96405 30d987 ___DestructExceptionObject 96404->96405 96412 30918d EnterCriticalSection 96405->96412 96407 30d995 96413 30d9f4 96407->96413 96411 30d9b3 __wsopen_s 96411->96401 96412->96407 96414 3149a1 27 API calls 96413->96414 96415 30da09 96414->96415 96416 30da3a 62 API calls 96415->96416 96417 30da24 96416->96417 96418 314a56 62 API calls 96417->96418 96419 30d9a2 96418->96419 96420 30d9c0 LeaveCriticalSection __fread_nolock 96419->96420 96420->96411 96421->96371 96423 30e624 96422->96423 96424 30e60f 96422->96424 96430 30e61f 96423->96430 96441 30dc0b 96423->96441 96466 30f2d9 20 API calls __dosmaperr 96424->96466 96426 30e614 96467 3127ec 26 API calls ___std_exception_copy 96426->96467 96430->96374 96433 30d955 __fread_nolock 26 API calls 96434 30e646 96433->96434 96451 31862f 96434->96451 96437 3129c8 _free 20 API calls 96437->96430 96438->96370 96439->96376 96440->96376 96442 30dc1f 96441->96442 96443 30dc23 96441->96443 96447 314d7a 96442->96447 96443->96442 96444 30d955 __fread_nolock 26 API calls 96443->96444 96445 30dc43 96444->96445 96468 3159be 96445->96468 96448 314d90 96447->96448 96449 30e640 96447->96449 96448->96449 96450 3129c8 _free 20 API calls 96448->96450 96449->96433 96450->96449 96452 318653 96451->96452 96453 31863e 96451->96453 96455 31868e 96452->96455 96459 31867a 96452->96459 96583 30f2c6 20 API calls __dosmaperr 96453->96583 96585 30f2c6 20 API calls __dosmaperr 96455->96585 96456 318643 96584 30f2d9 20 API calls 
__dosmaperr 96456->96584 96580 318607 96459->96580 96460 318693 96586 30f2d9 20 API calls __dosmaperr 96460->96586 96463 30e64c 96463->96430 96463->96437 96464 31869b 96587 3127ec 26 API calls ___std_exception_copy 96464->96587 96466->96426 96467->96430 96469 3159ca ___DestructExceptionObject 96468->96469 96470 3159d2 96469->96470 96471 3159ea 96469->96471 96547 30f2c6 20 API calls __dosmaperr 96470->96547 96473 315a88 96471->96473 96476 315a1f 96471->96476 96552 30f2c6 20 API calls __dosmaperr 96473->96552 96474 3159d7 96548 30f2d9 20 API calls __dosmaperr 96474->96548 96493 315147 EnterCriticalSection 96476->96493 96477 315a8d 96553 30f2d9 20 API calls __dosmaperr 96477->96553 96481 3159df __wsopen_s 96481->96442 96482 315a25 96484 315a41 96482->96484 96485 315a56 96482->96485 96483 315a95 96554 3127ec 26 API calls ___std_exception_copy 96483->96554 96549 30f2d9 20 API calls __dosmaperr 96484->96549 96494 315aa9 96485->96494 96489 315a46 96550 30f2c6 20 API calls __dosmaperr 96489->96550 96491 315a51 96551 315a80 LeaveCriticalSection __wsopen_s 96491->96551 96493->96482 96495 315ad7 96494->96495 96532 315ad0 96494->96532 96496 315adb 96495->96496 96497 315afa 96495->96497 96562 30f2c6 20 API calls __dosmaperr 96496->96562 96500 315b4b 96497->96500 96501 315b2e 96497->96501 96498 300a8c CatchGuardHandler 5 API calls 96502 315cb1 96498->96502 96505 315b61 96500->96505 96568 319424 28 API calls __fread_nolock 96500->96568 96565 30f2c6 20 API calls __dosmaperr 96501->96565 96502->96491 96503 315ae0 96563 30f2d9 20 API calls __dosmaperr 96503->96563 96555 31564e 96505->96555 96507 315b33 96566 30f2d9 20 API calls __dosmaperr 96507->96566 96509 315ae7 96564 3127ec 26 API calls ___std_exception_copy 96509->96564 96515 315b6f 96516 315b3b 96567 3127ec 26 API calls ___std_exception_copy 96516->96567 96532->96498 96547->96474 96548->96481 96549->96489 96550->96491 96551->96481 96552->96477 96553->96483 96554->96481 96556 31f89b __fread_nolock 26 API calls 96555->96556 
96557 31565e 96556->96557 96558 315663 96557->96558 96579 312d74 38 API calls 3 library calls 96557->96579 96558->96515 96560 315686 96560->96558 96562->96503 96563->96509 96564->96532 96565->96507 96566->96516 96567->96532 96568->96505 96579->96560 96588 318585 96580->96588 96582 31862b 96582->96463 96583->96456 96584->96463 96585->96460 96586->96464 96587->96463 96589 318591 ___DestructExceptionObject 96588->96589 96599 315147 EnterCriticalSection 96589->96599 96591 31859f 96592 3185d1 96591->96592 96593 3185c6 96591->96593 96615 30f2d9 20 API calls __dosmaperr 96592->96615 96600 3186ae 96593->96600 96596 3185cc 96616 3185fb LeaveCriticalSection __wsopen_s 96596->96616 96598 3185ee __wsopen_s 96598->96582 96599->96591 96617 3153c4 96600->96617 96602 3186c4 96603 3186be 96603->96602 96604 3186f6 96603->96604 96606 3153c4 __wsopen_s 26 API calls 96603->96606 96604->96602 96615->96596 96616->96598 96618 3153d1 96617->96618 96619 3153e6 96617->96619 96620 30f2c6 __dosmaperr 20 API calls 96618->96620 96621 30f2c6 __dosmaperr 20 API calls 96619->96621 96624 31540b 96619->96624 96622 3153d6 96620->96622 96625 315416 96621->96625 96624->96603 96627 30f2d9 __dosmaperr 20 API calls 96625->96627 96632 2ef7bf 96633 2efcb6 96632->96633 96634 2ef7d3 96632->96634 96723 2eaceb 23 API calls ISource 96633->96723 96636 2efcc2 96634->96636 96638 2ffddb 22 API calls 96634->96638 96724 2eaceb 23 API calls ISource 96636->96724 96639 2ef7e5 96638->96639 96639->96636 96640 2ef83e 96639->96640 96641 2efd3d 96639->96641 96664 2eed9d ISource 96640->96664 96667 2f1310 96640->96667 96725 351155 22 API calls 96641->96725 96645 2efef7 96653 2ea8c7 22 API calls 96645->96653 96645->96664 96646 2ffddb 22 API calls 96663 2eec76 ISource 96646->96663 96648 334600 96654 2ea8c7 22 API calls 96648->96654 96648->96664 96649 334b0b 96727 35359c 82 API calls __wsopen_s 96649->96727 96650 2ea8c7 22 API calls 96650->96663 96653->96664 96654->96664 96656 300242 EnterCriticalSection LeaveCriticalSection 
[Call-graph data: the node/edge serialization behind the report's interactive graph viewer (decimal node id, function address, the API calls annotated on that node, and id->id call edges). The graph itself is not rendered here; only the labels survive extraction. Win32 APIs referenced in this part of the graph, grouped by purpose:
Synchronisation and process: EnterCriticalSection, LeaveCriticalSection, WaitForSingleObjectEx, WaitForSingleObject, SetEvent, ResetEvent, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, GetLastError, CloseHandle, VirtualAlloc.
Timing: node 34e97b calls QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter, Sleep in sequence, and the message loop around 2ed7b0 mixes timeGetTime and Sleep with PeekMessageW; this is consistent with the "execution timing" signature listed above.
File system: GetFileAttributesW, FindFirstFileW, FindClose, GetFullPathNameW, GetModuleFileNameW, SetCurrentDirectoryW, GetFileType, GetTempPathW and GetTempFileNameW (node 353017), CopyFileW (352c91) with a downstream path through DeleteFileW to CreateFileW and SetFileTime (352fd8, 352fff).
Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey (nodes 2e3556/323176/32320c and 2e3b30/2e3b4a/2e3b80).
Environment probing (function 2e42de): GetVersionExW; GetCurrentProcess and IsWow64Process; LoadLibraryA, GetProcAddress and GetNativeSystemInfo, with GetSystemInfo on the other branch; FreeLibrary.
Shell and message pump: PeekMessageW, GetInputState, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, GetForegroundWindow, ShellExecuteW, Shell_NotifyIconW, CreateWindowExW, ShowWindow, DestroyWindow, DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, DeleteObject, DestroyIcon, LoadStringW.
Strings: CharLowerBuffW, GetStringTypeW, lstrlenW.
C runtime internals labelled on nodes: __wsopen_s, __fread_nolock, _wcslen, _strftime, _strcat, _strlen, __dosmaperr, ___std_exception_copy, ___scrt_fastfail, __Init_thread_wait, __onexit, try_get_first_available_module.]

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph (entry 2e42de; node/edge rendering omitted): blocks call GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary and GetSystemInfo
            APIs
            • GetVersionExW.KERNEL32(?), ref: 002E430D
              • Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A
            • GetCurrentProcess.KERNEL32(?,0037CB64,00000000,?,?), ref: 002E4422
            • IsWow64Process.KERNEL32(00000000,?,?), ref: 002E4429
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 002E4454
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002E4466
            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 002E4474
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 002E447B
            • GetSystemInfo.KERNEL32(?,?,?), ref: 002E44A0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
            • String ID: GetNativeSystemInfo$kernel32.dll$|O
            • API String ID: 3290436268-3101561225
            • Opcode ID: 0bc45cec6feebd6ce1991b11af332353d68ccca831763eb29082f0a287b66c8f
            • Instruction ID: 0dcd46476e7ec4b1e96a2073722114c80a43ebbb7e59f7e5616a8fa3e3db9f80
            • Opcode Fuzzy Hash: 0bc45cec6feebd6ce1991b11af332353d68ccca831763eb29082f0a287b66c8f
            • Instruction Fuzzy Hash: 49A1E87DA2A3D0CFCB13DB697CA01997FEC6B26308FC856ADD24993B61F2644544CB21

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph (entry 2e42a2; node/edge rendering omitted): blocks call CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource
            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002E50AA,?,?,00000000,00000000), ref: 002E42B2
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002E50AA,?,?,00000000,00000000), ref: 002E42C9
            • LoadResource.KERNEL32(?,00000000,?,?,002E50AA,?,?,00000000,00000000,?,?,?,?,?,?,002E4F20), ref: 003235BE
            • SizeofResource.KERNEL32(?,00000000,?,?,002E50AA,?,?,00000000,00000000,?,?,?,?,?,?,002E4F20), ref: 003235D3
            • LockResource.KERNEL32(002E50AA,?,?,002E50AA,?,?,00000000,00000000,?,?,?,?,?,?,002E4F20,?), ref: 003235E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: 190792425084c2d08df78aa40cb3ab0024e6b17354a4ef31d9e3b6490ace7d31
            • Instruction ID: 68d4ced45d185deb3c7e9e997c63b18490d3755a678c1c97742469f858bf7a42
            • Opcode Fuzzy Hash: 190792425084c2d08df78aa40cb3ab0024e6b17354a4ef31d9e3b6490ace7d31
            • Instruction Fuzzy Hash: 2E11A070250301BFDB229F66DC48F277BBDEBCAB51F10456DF90696160DB71D810C620

            Control-flow Graph

            APIs
            • SetCurrentDirectoryW.KERNEL32(?), ref: 002E2B6B
              • Part of subcall function 002E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003B1418,?,002E2E7F,?,?,?,00000000), ref: 002E3A78
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • GetForegroundWindow.USER32(runas,?,?,?,?,?,003A2224), ref: 00322C10
            • ShellExecuteW.SHELL32(00000000,?,?,003A2224), ref: 00322C17
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
            • String ID: runas
            • API String ID: 448630720-4000483414
            • Opcode ID: f244c2fd8e6c50bbf85e143b019645db3eb61378f560d0c53170eba2c628626a
            • Instruction ID: fbb781ed795b255dcc55d36c778719e58616c7b9b7f559e5fabd17299f0a0d6b
            • Opcode Fuzzy Hash: f244c2fd8e6c50bbf85e143b019645db3eb61378f560d0c53170eba2c628626a
            • Instruction Fuzzy Hash: C4110A311943C1AAC716FF62DC55EEE77AC9B91345FC4142DF186130A2DF308AA9CB52
            APIs
            • lstrlenW.KERNEL32(?,00325222), ref: 0034DBCE
            • GetFileAttributesW.KERNELBASE(?), ref: 0034DBDD
            • FindFirstFileW.KERNELBASE(?,?), ref: 0034DBEE
            • FindClose.KERNEL32(00000000), ref: 0034DBFA
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirstlstrlen
            • String ID:
            • API String ID: 2695905019-0
            • Opcode ID: d86a882e65494e80576580b64a878dbe4bfbeaf44bc2fc6df57c7f10c99ebbcf
            • Instruction ID: 3c176aedac5c529d0ba2c88e9cc7029337ab7cab795c9ed539bb5207e3f22bf2
            • Opcode Fuzzy Hash: d86a882e65494e80576580b64a878dbe4bfbeaf44bc2fc6df57c7f10c99ebbcf
            • Instruction Fuzzy Hash: 23F0A03082091457C2336BB8AC4D8AA37AC9F02334F504B1AF83AC20E0EBB06DD48695
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: p#;
            • API String ID: 3964851224-2752655111
            • Opcode ID: 9c2842448c90b463456c3f904db8d795453c55d33536eacca2763ae800e4e696
            • Instruction ID: 7a8d55b6d8c845c2d9bcde313a0536928615e9ef4d5dfdccebd8cc5a0cffc6b5
            • Opcode Fuzzy Hash: 9c2842448c90b463456c3f904db8d795453c55d33536eacca2763ae800e4e696
            • Instruction Fuzzy Hash: 0AA2AB706183418FC715CF59C490B2ABBE0BF89304F64896DE99A8B362D771EC56CF92
            APIs
            • GetInputState.USER32 ref: 002ED807
            • timeGetTime.WINMM ref: 002EDA07
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002EDB28
            • TranslateMessage.USER32(?), ref: 002EDB7B
            • DispatchMessageW.USER32(?), ref: 002EDB89
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002EDB9F
            • Sleep.KERNEL32(0000000A), ref: 002EDBB1
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
            • String ID:
            • API String ID: 2189390790-0
            • Opcode ID: 5edbe047553ad931f24eef1b2da607fb39cbabb34db3853c591028a6b3c5bc8c
            • Instruction ID: 97e417121c783930abc9a22fe9e245921a6b727f97c371d505c97686d88e1ef8
            • Opcode Fuzzy Hash: 5edbe047553ad931f24eef1b2da607fb39cbabb34db3853c591028a6b3c5bc8c
            • Instruction Fuzzy Hash: B3421430668382DFD736CF25C894BAAB7E4BF46304F94462DE5558B291D770E864CF82

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 002E2D07
            • RegisterClassExW.USER32(00000030), ref: 002E2D31
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E2D42
            • InitCommonControlsEx.COMCTL32(?), ref: 002E2D5F
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002E2D6F
            • LoadIconW.USER32(000000A9), ref: 002E2D85
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002E2D94
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 2e6ed3f237f082324c6279f6a7977e2dd7cd81454977e91003ebe9336b440d26
            • Instruction ID: fc6fb19fe389988ac936e986ab6a000641d5b9086054607d7fd7dd94726549eb
            • Opcode Fuzzy Hash: 2e6ed3f237f082324c6279f6a7977e2dd7cd81454977e91003ebe9336b440d26
            • Instruction Fuzzy Hash: F12129B4911348AFDB12DF94EC59BDDBBB8FB08705F00521AF615A6290D7B14544CF90

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph (entry 318d45; node/edge rendering omitted): blocks call ReadFile, GetConsoleMode, ReadConsoleW and GetLastError
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: .0
            • API String ID: 0-2407493218
            • Opcode ID: b5a6fdbf075e85bda95997bb63dafc3b60069edb5f47921f89fd57a9c854d408
            • Instruction ID: f71239aed469a5acae1829692e55a57e71ea226bb3ff83a613ec6bfae609624f
            • Opcode Fuzzy Hash: b5a6fdbf075e85bda95997bb63dafc3b60069edb5f47921f89fd57a9c854d408
            • Instruction Fuzzy Hash: CFC1E674E042499FDB2BDFA8D851BEDBBB8BF0D310F15415AE514AB392C7319982CB60

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph (entry 32065b; node/edge rendering omitted): blocks call GetFileType, GetLastError and CloseHandle
            APIs
              • Part of subcall function 0032039A: CreateFileW.KERNELBASE(00000000,00000000,?,00320704,?,?,00000000,?,00320704,00000000,0000000C), ref: 003203B7
            • GetLastError.KERNEL32 ref: 0032076F
            • __dosmaperr.LIBCMT ref: 00320776
            • GetFileType.KERNELBASE(00000000), ref: 00320782
            • GetLastError.KERNEL32 ref: 0032078C
            • __dosmaperr.LIBCMT ref: 00320795
            • CloseHandle.KERNEL32(00000000), ref: 003207B5
            • CloseHandle.KERNEL32(?), ref: 003208FF
            • GetLastError.KERNEL32 ref: 00320931
            • __dosmaperr.LIBCMT ref: 00320938
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
            • String ID: H
            • API String ID: 4237864984-2852464175
            • Opcode ID: ce7c0b41ee319b93ee85f678b706e67b29fb0bfbfe55e0195d64cc3f410ef53d
            • Instruction ID: 2fa84423e0deb6244d428347c364833c2841a72caa2f78b3e69b4f18b42c6625
            • Opcode Fuzzy Hash: ce7c0b41ee319b93ee85f678b706e67b29fb0bfbfe55e0195d64cc3f410ef53d
            • Instruction Fuzzy Hash: C5A12536A001188FDF2EEF68E851BAE7BA4EB06324F14015DF8159F2E2C7319856CB91

            Control-flow Graph

            APIs
              • Part of subcall function 002E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003B1418,?,002E2E7F,?,?,?,00000000), ref: 002E3A78
              • Part of subcall function 002E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002E3379
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002E356A
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0032318D
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003231CE
            • RegCloseKey.ADVAPI32(?), ref: 00323210
            • _wcslen.LIBCMT ref: 00323277
            • _wcslen.LIBCMT ref: 00323286
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 98802146-2727554177
            • Opcode ID: 1651a114f6608d3a7df4083089d488608d3ae9209b97a6d2f4153522ccfb8e76
            • Instruction ID: edd02d5cc23604e1cd87e20f37ffd24b690c47fbf8c1ce4223b086e755d915ff
            • Opcode Fuzzy Hash: 1651a114f6608d3a7df4083089d488608d3ae9209b97a6d2f4153522ccfb8e76
            • Instruction Fuzzy Hash: 0771D5755143409EC316EF26EC819ABB7ECFF89744F804A2EF64987160DB349A48CF51

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 002E2B8E
            • LoadCursorW.USER32(00000000,00007F00), ref: 002E2B9D
            • LoadIconW.USER32(00000063), ref: 002E2BB3
            • LoadIconW.USER32(000000A4), ref: 002E2BC5
            • LoadIconW.USER32(000000A2), ref: 002E2BD7
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002E2BEF
            • RegisterClassExW.USER32(?), ref: 002E2C40
              • Part of subcall function 002E2CD4: GetSysColorBrush.USER32(0000000F), ref: 002E2D07
              • Part of subcall function 002E2CD4: RegisterClassExW.USER32(00000030), ref: 002E2D31
              • Part of subcall function 002E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002E2D42
              • Part of subcall function 002E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 002E2D5F
              • Part of subcall function 002E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002E2D6F
              • Part of subcall function 002E2CD4: LoadIconW.USER32(000000A9), ref: 002E2D85
              • Part of subcall function 002E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002E2D94
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: ed27fe862ed8b5f91e27bb67c0b321b47c42fe28071fee79661c700c7889ae50
            • Instruction ID: f08d7b9d2d3f94cf01b0d45804de2875ee97830cd6ad827a9f771e92cbc85a3d
            • Opcode Fuzzy Hash: ed27fe862ed8b5f91e27bb67c0b321b47c42fe28071fee79661c700c7889ae50
            • Instruction Fuzzy Hash: 4E214179D10358AFDB229FA5EC65A9D7FF8FB08B54F50011AE608A6660E7B10540CF90
            APIs
            • __Init_thread_footer.LIBCMT ref: 002EBB4E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: p#;$p#;$p#;$p#;$p%;$p%;$x#;$x#;
            • API String ID: 1385522511-1004722525
            • Opcode ID: 5220f21781eb67701a73c73b82868e63d604d25c6ae7fe56008b7148fc96019a
            • Instruction ID: 37ffcb478d7def946fc0839bf7023f3c000af80f9b36776436740bf8e9651cdc
            • Opcode Fuzzy Hash: 5220f21781eb67701a73c73b82868e63d604d25c6ae7fe56008b7148fc96019a
            • Instruction Fuzzy Hash: E7320C38A1024ADFCB26CF55C8A4ABFB7B9EF44314F558069EA05AB361C374AD51CB90

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph (entry 2e3170; node/edge rendering omitted): blocks call DefWindowProcW, PostQuitMessage, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow and SetFocus
            APIs
            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,002E316A,?,?), ref: 002E31D8
            • KillTimer.USER32(?,00000001,?,?,?,?,?,002E316A,?,?), ref: 002E3204
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002E3227
            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,002E316A,?,?), ref: 002E3232
            • CreatePopupMenu.USER32 ref: 002E3246
            • PostQuitMessage.USER32(00000000), ref: 002E3267
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: a341bb77d6eaf6dcb8a2f2b95ff87422091194b3d1e92663fba885ccd36a82df
            • Instruction ID: b7cebf45188ed0ef33c37e50a04b03a63e373694b3fedd21106961944ba16393
            • Opcode Fuzzy Hash: a341bb77d6eaf6dcb8a2f2b95ff87422091194b3d1e92663fba885ccd36a82df
            • Instruction Fuzzy Hash: 05416D352B01C0ABDB279F399C2D7B9365CE701346FC4022DFB598B1A1DBB08E6097A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: D%;$D%;$D%;$D%;$D%;D%;$Variable must be of type 'Object'.
            • API String ID: 0-1950724997
            • Opcode ID: 03f189e308c13584a2370e1858f6aba06d415c41e0d9041f42f1fe75a9c7dc3b
            • Instruction ID: 506cfdbafc1a63aebdfca2604902d9ee028f727b33b410af8fcb3a6c8d417330
            • Opcode Fuzzy Hash: 03f189e308c13584a2370e1858f6aba06d415c41e0d9041f42f1fe75a9c7dc3b
            • Instruction Fuzzy Hash: 99C2BC71A50245CFCF25CF59C880AADB7B1FF09300F668569E906AB3A1D371EDA1CB91

            Control-flow Graph (interactive graph rendering omitted)
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 039926A1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 039928C7
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
            • Instruction ID: 6d2b23d7b7301254a00196e35634e6550caa1860f1866511ddc3a9c468089395
            • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
            • Instruction Fuzzy Hash: E6A10B74E0020DEBEF14DFA8C894BEEB7B5BF48304F14899AE541BB280D7759A40CB54

            Control-flow Graph (interactive graph rendering omitted)
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002E2C91
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002E2CB2
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,002E1CAD,?), ref: 002E2CC6
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,002E1CAD,?), ref: 002E2CCF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: b6f801fd65424793f4e149a37083955b9d32d965d49da71349c3df72bc585eba
            • Instruction ID: 4a97edb922ad67a48fe300d8171b91a02f0d09ab66b7b58de20eeee88bb08491
            • Opcode Fuzzy Hash: b6f801fd65424793f4e149a37083955b9d32d965d49da71349c3df72bc585eba
            • Instruction Fuzzy Hash: 31F03A795502907AEB330723AC18E772EFDD7C7F54F54511EFA08A21A0E6A50840DBB0

            Control-flow Graph (interactive graph rendering omitted)
            APIs
              • Part of subcall function 039922A0: Sleep.KERNELBASE(000001F4), ref: 039922B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 039924C2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: TJWOWCIXBNCFZJLWEC5
            • API String ID: 2694422964-951046154
            • Opcode ID: 2cff9eb6f8f1947344c30d103ed34abf09df622f8de098f3fe27654a62249c7f
            • Instruction ID: d9a7e2188b057b031e21f2458cb32eba238547cbcafcfa579c5c462a159cb7ab
            • Opcode Fuzzy Hash: 2cff9eb6f8f1947344c30d103ed34abf09df622f8de098f3fe27654a62249c7f
            • Instruction Fuzzy Hash: E1516371D0424DEBFF11DBA4D814BEEBB79AF55300F044599E2487B2C0D6B91B48CBA6

            Control-flow Graph (interactive graph rendering omitted)
            APIs
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00352C05
            • DeleteFileW.KERNEL32(?), ref: 00352C87
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00352C9D
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00352CAE
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00352CC0
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: File$Delete$Copy
            • String ID:
            • API String ID: 3226157194-0
            • Opcode ID: e7c2eac44e8c25762d39fd5cb81cf4f0aec8c55a6eff6863c37d953d3085bef8
            • Instruction ID: add5e810674846bc54f65e60645dfc1d18f2dbc1dd0fbead6a55bae3e8c1b5bd
            • Opcode Fuzzy Hash: e7c2eac44e8c25762d39fd5cb81cf4f0aec8c55a6eff6863c37d953d3085bef8
            • Instruction Fuzzy Hash: 6CB16071D11129ABDF22DBA5CC85EDFB7BDEF09350F1040A6F909E6151EB309A488F61

            Control-flow Graph (interactive graph rendering omitted)
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: JO.
            • API String ID: 0-695963393
            • Opcode ID: 2cbfc9488cdbb3d2a468a617e6e80fd150953b8e30b4470d39dfc43c8046cd17
            • Instruction ID: 781b457d2bb7183adfb9e32ab1340c2ecceeed7a98659db8a1792a970e68954c
            • Opcode Fuzzy Hash: 2cbfc9488cdbb3d2a468a617e6e80fd150953b8e30b4470d39dfc43c8046cd17
            • Instruction Fuzzy Hash: AE51E075E05609DFCB2B9FA4C845FEEBBB8AF8D310F15001AF405AB291D7719981CBA1
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002E3B0F,SwapMouseButtons,00000004,?), ref: 002E3B40
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002E3B0F,SwapMouseButtons,00000004,?), ref: 002E3B61
            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,002E3B0F,SwapMouseButtons,00000004,?), ref: 002E3B83
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: c0ae9b874cf4d9b4f4a3fb6e7a6232ae97fa7a2d737b04317c1b038d40848d7c
            • Instruction ID: 559dd591fba4ab7de96ded16737d6ca642a2704d87d7cc79b922f8790f44ffc8
            • Opcode Fuzzy Hash: c0ae9b874cf4d9b4f4a3fb6e7a6232ae97fa7a2d737b04317c1b038d40848d7c
            • Instruction Fuzzy Hash: 33115AB1560208FFDB21CFA6DC48AAEB7BCEF04749B50445DE806D7110D231DE5097A0
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 03991A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03991AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03991B13
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
            • Instruction ID: 0f6ec4b08563ed702224e03c1181528a52f7b390d6e444ba4d7802cd8234de6c
            • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
            • Instruction Fuzzy Hash: 0C620934A14259DBEB24CFA4C840BDEB376FF58300F1095A9D10DEB294E77A9E81CB59
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003233A2
              • Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 002E3A04
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_wcslen
            • String ID: Line:
            • API String ID: 2289894680-1585850449
            • Opcode ID: f0adae64f7d93febd25e417d2e0fef12a04997203435ff1433a61d30feb2270c
            • Instruction ID: 443e29ec100254aaa5cf75ae26bd8fc3efecc7078bb71f37fbbcd4f284f8c10a
            • Opcode Fuzzy Hash: f0adae64f7d93febd25e417d2e0fef12a04997203435ff1433a61d30feb2270c
            • Instruction Fuzzy Hash: 5631E571468380AAC322EB11DC59BEBB7DCAF40714F90062EF69993091EB709658CBD2
            APIs
            • GetOpenFileNameW.COMDLG32(?), ref: 00322C8C
              • Part of subcall function 002E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E3A97,?,?,002E2E7F,?,?,?,00000000), ref: 002E3AC2
              • Part of subcall function 002E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002E2DC4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen
            • String ID: X$`e:
            • API String ID: 779396738-2000733710
            • Opcode ID: 4afac6a504f3886579f8e0ea6bb6d3c7e5ba3032c7cf8247df292b0dce8acb3d
            • Instruction ID: 0ab3ea73a1fae9fd886fb21ed6bc02c5987f398614a1783b437ab572e42dd30a
            • Opcode Fuzzy Hash: 4afac6a504f3886579f8e0ea6bb6d3c7e5ba3032c7cf8247df292b0dce8acb3d
            • Instruction Fuzzy Hash: 6521D870A10298AFCF02DF95CC09BEE7BFCAF49304F444059E505B7241DBB455898F61
            APIs
            • __CxxThrowException@8.LIBVCRUNTIME ref: 00300668
              • Part of subcall function 003032A4: RaiseException.KERNEL32(?,?,?,0030068A,?,003B1444,?,?,?,?,?,?,0030068A,002E1129,003A8738,002E1129), ref: 00303304
            • __CxxThrowException@8.LIBVCRUNTIME ref: 00300685
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Exception@8Throw$ExceptionRaise
            • String ID: Unknown exception
            • API String ID: 3476068407-410509341
            • Opcode ID: 27f3bc94a173e1f647568cabe2c254392adc237e375df4037c31010c156b45b8
            • Instruction ID: f267add687018156055e9d13454dec7af8bb5604f8fb0f34329ab7642b715c23
            • Opcode Fuzzy Hash: 27f3bc94a173e1f647568cabe2c254392adc237e375df4037c31010c156b45b8
            • Instruction Fuzzy Hash: 7DF0C23490120DB7CB06BAA4DC66EAEB76DAE01350F604571FA149A5D1EF72EA25C680
            APIs
            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0035302F
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00353044
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: e3b95adfda0a6a2260a58b09a18ab56a6a09167c09eb42870e276e6932172d35
            • Instruction ID: 9b0eb3b921ac28ec703669a4a46d8ed6fa50169b64d21a31bd6527e899c06594
            • Opcode Fuzzy Hash: e3b95adfda0a6a2260a58b09a18ab56a6a09167c09eb42870e276e6932172d35
            • Instruction Fuzzy Hash: 1ED05EB250032867DF30A7A4AC0EFCB3A6CDB05750F0006A1F659E2092DBB09A84CBD0
            APIs
            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003682F5
            • TerminateProcess.KERNEL32(00000000), ref: 003682FC
            • FreeLibrary.KERNEL32(?,?,?,?), ref: 003684DD
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Process$CurrentFreeLibraryTerminate
            • String ID:
            • API String ID: 146820519-0
            • Opcode ID: 6b64efc0f5f1da8b6e78fa0b6ee35cafbab9e07cd56f05aa223d6089eb239e25
            • Instruction ID: 7ad5cd462cdefbdddcfa50845b505db09e3efe1102fc4e9cea2f4ff028412583
            • Opcode Fuzzy Hash: 6b64efc0f5f1da8b6e78fa0b6ee35cafbab9e07cd56f05aa223d6089eb239e25
            • Instruction Fuzzy Hash: 92128C71A083419FC721CF28C484B2ABBE5BF89314F558A5DE8898B356CB31ED45CF92
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$_strcat
            • String ID:
            • API String ID: 306214811-0
            • Opcode ID: 96b5bf6e73a59bd167767553d8727cbdaab0addad366b6531bf898457afd8975
            • Instruction ID: a28946879a96307693a50ff1c80e648727de0b2f84e74eb00c7becda6bb85362
            • Opcode Fuzzy Hash: 96b5bf6e73a59bd167767553d8727cbdaab0addad366b6531bf898457afd8975
            • Instruction Fuzzy Hash: 3AA15C30204605EFCB19DF59C5D1A69BBA9FF45314B60C8AEE80A8F696DB31ED51CF80
            APIs
              • Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002E1BF4
              • Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 002E1BFC
              • Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002E1C07
              • Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002E1C12
              • Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 002E1C1A
              • Part of subcall function 002E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 002E1C22
              • Part of subcall function 002E1B4A: RegisterWindowMessageW.USER32(00000004,?,002E12C4), ref: 002E1BA2
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002E136A
            • OleInitialize.OLE32 ref: 002E1388
            • CloseHandle.KERNEL32(00000000,00000000), ref: 003224AB
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID:
            • API String ID: 1986988660-0
            • Opcode ID: b13955b82456893475935c17aae7bc518ca47f8e43a305d5a687eff7dcde15fc
            • Instruction ID: f75cf4479a64058e497cbe9d08ec0c5befbf9275054dd768092e74ce9011b226
            • Opcode Fuzzy Hash: b13955b82456893475935c17aae7bc518ca47f8e43a305d5a687eff7dcde15fc
            • Instruction Fuzzy Hash: 3A71B2B99212448EC3A7DF7AA8656953BE8BB8A34CBD4832FD70AC7261E7304411CF51
            APIs
            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,003185CC,?,003A8CC8,0000000C), ref: 00318704
            • GetLastError.KERNEL32(?,003185CC,?,003A8CC8,0000000C), ref: 0031870E
            • __dosmaperr.LIBCMT ref: 00318739
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
            • String ID:
            • API String ID: 490808831-0
            • Opcode ID: 5691bf323e0c5b4c71cefa6830b575bdcd290b90184eeee6467c3b0cd9bfcde7
            • Instruction ID: c30682a6372ca0aff0d276d57bf1d33cfbc2395759b9a643d7095a911bc69f58
            • Opcode Fuzzy Hash: 5691bf323e0c5b4c71cefa6830b575bdcd290b90184eeee6467c3b0cd9bfcde7
            • Instruction Fuzzy Hash: 4E012B3670562056D67F633468457FE674D4BCD778F3A061AFA189F1D2DEA08CC18158
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00352CD4,?,?,?,00000004,00000001), ref: 00352FF2
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00352CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00353006
            • CloseHandle.KERNEL32(00000000,?,00352CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0035300D
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 120fae291c58ee88da159c00fd54f5927e7f99068518a1c5b4df82e0b4868def
            • Instruction ID: 289d53da89d18a61a86c89e200972bda0e987bf883f1ccea1f8c44c7f81179d3
            • Opcode Fuzzy Hash: 120fae291c58ee88da159c00fd54f5927e7f99068518a1c5b4df82e0b4868def
            • Instruction Fuzzy Hash: A2E0863669131077E2321755BC0DF8B3A1CD786B71F114224FB1D760D146A0154182A8
            APIs
            • __Init_thread_footer.LIBCMT ref: 002F17F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: CALL
            • API String ID: 1385522511-4196123274
            • Opcode ID: 7f0054c6e6c92b37100ebd486bd52931816cb9cd5a298984cae2ad111dca6306
            • Instruction ID: de40ca2d88800903fcf75cb6d4b7aed778a2ade71d91305622fbef94a8af6dcf
            • Opcode Fuzzy Hash: 7f0054c6e6c92b37100ebd486bd52931816cb9cd5a298984cae2ad111dca6306
            • Instruction Fuzzy Hash: DA22AA70618205DFD715CF14C481A2AFBF5BF85394FA4892DF68A8B261D771E861CF82
            APIs
            • _wcslen.LIBCMT ref: 00356F6B
              • Part of subcall function 002E4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4EFD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: LibraryLoad_wcslen
            • String ID: >>>AUTOIT SCRIPT<<<
            • API String ID: 3312870042-2806939583
            • Opcode ID: f43247d462fcac66697e72d1d1a7fb4056fa9d8760c3c3017de24c34e15f21ee
            • Instruction ID: dbad8df658000c8d13fc893974b67754d1de0558c2c3b866f78703e01808a02f
            • Opcode Fuzzy Hash: f43247d462fcac66697e72d1d1a7fb4056fa9d8760c3c3017de24c34e15f21ee
            • Instruction Fuzzy Hash: C7B1B1311182418FCB15EF21D891DAEB7E5BF94300F95885DF896872A2EB30ED59CF92
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID: EA06
            • API String ID: 2638373210-3962188686
            • Opcode ID: 24dca2df0d3fccb6148cc6b001740a12907cb5b2bea203fdb9c92cd493d8101e
            • Instruction ID: 2092ceeecc0d85f2b1cbde25cd23bbab8f5e54e4ca338b7f751538d1076892a5
            • Opcode Fuzzy Hash: 24dca2df0d3fccb6148cc6b001740a12907cb5b2bea203fdb9c92cd493d8101e
            • Instruction Fuzzy Hash: FA01B5729042587EDF19C7A8C866EEEBBF8DB06301F04455AF552D61C1E5B4E608CB60
            APIs
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 002E3908
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: IconNotifyShell_
            • String ID:
            • API String ID: 1144537725-0
            • Opcode ID: a8bb4b7cc534c24b60888e20a1a93e9dc3ec3b4e19e575e05077bea6211d0ab4
            • Instruction ID: 78a0f33127d726066be5db2c3eb6eabfb8f21354fbb97744828016e050acc2cc
            • Opcode Fuzzy Hash: a8bb4b7cc534c24b60888e20a1a93e9dc3ec3b4e19e575e05077bea6211d0ab4
            • Instruction Fuzzy Hash: 2F31F2745143018FD322DF25D8987A7BBF8FB48309F40092EF69D87240E7B1AA54CB52
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 03991A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03991AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03991B13
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
            • Instruction ID: 9085223efbe155d61205e978ac8a5d6c7abb39902758ff233f2e4bb4e7bb3d46
            • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
            • Instruction Fuzzy Hash: 6912DE24E18658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4E81CF5A
            APIs
            • CharLowerBuffW.USER32(?,?), ref: 0034F314
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: BuffCharLower
            • String ID:
            • API String ID: 2358735015-0
            • Opcode ID: e1aa68fb74ff798065dc9c9f1e504acfff1d0ab54d50b40ec2c5c893a3ec53b4
            • Instruction ID: 128748c469263c6b23f13a9dd889338704a98fa727143813f1426414a59af674
            • Opcode Fuzzy Hash: e1aa68fb74ff798065dc9c9f1e504acfff1d0ab54d50b40ec2c5c893a3ec53b4
            • Instruction Fuzzy Hash: 6E41D676600209AFCB12EF64C8409AFB3F8FF44314B19853EE5569B251DB70EE41CB50
            APIs
              • Part of subcall function 002E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002E4EDD,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E9C
              • Part of subcall function 002E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002E4EAE
              • Part of subcall function 002E4E90: FreeLibrary.KERNEL32(00000000,?,?,002E4EDD,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4EC0
            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4EFD
              • Part of subcall function 002E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00323CDE,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E62
              • Part of subcall function 002E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002E4E74
              • Part of subcall function 002E4E59: FreeLibrary.KERNEL32(00000000,?,?,00323CDE,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E87
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Library$Load$AddressFreeProc
            • String ID:
            • API String ID: 2632591731-0
            • Opcode ID: f3d3b8620118ad4f2c331484dfb824519a6383361896317cf3769f2b6c9967ca
            • Instruction ID: 7ca46802d48e069460e5815a9111bb7e0f7224ec7771f52e5b4b28bc318a3b19
            • Opcode Fuzzy Hash: f3d3b8620118ad4f2c331484dfb824519a6383361896317cf3769f2b6c9967ca
            • Instruction Fuzzy Hash: 26113A326B0315AACF25FF62DC02FAD77A4AF40B14F50882DF542AA1C1DE789A249B50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: __wsopen_s
            • String ID:
            • API String ID: 3347428461-0
            • Opcode ID: 4a823e5d5d96130f4d8f77a8031661c30a574e9316ae5bb9ea0ebe100893e3cd
            • Instruction ID: f02039dd8865d0911450e7d972f358230fb685daea245378d41977826032a05e
            • Opcode Fuzzy Hash: 4a823e5d5d96130f4d8f77a8031661c30a574e9316ae5bb9ea0ebe100893e3cd
            • Instruction Fuzzy Hash: 7111487190410AAFCB0ADF58E9409DA7BF9EF48304F114069F808AB312DB30DA11CBA8
            APIs
              • Part of subcall function 00314C7D: RtlAllocateHeap.NTDLL(00000008,002E1129,00000000,?,00312E29,00000001,00000364,?,?,?,0030F2DE,00313863,003B1444,?,002FFDF5,?), ref: 00314CBE
            • _free.LIBCMT ref: 0031506C
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
            • Instruction ID: 6127c9d02387435e8f4c2d6ccd819e3e88ad5a89b1d1598b299d0bf329218157
            • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
            • Instruction Fuzzy Hash: 90012672204704ABE3268F699881ADAFBECFBCD370F25051DE18487280EA30A845C6B4
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
            • Instruction ID: 53e90d9dd617ffb5143759bdc47b246d7bec12f921a8a2ede5ef33184be3c6dc
            • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
            • Instruction Fuzzy Hash: 39F07832602A18AAC7373A69AC25B9B338C8F56330F110F15F420DB1C2CF75D84186A9
            APIs
            • RtlAllocateHeap.NTDLL(00000008,002E1129,00000000,?,00312E29,00000001,00000364,?,?,?,0030F2DE,00313863,003B1444,?,002FFDF5,?), ref: 00314CBE
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 5e7f6a43747dfa47dab09a713ee2813ae4de07891638c2c6fe713031ee994b8f
            • Instruction ID: 0ccaf65eadf5762bd2e11b4cefe26c01ab2c4c6c22f1ac8e455260e2d4dbeca8
            • Opcode Fuzzy Hash: 5e7f6a43747dfa47dab09a713ee2813ae4de07891638c2c6fe713031ee994b8f
            • Instruction Fuzzy Hash: 3FF0E93160322477DB2B5F669C09BDA378CBF55BA0B168125BD19AA5C0CA30D88087E0
            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 1483ef05d77d1b30e2652be7c75b1a687fe9c757e3029e5c87fc15dce48348d5
            • Instruction ID: 95cca5b021f5bdb032f23e3785cd75b3ea2cc98c4c6b235cc811aa2980b3331c
            • Opcode Fuzzy Hash: 1483ef05d77d1b30e2652be7c75b1a687fe9c757e3029e5c87fc15dce48348d5
            • Instruction Fuzzy Hash: 0BE02B3110122496D73727779C14BDB374CAF467B0F060134BD0C968C0DB10DE8582E1
            APIs
            • FreeLibrary.KERNEL32(?,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4F6D
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 20bba480f60aafea2671a3aa3fe011aeabc24893e2cd176b18ebf2ea675eae92
            • Instruction ID: 661834d2912bd787566189082913f60452b43ea12b4f6e0229477d9b9dfadcec
            • Opcode Fuzzy Hash: 20bba480f60aafea2671a3aa3fe011aeabc24893e2cd176b18ebf2ea675eae92
            • Instruction Fuzzy Hash: EEF0A070165382CFCB34AF22D490812B7E4BF00719350897EE1DA83910C7319C54DF00
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002E2DC4
              • Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: LongNamePath_wcslen
            • String ID:
            • API String ID: 541455249-0
            • Opcode ID: c63f0e4c3afca630c9133a65f46dd24e523d9a220b8e2797f6f1aa7e08a74d2d
            • Instruction ID: 71993e6c503ba1a968fb55d052b986118f9cd59ca0442df382f3300761518046
            • Opcode Fuzzy Hash: c63f0e4c3afca630c9133a65f46dd24e523d9a220b8e2797f6f1aa7e08a74d2d
            • Instruction Fuzzy Hash: 98E0CD726001246BCB2192589C05FDA77DDDFC87D0F040175FD09E7258D960ADC08550
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction ID: 6a72028c7e3c37a6431d6f4335a8d68ac11ff2bc42d7b36f4e7402c8f37b78fe
            • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction Fuzzy Hash: EDE048B06097005FDF395A28A861BB777D49F4A301F01085EF99B92252E5726845864D
            APIs
              • Part of subcall function 002E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002E3908
              • Part of subcall function 002ED730: GetInputState.USER32 ref: 002ED807
            • SetCurrentDirectoryW.KERNEL32(?), ref: 002E2B6B
              • Part of subcall function 002E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 002E314E
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: IconNotifyShell_$CurrentDirectoryInputState
            • String ID:
            • API String ID: 3667716007-0
            • Opcode ID: d0bc3074b45727e2366ab1a33be1136b3bf1e46b3254a92390f9d3ab3144cbf5
            • Instruction ID: be93071179b643f098456588a640ea88d0b51867784987968ea8df5a86bfda6c
            • Opcode Fuzzy Hash: d0bc3074b45727e2366ab1a33be1136b3bf1e46b3254a92390f9d3ab3144cbf5
            • Instruction Fuzzy Hash: 1BE026213A02C443C604FB33A82A5ADB35D8BD1316FC0153EF14283162CE244AA94B11
            APIs
            • CreateFileW.KERNELBASE(00000000,00000000,?,00320704,?,?,00000000,?,00320704,00000000,0000000C), ref: 003203B7
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 8853cab1524b1ff07dbabb609917fdc0f1b84d17a1dd5462fa3ff0e72bdb4614
            • Instruction ID: 0a2c23d1c6648867d0d74b3b73fe6479e637abbd7713db9ecbede55b7eb94c08
            • Opcode Fuzzy Hash: 8853cab1524b1ff07dbabb609917fdc0f1b84d17a1dd5462fa3ff0e72bdb4614
            • Instruction Fuzzy Hash: D9D06C3205010DBBDF128F84DD06EDA3BAAFB48714F014050BE1866020C732E861AB90
            APIs
            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 002E1CBC
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: InfoParametersSystem
            • String ID:
            • API String ID: 3098949447-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 039922B1
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 039922B1
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            APIs
              • Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0037961A
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0037965B
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0037969F
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003796C9
            • SendMessageW.USER32 ref: 003796F2
            • GetKeyState.USER32(00000011), ref: 0037978B
            • GetKeyState.USER32(00000009), ref: 00379798
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003797AE
            • GetKeyState.USER32(00000010), ref: 003797B8
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003797E9
            • SendMessageW.USER32 ref: 00379810
            • SendMessageW.USER32(?,00001030,?,00377E95), ref: 00379918
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0037992E
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00379941
            • SetCapture.USER32(?), ref: 0037994A
            • ClientToScreen.USER32(?,?), ref: 003799AF
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003799BC
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003799D6
            • ReleaseCapture.USER32 ref: 003799E1
            • GetCursorPos.USER32(?), ref: 00379A19
            • ScreenToClient.USER32(?,?), ref: 00379A26
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00379A80
            • SendMessageW.USER32 ref: 00379AAE
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00379AEB
            • SendMessageW.USER32 ref: 00379B1A
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00379B3B
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00379B4A
            • GetCursorPos.USER32(?), ref: 00379B68
            • ScreenToClient.USER32(?,?), ref: 00379B75
            • GetParent.USER32(?), ref: 00379B93
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00379BFA
            • SendMessageW.USER32 ref: 00379C2B
            • ClientToScreen.USER32(?,?), ref: 00379C84
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00379CB4
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00379CDE
            • SendMessageW.USER32 ref: 00379D01
            • ClientToScreen.USER32(?,?), ref: 00379D4E
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00379D82
              • Part of subcall function 002F9944: GetWindowLongW.USER32(?,000000EB), ref: 002F9952
            • GetWindowLongW.USER32(?,000000F0), ref: 00379E05
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
            • String ID: @GUI_DRAGID$F$p#;
            • API String ID: 3429851547-1510108329
            APIs
            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003748F3
            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00374908
            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00374927
            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0037494B
            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0037495C
            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0037497B
            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003749AE
            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003749D4
            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00374A0F
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00374A56
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00374A7E
            • IsMenu.USER32(?), ref: 00374A97
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00374AF2
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00374B20
            • GetWindowLongW.USER32(?,000000F0), ref: 00374B94
            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00374BE3
            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00374C82
            • wsprintfW.USER32 ref: 00374CAE
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00374CC9
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00374CF1
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00374D13
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00374D33
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00374D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
            • String ID: %d/%02d/%02d
            • API String ID: 4054740463-328681919
            APIs
            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 002FF998
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0033F474
            • IsIconic.USER32(00000000), ref: 0033F47D
            • ShowWindow.USER32(00000000,00000009), ref: 0033F48A
            • SetForegroundWindow.USER32(00000000), ref: 0033F494
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0033F4AA
            • GetCurrentThreadId.KERNEL32 ref: 0033F4B1
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0033F4BD
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0033F4CE
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0033F4D6
            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0033F4DE
            • SetForegroundWindow.USER32(00000000), ref: 0033F4E1
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0033F4F6
            • keybd_event.USER32(00000012,00000000), ref: 0033F501
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0033F50B
            • keybd_event.USER32(00000012,00000000), ref: 0033F510
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0033F519
            • keybd_event.USER32(00000012,00000000), ref: 0033F51E
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0033F528
            • keybd_event.USER32(00000012,00000000), ref: 0033F52D
            • SetForegroundWindow.USER32(00000000), ref: 0033F530
            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0033F557
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            APIs
              • Part of subcall function 003416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0034170D
              • Part of subcall function 003416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0034173A
              • Part of subcall function 003416C3: GetLastError.KERNEL32 ref: 0034174A
            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00341286
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003412A8
            • CloseHandle.KERNEL32(?), ref: 003412B9
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003412D1
            • GetProcessWindowStation.USER32 ref: 003412EA
            • SetProcessWindowStation.USER32(00000000), ref: 003412F4
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00341310
              • Part of subcall function 003410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003411FC), ref: 003410D4
              • Part of subcall function 003410BF: CloseHandle.KERNEL32(?,?,003411FC), ref: 003410E9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
            • String ID: $default$winsta0$Z:
            • API String ID: 22674027-902221358
            APIs
              • Part of subcall function 003410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00341114
              • Part of subcall function 003410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341120
              • Part of subcall function 003410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 0034112F
              • Part of subcall function 003410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341136
              • Part of subcall function 003410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0034114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00340BCC
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00340C00
            • GetLengthSid.ADVAPI32(?), ref: 00340C17
            • GetAce.ADVAPI32(?,00000000,?), ref: 00340C51
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00340C6D
            • GetLengthSid.ADVAPI32(?), ref: 00340C84
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00340C8C
            • HeapAlloc.KERNEL32(00000000), ref: 00340C93
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00340CB4
            • CopySid.ADVAPI32(00000000), ref: 00340CBB
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00340CEA
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00340D0C
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00340D1E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340D45
            • HeapFree.KERNEL32(00000000), ref: 00340D4C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340D55
            • HeapFree.KERNEL32(00000000), ref: 00340D5C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340D65
            • HeapFree.KERNEL32(00000000), ref: 00340D6C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00340D78
            • HeapFree.KERNEL32(00000000), ref: 00340D7F
              • Part of subcall function 00341193: GetProcessHeap.KERNEL32(00000008,00340BB1,?,00000000,?,00340BB1,?), ref: 003411A1
              • Part of subcall function 00341193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00340BB1,?), ref: 003411A8
              • Part of subcall function 00341193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00340BB1,?), ref: 003411B7
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            APIs
            • OpenClipboard.USER32(0037CC08), ref: 0035EB29
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0035EB37
            • GetClipboardData.USER32(0000000D), ref: 0035EB43
            • CloseClipboard.USER32 ref: 0035EB4F
            • GlobalLock.KERNEL32(00000000), ref: 0035EB87
            • CloseClipboard.USER32 ref: 0035EB91
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0035EBBC
            • IsClipboardFormatAvailable.USER32(00000001), ref: 0035EBC9
            • GetClipboardData.USER32(00000001), ref: 0035EBD1
            • GlobalLock.KERNEL32(00000000), ref: 0035EBE2
            • GlobalUnlock.KERNEL32(00000000,?), ref: 0035EC22
            • IsClipboardFormatAvailable.USER32(0000000F), ref: 0035EC38
            • GetClipboardData.USER32(0000000F), ref: 0035EC44
            • GlobalLock.KERNEL32(00000000), ref: 0035EC55
            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0035EC77
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0035EC94
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0035ECD2
            • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0035ECF3
            • CountClipboardFormats.USER32 ref: 0035ED14
            • CloseClipboard.USER32 ref: 0035ED59
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
            • String ID:
            • API String ID: 420908878-0
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 003569BE
            • FindClose.KERNEL32(00000000), ref: 00356A12
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00356A4E
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00356A75
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00356AB2
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00356ADF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
            • API String ID: 3830820486-3289030164
            APIs
            • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00359663
            • GetFileAttributesW.KERNEL32(?), ref: 003596A1
            • SetFileAttributesW.KERNEL32(?,?), ref: 003596BB
            • FindNextFileW.KERNEL32(00000000,?), ref: 003596D3
            • FindClose.KERNEL32(00000000), ref: 003596DE
            • FindFirstFileW.KERNEL32(*.*,?), ref: 003596FA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 0035974A
            • SetCurrentDirectoryW.KERNEL32(003A6B7C), ref: 00359768
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00359772
            • FindClose.KERNEL32(00000000), ref: 0035977F
            • FindClose.KERNEL32(00000000), ref: 0035978F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1409584000-438819550
            APIs
            • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 003597BE
            • FindNextFileW.KERNEL32(00000000,?), ref: 00359819
            • FindClose.KERNEL32(00000000), ref: 00359824
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00359840
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00359890
            • SetCurrentDirectoryW.KERNEL32(003A6B7C), ref: 003598AE
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 003598B8
            • FindClose.KERNEL32(00000000), ref: 003598C5
            • FindClose.KERNEL32(00000000), ref: 003598D5
              • Part of subcall function 0034DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0034DB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 2640511053-438819550
            APIs
            • GetLocalTime.KERNEL32(?), ref: 00358257
            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00358267
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00358273
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00358310
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00358324
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00358356
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0035838C
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00358395
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Similarity
            • API ID: CurrentDirectoryTime$File$Local$System
            • String ID: *.*
            • API String ID: 1464919966-438819550
            APIs
              • Part of subcall function 002E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E3A97,?,?,002E2E7F,?,?,?,00000000), ref: 002E3AC2
              • Part of subcall function 0034E199: GetFileAttributesW.KERNEL32(?,0034CF95), ref: 0034E19A
            • FindFirstFileW.KERNEL32(?,?), ref: 0034D122
            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0034D1DD
            • MoveFileW.KERNEL32(?,?), ref: 0034D1F0
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0034D20D
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0034D237
              • Part of subcall function 0034D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0034D21C,?,?), ref: 0034D2B2
            • FindClose.KERNEL32(00000000,?,?,?), ref: 0034D253
            • FindClose.KERNEL32(00000000), ref: 0034D264
            Strings
            Similarity
            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 1946585618-1173974218
            APIs
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            APIs
              • Part of subcall function 003416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0034170D
              • Part of subcall function 003416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0034173A
              • Part of subcall function 003416C3: GetLastError.KERNEL32 ref: 0034174A
            • ExitWindowsEx.USER32(?,00000000), ref: 0034E932
            Strings
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $ $@$SeShutdownPrivilege
            • API String ID: 2234035333-3163812486
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00361276
            • WSAGetLastError.WSOCK32 ref: 00361283
            • bind.WSOCK32(00000000,?,00000010), ref: 003612BA
            • WSAGetLastError.WSOCK32 ref: 003612C5
            • closesocket.WSOCK32(00000000), ref: 003612F4
            • listen.WSOCK32(00000000,00000005), ref: 00361303
            • WSAGetLastError.WSOCK32 ref: 0036130D
            • closesocket.WSOCK32(00000000), ref: 0036133C
            Similarity
            • API ID: ErrorLast$closesocket$bindlistensocket
            • String ID:
            • API String ID: 540024437-0
            APIs
            • _free.LIBCMT ref: 0031B9D4
            • _free.LIBCMT ref: 0031B9F8
            • _free.LIBCMT ref: 0031BB7F
            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00383700), ref: 0031BB91
            • WideCharToMultiByte.KERNEL32(00000000,00000000,003B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0031BC09
            • WideCharToMultiByte.KERNEL32(00000000,00000000,003B1270,000000FF,?,0000003F,00000000,?), ref: 0031BC36
            • _free.LIBCMT ref: 0031BD4B
            Similarity
            • API ID: _free$ByteCharMultiWide$InformationTimeZone
            • String ID:
            • API String ID: 314583886-0
            APIs
              • Part of subcall function 002E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E3A97,?,?,002E2E7F,?,?,?,00000000), ref: 002E3AC2
              • Part of subcall function 0034E199: GetFileAttributesW.KERNEL32(?,0034CF95), ref: 0034E19A
            • FindFirstFileW.KERNEL32(?,?), ref: 0034D420
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 0034D470
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0034D481
            • FindClose.KERNEL32(00000000), ref: 0034D498
            • FindClose.KERNEL32(00000000), ref: 0034D4A1
            Strings
            Similarity
            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
            • String ID: \*.*
            • API String ID: 2649000838-1173974218
            APIs
            Strings
            Similarity
            • API ID: __floor_pentium4
            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
            • API String ID: 4168288129-2761157908
            APIs
            • _wcslen.LIBCMT ref: 003564DC
            • CoInitialize.OLE32(00000000), ref: 00356639
            • CoCreateInstance.OLE32(0037FCF8,00000000,00000001,0037FB68,?), ref: 00356650
            • CoUninitialize.OLE32 ref: 003568D4
            Strings
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 886957087-24824748
            APIs
            • GetForegroundWindow.USER32(?,?,00000000), ref: 003622E8
              • Part of subcall function 0035E4EC: GetWindowRect.USER32(?,?), ref: 0035E504
            • GetDesktopWindow.USER32 ref: 00362312
            • GetWindowRect.USER32(00000000), ref: 00362319
            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00362355
            • GetCursorPos.USER32(?), ref: 00362381
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003623DF
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForeground
            • String ID:
            • API String ID: 2387181109-0
            APIs
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00359B78
            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00359C8B
              • Part of subcall function 00353874: GetInputState.USER32 ref: 003538CB
              • Part of subcall function 00353874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00353966
            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00359BA8
            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00359C75
            Strings
            Similarity
            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
            • String ID: *.*
            • API String ID: 1972594611-438819550
            APIs
              • Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 002F9A4E
            • GetSysColor.USER32(0000000F), ref: 002F9B23
            • SetBkColor.GDI32(?,00000000), ref: 002F9B36
            Similarity
            • API ID: Color$LongProcWindow
            • String ID:
            • API String ID: 3131106179-0
            APIs
              • Part of subcall function 0036304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0036307A
              • Part of subcall function 0036304E: _wcslen.LIBCMT ref: 0036309B
            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0036185D
            • WSAGetLastError.WSOCK32 ref: 00361884
            • bind.WSOCK32(00000000,?,00000010), ref: 003618DB
            • WSAGetLastError.WSOCK32 ref: 003618E6
            • closesocket.WSOCK32(00000000), ref: 00361915
            Similarity
            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 1601658205-0
            Strings
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003482AA
            Strings
            Similarity
            • API ID: lstrlen
            • String ID: ($tb:$|
            • API String ID: 1659193697-3789105877
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 0036A6AC
            • Process32FirstW.KERNEL32(00000000,?), ref: 0036A6BA
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • Process32NextW.KERNEL32(00000000,?), ref: 0036A79C
            • CloseHandle.KERNEL32(00000000), ref: 0036A7AB
              • Part of subcall function 002FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00323303,?), ref: 002FCE8A
            Similarity
            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
            • String ID:
            • API String ID: 1991900642-0
            APIs
            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0034AAAC
            • SetKeyboardState.USER32(00000080), ref: 0034AAC8
            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0034AB36
            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0034AB88
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            APIs
            • InternetReadFile.WININET(?,?,00000400,?), ref: 0035CE89
            • GetLastError.KERNEL32(?,00000000), ref: 0035CEEA
            • SetEvent.KERNEL32(?,?,00000000), ref: 0035CEFE
            Similarity
            • API ID: ErrorEventFileInternetLastRead
            • String ID:
            • API String ID: 234945975-0
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 0031271A
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00312724
            • UnhandledExceptionFilter.KERNEL32(?), ref: 00312731
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: 480045e0cf571489f169a2d6eea1c81c2241a94588abfe3bcc8b5e338c224b67
            • Instruction ID: 843ad76264dba931a0fa18ddd7bc7ae0ef815d0b77e61b20d310d6004255094b
            • Opcode Fuzzy Hash: 480045e0cf571489f169a2d6eea1c81c2241a94588abfe3bcc8b5e338c224b67
            • Instruction Fuzzy Hash: 8331C67491121C9BCB26DF68DC897DDB7B8AF08310F5041EAE41CA72A1E7749F918F45
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 003551DA
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00355238
            • SetErrorMode.KERNEL32(00000000), ref: 003552A1
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: 1267964b4a26c34dc01abb780e6ffdf0b8e5cf8575356f7de578f8be13fffc6b
            • Instruction ID: c6efbd2d5441ad4e632163d4afd0c25c9f6673ee66615a85c1804c266f516560
            • Opcode Fuzzy Hash: 1267964b4a26c34dc01abb780e6ffdf0b8e5cf8575356f7de578f8be13fffc6b
            • Instruction Fuzzy Hash: 08318E35A10508DFDB01DF94D884EADBBB4FF08314F448499E809AB362DB31E85ACF90
            APIs
              • Part of subcall function 002FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00300668
              • Part of subcall function 002FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00300685
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0034170D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0034173A
            • GetLastError.KERNEL32 ref: 0034174A
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
            • String ID:
            • API String ID: 577356006-0
            • Opcode ID: 32082849392c2fefaa412d92023a6120eea08741270256b55009387cdbed9b8d
            • Instruction ID: 112f6b4768b9a191f003c863007e3bb713b324f7371ef3c4652c5297ecb87024
            • Opcode Fuzzy Hash: 32082849392c2fefaa412d92023a6120eea08741270256b55009387cdbed9b8d
            • Instruction Fuzzy Hash: 9F11C1B2410308AFE7289F54DC86D6ABBFDFF04754B20852EE05657241EB70FC81CA60
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0034D608
            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0034D645
            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0034D650
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: 32e597aa5efb022675d2d9baab3dfd4010596d07b90792b45785e436c5c3cdfe
            • Instruction ID: 27106054435bceea69e3b0513266e8c8ef047a52ee2fba2748f0f1cad985a64e
            • Opcode Fuzzy Hash: 32e597aa5efb022675d2d9baab3dfd4010596d07b90792b45785e436c5c3cdfe
            • Instruction Fuzzy Hash: 34118E75E01228BFDB218F98DC44FAFBBBCEB45B50F108125F908E7290C2705A018BA1
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0034168C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003416A1
            • FreeSid.ADVAPI32(?), ref: 003416B1
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: ba97fbf77a9daec119a1924f5bc0ed47865990d115af1a0c4b25161acce984b0
            • Instruction ID: 7ffcf5865425d9c2f858cc0113e91ba23a29403b7b123ebab20e0f2069fe76c7
            • Opcode Fuzzy Hash: ba97fbf77a9daec119a1924f5bc0ed47865990d115af1a0c4b25161acce984b0
            • Instruction Fuzzy Hash: 46F0F471950309FBDB01DFE49C89EAEBBBCFB08704F504565E901E2181E774EA848BA0
            APIs
            • GetCurrentProcess.KERNEL32(003128E9,?,00304CBE,003128E9,003A88B8,0000000C,00304E15,003128E9,00000002,00000000,?,003128E9), ref: 00304D09
            • TerminateProcess.KERNEL32(00000000,?,00304CBE,003128E9,003A88B8,0000000C,00304E15,003128E9,00000002,00000000,?,003128E9), ref: 00304D10
            • ExitProcess.KERNEL32 ref: 00304D22
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            • Opcode ID: ca031ec6117dc2f568d15bf2336664c5fdea865b18f75cc70be270fbf6b9e085
            • Instruction ID: b5af83913043c54f7df5b5ed03f445d148d124d5a9707e79102b06bdf28179d1
            • Opcode Fuzzy Hash: ca031ec6117dc2f568d15bf2336664c5fdea865b18f75cc70be270fbf6b9e085
            • Instruction Fuzzy Hash: E8E0B671011248BBDF23AF54DD19A983B6DEB45785F114018FD099A173CB39DE82CA80
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: /
            • API String ID: 0-2043925204
            • Opcode ID: 892b3b89f75cc4d14d220bb0e0a85139208e140fef88e7a76f14cbc0698ad5c9
            • Instruction ID: e8d916df47d028a38b23db890b63d40bc30ee01ac5258cdeb5774092137346a0
            • Opcode Fuzzy Hash: 892b3b89f75cc4d14d220bb0e0a85139208e140fef88e7a76f14cbc0698ad5c9
            • Instruction Fuzzy Hash: D3414776940218AFCB299FB9CC48EFB77B8EB88314F1046A9F915DB180E6309DC1CB50
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 0033D28C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: NameUser
            • String ID: X64
            • API String ID: 2645101109-893830106
            • Opcode ID: 05af764843eb40e13c747122e09fbc4c8842751dc570fa3b016ea96aaa7c25ae
            • Instruction ID: dcce25237e2ee60682522b99b1a8c19f9db3b5961640be6bf3f92d7f6e7f6f6b
            • Opcode Fuzzy Hash: 05af764843eb40e13c747122e09fbc4c8842751dc570fa3b016ea96aaa7c25ae
            • Instruction Fuzzy Hash: 07D0C9B482511DEBCF91CB90ECC8DDAB37CBB04345F100559F506E2000DB7095488F10
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
            • Instruction ID: c661685a31be2872e9cc906c8d5929f5bb0967ce17e72dd5a26a48252d9835f3
            • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
            • Instruction Fuzzy Hash: 45022D71E112199BDF15CFA9C8906ADFBF1EF48314F25826AD819EB384D730AE41CB84
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: Variable is not of type 'Object'.$p#;
            • API String ID: 0-3772276233
            • Opcode ID: e73887fd49ebc9397773207932c7cd0f32d760f19c25af197e1d0683e4159f26
            • Instruction ID: 52ac94188f03bd30c80b49c06b00d66b0b60f490b6884dfe2c49d42076592d18
            • Opcode Fuzzy Hash: e73887fd49ebc9397773207932c7cd0f32d760f19c25af197e1d0683e4159f26
            • Instruction Fuzzy Hash: 0232CE70960258DFCF19DF91C890AEDB7B5BF05304FA4806AE806AB292C775AD56CF60
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00356918
            • FindClose.KERNEL32(00000000), ref: 00356961
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 5a6c355d3467bc8c4e4333d0bc38ca9e669c983f6ca1a8dbc3a84d3bebb1a8de
            • Instruction ID: 9a81723467c053437ee1609ccf9e8b2694895f6b1a6894a7299c02d07e95843f
            • Opcode Fuzzy Hash: 5a6c355d3467bc8c4e4333d0bc38ca9e669c983f6ca1a8dbc3a84d3bebb1a8de
            • Instruction Fuzzy Hash: 5A11D0316142009FCB10CF6AD485E16BBE4FF84329F55C69DE8698F6A2CB30EC45CB91
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00364891,?,?,00000035,?), ref: 003537E4
            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00364891,?,?,00000035,?), ref: 003537F4
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: ae23646546ee24ed993998c0ad0d4c1c33e0778edfa0385b85ed2d7de6ba0b27
            • Instruction ID: a90967553379dcc4f84521531fa3a7e965f0a478a8c64de2e71ea625d63781ce
            • Opcode Fuzzy Hash: ae23646546ee24ed993998c0ad0d4c1c33e0778edfa0385b85ed2d7de6ba0b27
            • Instruction Fuzzy Hash: C7F0EC706052243AE72117765C4DFDB369DEFC8761F000165F509D2291D9605944C7B0
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0034B25D
            • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0034B270
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: InputSendkeybd_event
            • String ID:
            • API String ID: 3536248340-0
            • Opcode ID: dbb73685a8006a184d14475a2f3885d9047b016a12835b8ab6a0b3f13857e339
            • Instruction ID: 255be6c42f43da99259a0db65970af55e115a05b52d80dc3c9f00d37abcf6439
            • Opcode Fuzzy Hash: dbb73685a8006a184d14475a2f3885d9047b016a12835b8ab6a0b3f13857e339
            • Instruction Fuzzy Hash: 34F06D7080428EABDB169FA0C805BAEBBB4FF04305F008409F955A91A2C379D2019F94
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003411FC), ref: 003410D4
            • CloseHandle.KERNEL32(?,?,003411FC), ref: 003410E9
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: 67ad5a07b4d181fad6be138563b7db9bd60d0f62cb70a2ecc9b65e3a7f1c8f26
            • Instruction ID: 60e5908ec6b08c01eb43c435e731022a940c89d857f721da1b9ffd5c6f8b4678
            • Opcode Fuzzy Hash: 67ad5a07b4d181fad6be138563b7db9bd60d0f62cb70a2ecc9b65e3a7f1c8f26
            • Instruction Fuzzy Hash: BEE09A72024610AEF7662B51FD05E77B7A9EF04350F14882DB5A5844B1DA62ACE0DA50
            APIs
            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00316766,?,?,00000008,?,?,0031FEFE,00000000), ref: 00316998
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ExceptionRaise
            • String ID:
            • API String ID: 3997070919-0
            • Opcode ID: f7f8aafc6e9c6ce8a12d77ea875c924c777f1da13cc7587e2dd9483424ba88a0
            • Instruction ID: eda4d4bbe5e8ba3bcac1506e9ccfe91c04b0d5b3642cd99b8b4dd8310bd44b51
            • Opcode Fuzzy Hash: f7f8aafc6e9c6ce8a12d77ea875c924c777f1da13cc7587e2dd9483424ba88a0
            • Instruction Fuzzy Hash: 65B13D71510609DFD71ACF68C486BA57BE0FF49364F2A8658E899CF2A2C335D991CB40
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 4619fa1405ad5fab39296aa4c232186cd5db9e2b15a39ffa25d7346b0dcee581
            • Instruction ID: 4d90899b668a794de3f7f6d2edfcb7d986e197e4b4f9161db4dbb142979366f5
            • Opcode Fuzzy Hash: 4619fa1405ad5fab39296aa4c232186cd5db9e2b15a39ffa25d7346b0dcee581
            • Instruction Fuzzy Hash: D4127F759102299FDB25CF58C9906FEB7B5FF48310F1081AAE949EB251EB709A81CF90
            APIs
            • BlockInput.USER32(00000001), ref: 0035EABD
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: badffc1a343a7e667ead0d44f3fc82fac2c46886ce89ded7516e7b779a0c7e04
            • Instruction ID: 5f3b075f159af961a5998f94cb4421919d0c5af79601d052db32a1f7b3a9efdb
            • Opcode Fuzzy Hash: badffc1a343a7e667ead0d44f3fc82fac2c46886ce89ded7516e7b779a0c7e04
            • Instruction Fuzzy Hash: 34E04F312202049FC711EF6AD844E9AF7EDBF98760F40841AFD4AC7361DB70E9458B90
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003003EE), ref: 003009DA
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 359eaca76ce59ca37fb12e97dff5f92f8ff2da61fce9cc5158c9cbfaace39373
            • Instruction ID: 3230b14bd0285e523bdd5b6733ac8de1ab7186568c60bff5211bf615551522ad
            • Opcode Fuzzy Hash: 359eaca76ce59ca37fb12e97dff5f92f8ff2da61fce9cc5158c9cbfaace39373
            • Instruction Fuzzy Hash:
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
            • Instruction ID: 0d60be49666c2d48ecc3baf80eebbc6e9bf88ff7cbf29e3cc840fb7c495e48d0
            • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
            • Instruction Fuzzy Hash: B3515861E0F6495BDB3B8668887F7FF23899B42340F198509D886DBAC2C715FE41D362
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: 0&;
            • API String ID: 0-2852083330
            • Opcode ID: 0cf4e3ba703912d7bd9f06c94cb620f6561128ddec410f5fb560ba7eb44d0774
            • Instruction ID: 18043645df1025120f020c567c49f565eac05d6a4e3aa37c034970ba8fa91175
            • Opcode Fuzzy Hash: 0cf4e3ba703912d7bd9f06c94cb620f6561128ddec410f5fb560ba7eb44d0774
            • Instruction Fuzzy Hash: 9821D5326216118BDB28CE79C822A7F73E9A754314F158A2EE4A7C77D0DE35A904CB80
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ce62b83847241a4b35bb93e1120dfef9b55567b8b007d2100e0a56cb51f75cdb
            • Instruction ID: 57c68abbfbb002ef82c10cbf4410bebfface702434fe7ab6aa89cdb0a72f1865
            • Opcode Fuzzy Hash: ce62b83847241a4b35bb93e1120dfef9b55567b8b007d2100e0a56cb51f75cdb
            • Instruction Fuzzy Hash: 8F320431D29F014DD7279634D822336A69DAFBB3C5F19D737E82AB59A5EB29C4C34200
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2e7ee23ac106373627839be1d4c9ab0481e7fa8a12040afcfcc255b82d832ecd
            • Instruction ID: 4554813c622a49e38a04c304e315c6f23d66738472c37f103e244d1789182db5
            • Opcode Fuzzy Hash: 2e7ee23ac106373627839be1d4c9ab0481e7fa8a12040afcfcc255b82d832ecd
            • Instruction Fuzzy Hash: 03323831A2025D8BCF2ACF28C5D067DB7A1EB45340F39A17BE949AB6A1D330DD91DB40
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d3a2b0887038da6570cff66a363da09c2b5fa01048ba11a4174273f9ba949207
            • Instruction ID: 45d5004cd7820374826ed9facbbd0a9dc568387b5cc331bf86537bf3b0b6f399
            • Opcode Fuzzy Hash: d3a2b0887038da6570cff66a363da09c2b5fa01048ba11a4174273f9ba949207
            • Instruction Fuzzy Hash: E722D270A1465ADFDF14CF65D881AAEB3F5FF44300F604629E816EB291EB35AE60CB50
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b9f2d8c48931bb8677b03a08aa1a65bd5201a9f411b553bb1cbd6365f88eb339
            • Instruction ID: ed53c2fc56cf3f04f10976b6048bb3d347128d4b60c8f1a2ae966e624ca97547
            • Opcode Fuzzy Hash: b9f2d8c48931bb8677b03a08aa1a65bd5201a9f411b553bb1cbd6365f88eb339
            • Instruction Fuzzy Hash: D702E7B1E10119EFDF05DF55D982AAEB7B5FF44300F518169E9069B290EB31AE60CF80
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
            • Instruction ID: 3219f7ac0d0d862c2a87377a316726b52a4ef92afa7f70fac8d908009361df37
            • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
            • Instruction Fuzzy Hash: AF91517220B0A34ADB6F427A857403EFFE55A923A231B079ED4F2CA5C1FF24C564D620
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d77d1f0c5eb37d3c158829a7db46a74f645964bfaa6cf88abc5411e776d995a3
            • Instruction ID: b8fec7d5e73f975c5945fd0a4351ba3132c10aea91594fccd9fe7abc664bd46f
            • Opcode Fuzzy Hash: d77d1f0c5eb37d3c158829a7db46a74f645964bfaa6cf88abc5411e776d995a3
            • Instruction Fuzzy Hash: 0C614871F0A74966EA3B9A2C88B5BBE3398DF41710F110919E883DF7C1DA51BE42C365
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
            • Instruction ID: 2214ad5120ee1f6398a26da053f7c868e8283540e1311f5a212be8d4e32acb4a
            • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
            • Instruction Fuzzy Hash: 1F81953360A0A34ADB6F427A857443EFFE15A923A131B079DD4F2CB5C1EE24C654E660
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f1530c5c3dcf19450da0e34e8f03aba1a61c377fe8a23f1991782508ce064d52
            • Instruction ID: 3b1f1a94c81eb9a848a97d70294d037884ebbb556598b6df3e94ca0fbc1e973a
            • Opcode Fuzzy Hash: f1530c5c3dcf19450da0e34e8f03aba1a61c377fe8a23f1991782508ce064d52
            • Instruction Fuzzy Hash: B261FC7255EAE2DFCB139B348CE9645BFB0AE6724030949EBC0814F49BD6A49019CF97
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b3af5a99f5d9d82605ee594352612db4675f9b2ceda83f8944519d2abe60bb9
            • Instruction ID: 637d3fec78f40798e373e2580207af914ad844ae4656c25767db0864a121d755
            • Opcode Fuzzy Hash: 5b3af5a99f5d9d82605ee594352612db4675f9b2ceda83f8944519d2abe60bb9
            • Instruction Fuzzy Hash: 9531416A6AD2C05ECB030B795CBA3E23FB4DE2730475C26CBD0C15E0A3C1055687CB02
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
            • Instruction ID: ffbc3f8f6f9777806eea3c938a9a83ce3a717ef12b71f02870287cfdef2dd585
            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
            • Instruction Fuzzy Hash: EE41C171D1051CEBDF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
            • Instruction ID: 6d303d8557245be9a3708347f7c500624c763bb99218688a56bac6ed5935d0fb
            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
            • Instruction Fuzzy Hash: 7D019278A00209EFDB44DF98C5909AEF7B9FB88310F2485DAD819A7701E730EE41DB80
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
            • Instruction ID: 2f2613c270e5b4608e7eb6ca61134854f3f623f0cbff5d44f038f624fe958ef5
            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
            • Instruction Fuzzy Hash: 80019278A00209EFDB44DF98C5909AEF7B9FB4C310F64859AD809A7701E730AE41DB81
            Memory Dump Source
            • Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_3990000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
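The dump-file names in the Memory Dump Source entries above record where each function was recovered from, and that is the first thing worth separating in a report like this one: functions whose source is "based on PE: true" at image base 002E0000 belong to the on-disk executable (the AutoIt runtime, as the "AutoIt v3" strings in the API blocks show), while functions from the region at 03990000 come from memory no PE on disk accounts for, with page protection 00000040 (PAGE_EXECUTE_READWRITE) and type 00020000 (MEM_PRIVATE). The Python below is an added example, not Joe Sandbox code and not part of this report; it parses these function blocks and lists the unbacked executable regions whose dumps are worth scanning first. The layout of the .sdmp name (dotted field 3 = region base, 4 = page protection, 6 = MEM_ type, counting from 0) is an assumption inferred from the names on this page, where those fields line up with the Offset value and with the winnt.h constants; the remaining fields are left undecoded. The sample input is a constructed, cut-down excerpt of two blocks from this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# winnt.h page-protection and region-type constants; any PAGE_EXECUTE_* bit sits in 0xF0.
PAGE_PROTECTION = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                   0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# "• Key: value" field lines, and "• Api.MODULE(args), ref: ADDR" call lines that may be
# prefixed by "Part of subcall function ADDR:". The bullet is optional so pasted text parses.
FIELD_RE = re.compile(r"^\s*(?:•\s*)?(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")
API_RE = re.compile(r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\(.*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE_RE = re.compile(r"^(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                    # call site inside the function
    via_subcall: Optional[int]  # callee address when the API is reached through a subcall

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""
    module_base: int = 0        # the "Offset:" value, i.e. the image base
    pe_backed: bool = False     # the "based on PE:" value
    region_base: int = 0
    protect: int = 0
    mem_type: int = 0
    strings: List[str] = field(default_factory=list)
    apis: List[ApiCall] = field(default_factory=list)

    @property
    def unbacked_executable(self) -> bool:
        """Executable memory no on-disk PE accounts for: where an unpacked stage usually lives."""
        return (not self.pe_backed) and bool(self.protect & 0xF0)

def parse_dump_name(dump: str):
    """(region base, page protection, MEM_ type) from an .sdmp name. Assumed layout, inferred
    from this report's own names: dotted fields 3, 4 and 6; the other fields are left alone."""
    p = dump.split(".")
    return int(p[3], 16), int(p[4], 16), int(p[6], 16)

def parse_report(text: str) -> List[FunctionRecord]:
    """Split the function-level section of a Joe Sandbox report into one record per function."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["api"], m["mod"], int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # section headers: APIs, Strings, Memory Dump Source, Similarity
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            s = SOURCE_RE.match(val)
            cur.module_base, cur.pe_backed = int(s["off"], 16), s["pe"] == "true"
            cur.region_base, cur.protect, cur.mem_type = parse_dump_name(s["dump"])
        elif key == "String ID":
            cur.strings = [x for x in val.split("$") if x]
        elif key == "Opcode ID":
            cur.opcode_id = val
        elif key == "Instruction Fuzzy Hash":  # last field of every function block
            cur.instruction_fuzzy_hash = val
            records.append(cur)
            cur = FunctionRecord()
    return records

def unbacked_executable_regions(records: List[FunctionRecord]) -> List[int]:
    """Distinct bases of executable, non-image regions: dump and scan these first."""
    return sorted({r.region_base for r in records if r.unbacked_executable})

# Constructed input: a cut-down excerpt of two function blocks from this report.
SAMPLE_REPORT = """\
APIs
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362CF8
• DestroyWindow.USER32 ref: 00362B52
  • Part of subcall function 003773E8: GetSysColor.USER32(00000012), ref: 00377421
Memory Dump Source
• Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
Similarity
• String ID: $AutoIt v3$DISPLAY$static
• Opcode ID: b33fcdcca76936d4bd1c04d554cfce51ca2186db3249c7b5c5c943963288129d
• Instruction Fuzzy Hash: 98027B75910204EFDB26DF64CC89EAF7BB9EB48310F048558F919AB2A1DB74AD41CF60
Memory Dump Source
• Source File: 00000000.00000002.1257390158.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: false
Similarity
• String ID:
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction Fuzzy Hash: EE41C171D1051CEBDF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80
"""

if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"{'UNBACKED' if r.unbacked_executable else 'image'} base={r.region_base:#x} "
              f"apis={len(r.apis)} strings={r.strings}")
```

Run against the full report text, the 0x3990000 region is the only executable region the parser cannot tie to an image, which is exactly the dump to carve and run the FormBook Yara rules over; the image-backed records with "AutoIt v3", "msctls_progress32" or the drive bus-type strings can be set aside as runtime code.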
            APIs
            • DeleteObject.GDI32(00000000), ref: 00362B30
            • DeleteObject.GDI32(00000000), ref: 00362B43
            • DestroyWindow.USER32 ref: 00362B52
            • GetDesktopWindow.USER32 ref: 00362B6D
            • GetWindowRect.USER32(00000000), ref: 00362B74
            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00362CA3
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00362CB1
            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362CF8
            • GetClientRect.USER32(00000000,?), ref: 00362D04
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00362D40
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D62
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D75
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D80
            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D89
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362D98
            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362DA1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362DA8
            • GlobalFree.KERNEL32(00000000), ref: 00362DB3
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362DC5
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0037FC38,00000000), ref: 00362DDB
            • GlobalFree.KERNEL32(00000000), ref: 00362DEB
            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00362E11
            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00362E30
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00362E52
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0036303F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: b33fcdcca76936d4bd1c04d554cfce51ca2186db3249c7b5c5c943963288129d
            • Instruction ID: 723e36f2ad0d44598b58e623951f6ed9b33b34651307e49ff2fddc695b1f6406
            • Opcode Fuzzy Hash: b33fcdcca76936d4bd1c04d554cfce51ca2186db3249c7b5c5c943963288129d
            • Instruction Fuzzy Hash: 98027B75910204EFDB26DF64CC89EAF7BB9EB48310F048558F919AB2A1DB74AD41CF60
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 0037712F
            • GetSysColorBrush.USER32(0000000F), ref: 00377160
            • GetSysColor.USER32(0000000F), ref: 0037716C
            • SetBkColor.GDI32(?,000000FF), ref: 00377186
            • SelectObject.GDI32(?,?), ref: 00377195
            • InflateRect.USER32(?,000000FF,000000FF), ref: 003771C0
            • GetSysColor.USER32(00000010), ref: 003771C8
            • CreateSolidBrush.GDI32(00000000), ref: 003771CF
            • FrameRect.USER32(?,?,00000000), ref: 003771DE
            • DeleteObject.GDI32(00000000), ref: 003771E5
            • InflateRect.USER32(?,000000FE,000000FE), ref: 00377230
            • FillRect.USER32(?,?,?), ref: 00377262
            • GetWindowLongW.USER32(?,000000F0), ref: 00377284
              • Part of subcall function 003773E8: GetSysColor.USER32(00000012), ref: 00377421
              • Part of subcall function 003773E8: SetTextColor.GDI32(?,?), ref: 00377425
              • Part of subcall function 003773E8: GetSysColorBrush.USER32(0000000F), ref: 0037743B
              • Part of subcall function 003773E8: GetSysColor.USER32(0000000F), ref: 00377446
              • Part of subcall function 003773E8: GetSysColor.USER32(00000011), ref: 00377463
              • Part of subcall function 003773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00377471
              • Part of subcall function 003773E8: SelectObject.GDI32(?,00000000), ref: 00377482
              • Part of subcall function 003773E8: SetBkColor.GDI32(?,00000000), ref: 0037748B
              • Part of subcall function 003773E8: SelectObject.GDI32(?,?), ref: 00377498
              • Part of subcall function 003773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003774B7
              • Part of subcall function 003773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003774CE
              • Part of subcall function 003773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003774DB
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            • Opcode ID: a258d2d1a45b9df36041dce2872b8a40addba03f1e4428ea0e520e66ab70ebe3
            • Instruction ID: 5ddba88dbca71353511dd52134d6b5e23066bcc72fa17244fc0abcc3e362764f
            • Opcode Fuzzy Hash: a258d2d1a45b9df36041dce2872b8a40addba03f1e4428ea0e520e66ab70ebe3
            • Instruction Fuzzy Hash: BCA1C272018301AFD7229F60DC48E6B7BADFF49320F105A2DF96A961E1D735E984CB91
            APIs
            • DestroyWindow.USER32(?,?), ref: 002F8E14
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00336AC5
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00336AFE
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00336F43
              • Part of subcall function 002F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002F8BE8,?,00000000,?,?,?,?,002F8BBA,00000000,?), ref: 002F8FC5
            • SendMessageW.USER32(?,00001053), ref: 00336F7F
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00336F96
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00336FAC
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 00336FB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 2760611726-4108050209
            • Opcode ID: 02d9ed5b08583494a1f6cb58b22757802129b0c35290cb36d5e034a3d83a1d64
            • Instruction ID: f32543cd8b2430ad30396ea3a5e37cee5c85b542e126d571202c0fd59213f5aa
            • Opcode Fuzzy Hash: 02d9ed5b08583494a1f6cb58b22757802129b0c35290cb36d5e034a3d83a1d64
            • Instruction Fuzzy Hash: EF12BA30610241AFDB26CF24C895BBAF7E9FB45304F558569F6898B261CB31ECA1CF91
            APIs
            • DestroyWindow.USER32(00000000), ref: 0036273E
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0036286A
            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003628A9
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003628B9
            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00362900
            • GetClientRect.USER32(00000000,?), ref: 0036290C
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00362955
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00362964
            • GetStockObject.GDI32(00000011), ref: 00362974
            • SelectObject.GDI32(00000000,00000000), ref: 00362978
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00362988
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00362991
            • DeleteDC.GDI32(00000000), ref: 0036299A
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003629C6
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 003629DD
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00362A1D
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00362A31
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00362A42
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00362A77
            • GetStockObject.GDI32(00000011), ref: 00362A82
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00362A8D
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00362A97
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: bfb71ed475e1da792aa2db26e87f16742aafeaacc3fbeb50c60d0a975bd9269f
            • Instruction ID: 8b58586226a8e558fa99946a860fe0688bdb239f01ee32a5106cf6fd5413c082
            • Opcode Fuzzy Hash: bfb71ed475e1da792aa2db26e87f16742aafeaacc3fbeb50c60d0a975bd9269f
            • Instruction Fuzzy Hash: 6BB16D75A50605AFEB25DF68CC45FAF7BA9EB08710F418118FA19E7290D770AD40CFA0
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00354AED
            • GetDriveTypeW.KERNEL32(?,0037CB68,?,\\.\,0037CC08), ref: 00354BCA
            • SetErrorMode.KERNEL32(00000000,0037CB68,?,\\.\,0037CC08), ref: 00354D36
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: a52a04761764a4fd45ea4c11c04b6def133ee76b423571a83c25601e70b9ca1f
            • Instruction ID: 1767eb61cfd77eb6f922288ca9737cd964a3870273270037b4908c346a9922c2
            • Opcode Fuzzy Hash: a52a04761764a4fd45ea4c11c04b6def133ee76b423571a83c25601e70b9ca1f
            • Instruction Fuzzy Hash: 7361C330645205BBCB0BDF24C982DAC77B4EB8534AB244015FC06AB6A6DB35EDC99F41
            APIs
            • GetSysColor.USER32(00000012), ref: 00377421
            • SetTextColor.GDI32(?,?), ref: 00377425
            • GetSysColorBrush.USER32(0000000F), ref: 0037743B
            • GetSysColor.USER32(0000000F), ref: 00377446
            • CreateSolidBrush.GDI32(?), ref: 0037744B
            • GetSysColor.USER32(00000011), ref: 00377463
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00377471
            • SelectObject.GDI32(?,00000000), ref: 00377482
            • SetBkColor.GDI32(?,00000000), ref: 0037748B
            • SelectObject.GDI32(?,?), ref: 00377498
            • InflateRect.USER32(?,000000FF,000000FF), ref: 003774B7
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003774CE
            • GetWindowLongW.USER32(00000000,000000F0), ref: 003774DB
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0037752A
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00377554
            • InflateRect.USER32(?,000000FD,000000FD), ref: 00377572
            • DrawFocusRect.USER32(?,?), ref: 0037757D
            • GetSysColor.USER32(00000011), ref: 0037758E
            • SetTextColor.GDI32(?,00000000), ref: 00377596
            • DrawTextW.USER32(?,003770F5,000000FF,?,00000000), ref: 003775A8
            • SelectObject.GDI32(?,?), ref: 003775BF
            • DeleteObject.GDI32(?), ref: 003775CA
            • SelectObject.GDI32(?,?), ref: 003775D0
            • DeleteObject.GDI32(?), ref: 003775D5
            • SetTextColor.GDI32(?,?), ref: 003775DB
            • SetBkColor.GDI32(?,?), ref: 003775E5
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 388fed5c6847b2a8d7fd7882e7fcf26b3e850c6c3d67e7a7e10f5e62da5a5a44
            • Instruction ID: 544b5e8e95f8bc3dae932215a454b6e2e919f015704657fb684d3350d3270666
            • Opcode Fuzzy Hash: 388fed5c6847b2a8d7fd7882e7fcf26b3e850c6c3d67e7a7e10f5e62da5a5a44
            • Instruction Fuzzy Hash: EA617472900218AFDF229FA4DC49EEE7F79EF09320F119125F919A72A1D7759980CF90
            APIs
            • GetCursorPos.USER32(?), ref: 00371128
            • GetDesktopWindow.USER32 ref: 0037113D
            • GetWindowRect.USER32(00000000), ref: 00371144
            • GetWindowLongW.USER32(?,000000F0), ref: 00371199
            • DestroyWindow.USER32(?), ref: 003711B9
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003711ED
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0037120B
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0037121D
            • SendMessageW.USER32(00000000,00000421,?,?), ref: 00371232
            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00371245
            • IsWindowVisible.USER32(00000000), ref: 003712A1
            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003712BC
            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003712D0
            • GetWindowRect.USER32(00000000,?), ref: 003712E8
            • MonitorFromPoint.USER32(?,?,00000002), ref: 0037130E
            • GetMonitorInfoW.USER32(00000000,?), ref: 00371328
            • CopyRect.USER32(?,?), ref: 0037133F
            • SendMessageW.USER32(00000000,00000412,00000000), ref: 003713AA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: bc9ec2dd076682251439e0e4c4dbcbdd854b43a6674a402a216e9f14d343b1d7
            • Instruction ID: 1789814d8c8bb83f14ef97f6232a42af3b94df72e7aeffd50a02fbd683446c6f
            • Opcode Fuzzy Hash: bc9ec2dd076682251439e0e4c4dbcbdd854b43a6674a402a216e9f14d343b1d7
            • Instruction Fuzzy Hash: D5B18972614341AFD721DF69C884B6ABBE8FF84310F40891DF9999B2A1CB75E844CF91
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 003702E5
            • _wcslen.LIBCMT ref: 0037031F
            • _wcslen.LIBCMT ref: 00370389
            • _wcslen.LIBCMT ref: 003703F1
            • _wcslen.LIBCMT ref: 00370475
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003704C5
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00370504
              • Part of subcall function 002FF9F2: _wcslen.LIBCMT ref: 002FF9FD
              • Part of subcall function 0034223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00342258
              • Part of subcall function 0034223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0034228A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$MessageSend$BuffCharUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 1103490817-719923060
            • Opcode ID: 9db1741ee577a8478c4bea418b0af2ef890af4dfe154799136208eec8a396f1e
            • Instruction ID: da45aa01346bae3d9d9e099d9ecae65f1f3681ffc1208f47428b0a0d6bdb4a11
            • Opcode Fuzzy Hash: 9db1741ee577a8478c4bea418b0af2ef890af4dfe154799136208eec8a396f1e
            • Instruction Fuzzy Hash: 91E1D031218240DFC72ADF25C99082AB3E5FF89314F55896CF89AAB6A1DB34ED45CB41
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002F8968
            • GetSystemMetrics.USER32(00000007), ref: 002F8970
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002F899B
            • GetSystemMetrics.USER32(00000008), ref: 002F89A3
            • GetSystemMetrics.USER32(00000004), ref: 002F89C8
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002F89E5
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002F89F5
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002F8A28
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002F8A3C
            • GetClientRect.USER32(00000000,000000FF), ref: 002F8A5A
            • GetStockObject.GDI32(00000011), ref: 002F8A76
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 002F8A81
              • Part of subcall function 002F912D: GetCursorPos.USER32(?), ref: 002F9141
              • Part of subcall function 002F912D: ScreenToClient.USER32(00000000,?), ref: 002F915E
              • Part of subcall function 002F912D: GetAsyncKeyState.USER32(00000001), ref: 002F9183
              • Part of subcall function 002F912D: GetAsyncKeyState.USER32(00000002), ref: 002F919D
            • SetTimer.USER32(00000000,00000000,00000028,002F90FC), ref: 002F8AA8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: b6887f94bf6a3d84b5fd47cade093463b694ba5d811fcd4efd9f5078402f86af
            • Instruction ID: 52b5c465ff5c877ef25b3e0df804ac7d2e4d676ba9e6a02420121b17321c71bf
            • Opcode Fuzzy Hash: b6887f94bf6a3d84b5fd47cade093463b694ba5d811fcd4efd9f5078402f86af
            • Instruction Fuzzy Hash: EAB19031A10209AFDB15DF68CC96BAE7BB5FB48354F104229FA15E7290DB70E950CF50
            APIs
              • Part of subcall function 003410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00341114
              • Part of subcall function 003410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341120
              • Part of subcall function 003410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 0034112F
              • Part of subcall function 003410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341136
              • Part of subcall function 003410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0034114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00340DF5
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00340E29
            • GetLengthSid.ADVAPI32(?), ref: 00340E40
            • GetAce.ADVAPI32(?,00000000,?), ref: 00340E7A
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00340E96
            • GetLengthSid.ADVAPI32(?), ref: 00340EAD
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00340EB5
            • HeapAlloc.KERNEL32(00000000), ref: 00340EBC
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00340EDD
            • CopySid.ADVAPI32(00000000), ref: 00340EE4
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00340F13
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00340F35
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00340F47
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340F6E
            • HeapFree.KERNEL32(00000000), ref: 00340F75
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340F7E
            • HeapFree.KERNEL32(00000000), ref: 00340F85
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00340F8E
            • HeapFree.KERNEL32(00000000), ref: 00340F95
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00340FA1
            • HeapFree.KERNEL32(00000000), ref: 00340FA8
              • Part of subcall function 00341193: GetProcessHeap.KERNEL32(00000008,00340BB1,?,00000000,?,00340BB1,?), ref: 003411A1
              • Part of subcall function 00341193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00340BB1,?), ref: 003411A8
              • Part of subcall function 00341193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00340BB1,?), ref: 003411B7
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: 1f787d59d0407c8c22de7fa56e1bf8b0aa2db8660b65260823193a998798ed1f
            • Instruction ID: f20263281ef62ba3390fa4fcc23431700419a4c5c529feda17d746d954532897
            • Opcode Fuzzy Hash: 1f787d59d0407c8c22de7fa56e1bf8b0aa2db8660b65260823193a998798ed1f
            • Instruction Fuzzy Hash: 56715071A0020AABDF269FA4DC44FAEBBBCFF05310F054129FA19AA151D775A945CB60
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036C4BD
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0037CC08,00000000,?,00000000,?,?), ref: 0036C544
            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0036C5A4
            • _wcslen.LIBCMT ref: 0036C5F4
            • _wcslen.LIBCMT ref: 0036C66F
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0036C6B2
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0036C7C1
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0036C84D
            • RegCloseKey.ADVAPI32(?), ref: 0036C881
            • RegCloseKey.ADVAPI32(00000000), ref: 0036C88E
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0036C960
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 9721498-966354055
            • Opcode ID: e20cf39f5b813a90851dfc5436c1d1740aee375dcc3d6eb5f3d8db97c2f38765
            • Instruction ID: 44a908d799395991fe81dfec4d4cd132dae6ef5db8b9efeb2a309b68b7e4d393
            • Opcode Fuzzy Hash: e20cf39f5b813a90851dfc5436c1d1740aee375dcc3d6eb5f3d8db97c2f38765
            • Instruction Fuzzy Hash: EB1279356142009FCB26DF15C881A2AB7E5FF88714F45889DF88A9B3A2DB31ED41CF91
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 003709C6
            • _wcslen.LIBCMT ref: 00370A01
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00370A54
            • _wcslen.LIBCMT ref: 00370A8A
            • _wcslen.LIBCMT ref: 00370B06
            • _wcslen.LIBCMT ref: 00370B81
              • Part of subcall function 002FF9F2: _wcslen.LIBCMT ref: 002FF9FD
              • Part of subcall function 00342BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00342BFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$MessageSend$BuffCharUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 1103490817-4258414348
            • Opcode ID: c430777ff0efc3bfc6ea2acfbe14c1f398e16bc925a052fc89a0fefe3cc11f8f
            • Instruction ID: ef7d4eb263b2197a17eeae8c72bca681ac0f80d854086dd6e89991fab79822a8
            • Opcode Fuzzy Hash: c430777ff0efc3bfc6ea2acfbe14c1f398e16bc925a052fc89a0fefe3cc11f8f
            • Instruction Fuzzy Hash: 90E1A935218341CFC72ADF24C49092AB7E1BF98314F55895CF89AAB7A2D734EE45CB81
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 1256254125-909552448
            • Opcode ID: a394f97f80a153e1c852351ee5436f987d3e9f899eb2b9dd58caa808887f7975
            • Instruction ID: 88cbbfa3493bec0d7687337be27277e4e94243197215d18a4335f97d7e6c0954
            • Opcode Fuzzy Hash: a394f97f80a153e1c852351ee5436f987d3e9f899eb2b9dd58caa808887f7975
            • Instruction Fuzzy Hash: 9371263263016A8BCB22DEBCCD515BF3395AF61754F56A128FCD69B288E631CD41C7A0
            APIs
            • _wcslen.LIBCMT ref: 0037835A
            • _wcslen.LIBCMT ref: 0037836E
            • _wcslen.LIBCMT ref: 00378391
            • _wcslen.LIBCMT ref: 003783B4
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003783F2
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00375BF2), ref: 0037844E
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00378487
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003784CA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00378501
            • FreeLibrary.KERNEL32(?), ref: 0037850D
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0037851D
            • DestroyIcon.USER32(?,?,?,?,?,00375BF2), ref: 0037852C
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00378549
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00378555
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
            • String ID: .dll$.exe$.icl
            • API String ID: 799131459-1154884017
            • Opcode ID: 8125548486208b70348437d2a5e48322d8c394d4629ae465a0f3c868e4706036
            • Instruction ID: dd061970c99d7a3d0d6076e214fa8d367d6d299d234900999403bbfd9f9e2a82
            • Opcode Fuzzy Hash: 8125548486208b70348437d2a5e48322d8c394d4629ae465a0f3c868e4706036
            • Instruction Fuzzy Hash: 32610371580205BEEB26DF65CC85FBE77ACFB04720F108509F919DA0D1DBB89A90CBA0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 0-1645009161
            • Opcode ID: 88102942d3cebd3d5718693e6c8bd27ea8ed013fa1d6ac2f32f96f4bceaf5af8
            • Instruction ID: bb3338de90263c0ba3ca075365d96dd18a52e8c8f0c70618ccfac46426a1fb34
            • Opcode Fuzzy Hash: 88102942d3cebd3d5718693e6c8bd27ea8ed013fa1d6ac2f32f96f4bceaf5af8
            • Instruction Fuzzy Hash: E481F8716A4215BBDF22AF61DC42FBF77A8AF15300F444025F905AB1D2EB70DA61CBA1
            APIs
            • LoadIconW.USER32(00000063), ref: 00345A2E
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00345A40
            • SetWindowTextW.USER32(?,?), ref: 00345A57
            • GetDlgItem.USER32(?,000003EA), ref: 00345A6C
            • SetWindowTextW.USER32(00000000,?), ref: 00345A72
            • GetDlgItem.USER32(?,000003E9), ref: 00345A82
            • SetWindowTextW.USER32(00000000,?), ref: 00345A88
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00345AA9
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00345AC3
            • GetWindowRect.USER32(?,?), ref: 00345ACC
            • _wcslen.LIBCMT ref: 00345B33
            • SetWindowTextW.USER32(?,?), ref: 00345B6F
            • GetDesktopWindow.USER32 ref: 00345B75
            • GetWindowRect.USER32(00000000), ref: 00345B7C
            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00345BD3
            • GetClientRect.USER32(?,?), ref: 00345BE0
            • PostMessageW.USER32(?,00000005,00000000,?), ref: 00345C05
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00345C2F
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
            • String ID:
            • API String ID: 895679908-0
            • Opcode ID: 5a9c3ef589854d653bb5d09a10aab3babe7cea23c8fcc341a613f2c80e57ae52
            • Instruction ID: 2abe063d047738199af7b0e23898faf02d7dc2304fbaa442a6e64229601178e8
            • Opcode Fuzzy Hash: 5a9c3ef589854d653bb5d09a10aab3babe7cea23c8fcc341a613f2c80e57ae52
            • Instruction Fuzzy Hash: E7718C31900B09AFDB22DFA8CE85AAEBBF9FF48704F10451CE546AA5A1D775F940CB50
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[:
            • API String ID: 176396367-640847564
            • Opcode ID: 03eb708a0e4695450c643c045c9d05ba162228381b2ae40498bfc6861f6a48b4
            • Instruction ID: e1ac92fecdb0023fa575eb8fd3712f7f02422474fcf834939ab361aa16d7ed88
            • Opcode Fuzzy Hash: 03eb708a0e4695450c643c045c9d05ba162228381b2ae40498bfc6861f6a48b4
            • Instruction Fuzzy Hash: 7FE1E332A00516ABCB1ADFA8C4516FDBBF4FF45710F558129E456AB280DB30BE958BA0
            APIs
            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003000C6
              • Part of subcall function 003000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(003B070C,00000FA0,AD90CB4C,?,?,?,?,003223B3,000000FF), ref: 0030011C
              • Part of subcall function 003000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003223B3,000000FF), ref: 00300127
              • Part of subcall function 003000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003223B3,000000FF), ref: 00300138
              • Part of subcall function 003000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0030014E
              • Part of subcall function 003000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0030015C
              • Part of subcall function 003000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0030016A
              • Part of subcall function 003000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00300195
              • Part of subcall function 003000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003001A0
            • ___scrt_fastfail.LIBCMT ref: 003000E7
              • Part of subcall function 003000A3: __onexit.LIBCMT ref: 003000A9
            Strings
            • SleepConditionVariableCS, xrefs: 00300154
            • kernel32.dll, xrefs: 00300133
            • InitializeConditionVariable, xrefs: 00300148
            • WakeAllConditionVariable, xrefs: 00300162
            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00300122
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
            • API String ID: 66158676-1714406822
            • Opcode ID: 42154a223dac3135d84eb3a6d6e5a4b91cb35649c4f6f6ef18198fa0b859ceca
            • Instruction ID: 6a25d21fb586114d9a0eec4775880916dbdcee9d5731f44173770a6951b16d74
            • Opcode Fuzzy Hash: 42154a223dac3135d84eb3a6d6e5a4b91cb35649c4f6f6ef18198fa0b859ceca
            • Instruction Fuzzy Hash: 4F212636A567106FE73F5B74AC1ABAA7398EB05B90F01413EF909A66D1DF7498008A90
            APIs
            • CharLowerBuffW.USER32(00000000,00000000,0037CC08), ref: 00354527
            • _wcslen.LIBCMT ref: 0035453B
            • _wcslen.LIBCMT ref: 00354599
            • _wcslen.LIBCMT ref: 003545F4
            • _wcslen.LIBCMT ref: 0035463F
            • _wcslen.LIBCMT ref: 003546A7
              • Part of subcall function 002FF9F2: _wcslen.LIBCMT ref: 002FF9FD
            • GetDriveTypeW.KERNEL32(?,003A6BF0,00000061), ref: 00354743
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$BuffCharDriveLowerType
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2055661098-1000479233
            • Opcode ID: 7e0199c498102ad8df97593464d0c544881112fa5f6d66be84e4e5e3c2549065
            • Instruction ID: 8203ce80d4b1dd9ce4def2a078e2f1baa77c81961cc46626cfb76433c998283b
            • Opcode Fuzzy Hash: 7e0199c498102ad8df97593464d0c544881112fa5f6d66be84e4e5e3c2549065
            • Instruction Fuzzy Hash: D6B127315083029FC719DF28C890E6AB7E4EFA6759F51491DF896C72A1E730D988CB52
            APIs
              • Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2
            • DragQueryPoint.SHELL32(?,?), ref: 00379147
              • Part of subcall function 00377674: ClientToScreen.USER32(?,?), ref: 0037769A
              • Part of subcall function 00377674: GetWindowRect.USER32(?,?), ref: 00377710
              • Part of subcall function 00377674: PtInRect.USER32(?,?,00378B89), ref: 00377720
            • SendMessageW.USER32(?,000000B0,?,?), ref: 003791B0
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003791BB
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003791DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00379225
            • SendMessageW.USER32(?,000000B0,?,?), ref: 0037923E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00379255
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00379277
            • DragFinish.SHELL32(?), ref: 0037927E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00379371
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#;
            • API String ID: 221274066-3242378617
            • Opcode ID: 41a4bf916d6778091e937363b2106f4b1735871ca8d958642e690802d3504ab7
            • Instruction ID: 7eaaca7736d032d501e60c93a94b89a69d58a0d096530fed5a088ae464206ee3
            • Opcode Fuzzy Hash: 41a4bf916d6778091e937363b2106f4b1735871ca8d958642e690802d3504ab7
            • Instruction Fuzzy Hash: 2F619C71108340AFC712EF65CC85EAFBBE8FF89750F400A1EF595921A1DB309A99CB52
            APIs
            • _wcslen.LIBCMT ref: 0036B198
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0036B1B0
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0036B1D4
            • _wcslen.LIBCMT ref: 0036B200
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0036B214
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0036B236
            • _wcslen.LIBCMT ref: 0036B332
              • Part of subcall function 003505A7: GetStdHandle.KERNEL32(000000F6), ref: 003505C6
            • _wcslen.LIBCMT ref: 0036B34B
            • _wcslen.LIBCMT ref: 0036B366
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0036B3B6
            • GetLastError.KERNEL32(00000000), ref: 0036B407
            • CloseHandle.KERNEL32(?), ref: 0036B439
            • CloseHandle.KERNEL32(00000000), ref: 0036B44A
            • CloseHandle.KERNEL32(00000000), ref: 0036B45C
            • CloseHandle.KERNEL32(00000000), ref: 0036B46E
            • CloseHandle.KERNEL32(?), ref: 0036B4E3
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
            • String ID:
            • API String ID: 2178637699-0
            • Opcode ID: d7927ff1a5e0d2bb0bae81aee65b63ab71177d16794954d27cb17be356505f98
            • Instruction ID: eaed841b5ecd9954fe769a96a7d2889bf683effa390d9659e9d4a671ec3037f7
            • Opcode Fuzzy Hash: d7927ff1a5e0d2bb0bae81aee65b63ab71177d16794954d27cb17be356505f98
            • Instruction Fuzzy Hash: D9F1BE316043409FC726EF25C891B2EBBE5AF85314F15885DF9998B2A6DB31EC84CF52
            APIs
            • GetMenuItemCount.USER32(003B1990), ref: 00322F8D
            • GetMenuItemCount.USER32(003B1990), ref: 0032303D
            • GetCursorPos.USER32(?), ref: 00323081
            • SetForegroundWindow.USER32(00000000), ref: 0032308A
            • TrackPopupMenuEx.USER32(003B1990,00000000,?,00000000,00000000,00000000), ref: 0032309D
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003230A9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
            • String ID: 0
            • API String ID: 36266755-4108050209
            • Opcode ID: b53dc9c07da0496859464ce90d2e4c4a85783393010183b24de9d63e62b510f0
            • Instruction ID: 8917715fbc3123dd1cdb86070ab8e1e8587f970523c5930e0e78601645bbe7f9
            • Opcode Fuzzy Hash: b53dc9c07da0496859464ce90d2e4c4a85783393010183b24de9d63e62b510f0
            • Instruction Fuzzy Hash: 10712B70644255BEEB328F25DD89F9ABF78FF05324F204216FA196A1E0C7B1AD50DB50
            APIs
            • DestroyWindow.USER32(?,?), ref: 00376DEB
              • Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00376E5F
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00376E81
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00376E94
            • DestroyWindow.USER32(?), ref: 00376EB5
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002E0000,00000000), ref: 00376EE4
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00376EFD
            • GetDesktopWindow.USER32 ref: 00376F16
            • GetWindowRect.USER32(00000000), ref: 00376F1D
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00376F35
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00376F4D
              • Part of subcall function 002F9944: GetWindowLongW.USER32(?,000000EB), ref: 002F9952
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
            • String ID: 0$tooltips_class32
            • API String ID: 2429346358-3619404913
            • Opcode ID: 78e4d5c2a4cc42f55735f8ed499f9668ed57977aec4f967d5cc90f80e7336471
            • Instruction ID: 12bf4193ea20dd9773715480de94d6f64727fefc85b4bda1eab5ac0eb5c31c80
            • Opcode Fuzzy Hash: 78e4d5c2a4cc42f55735f8ed499f9668ed57977aec4f967d5cc90f80e7336471
            • Instruction Fuzzy Hash: 2071A870100280AFDB22DF28DCA9FBABBF9FB89304F54451DF98987261C774A949CB11
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0035C4B0
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0035C4C3
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0035C4D7
            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0035C4F0
            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0035C533
            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0035C549
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0035C554
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0035C584
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0035C5DC
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0035C5F0
            • InternetCloseHandle.WININET(00000000), ref: 0035C5FB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
            • String ID:
            • API String ID: 3800310941-3916222277
            • Opcode ID: 9e6b0ce0862a1a98668de0e928c1047f9f147634e4ec0f633f2895cfefbef536
            • Instruction ID: 8f1446e8997928da7428093ab3bf3565c7c9b7608b6156cdfffdbb0e3b55bc11
            • Opcode Fuzzy Hash: 9e6b0ce0862a1a98668de0e928c1047f9f147634e4ec0f633f2895cfefbef536
            • Instruction Fuzzy Hash: 37515FB0510304BFDB228FA5C988EAB7BBCFF09749F01541DF94596560EB34EA48DB60
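The records on this page follow one fixed shape: an "APIs" list with one bullet per imported call, giving the API name, its module and the address of the call site after "ref:", indented bullets for calls that are only reached through a listed subcall, and a "Similarity" block carrying the record's API ID, String ID, API String ID and Opcode ID. The parser below is an added example, not code from Joe Sandbox or from this report. It reads that format, turns each record into structured data and tags the record with coarse capability buckets (network, process, registry, file, dynamic_api, gui) derived from the module and API-name prefix. The bucket rules are this example's own assumption; the embedded sample is an excerpt copied from the CreateProcessW and WinINet records above, with several call lines dropped for brevity.

```python
# Added example, not Joe Sandbox tooling: parse the "APIs" / "Similarity"
# records of the report into data and tag each record with coarse capabilities.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt copied from two records above (several call lines dropped for brevity;
# bullets, headings and "ref:" suffixes are verbatim).
SAMPLE = """\
APIs
• _wcslen.LIBCMT ref: 0036B198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0036B1B0
  • Part of subcall function 003505A7: GetStdHandle.KERNEL32(000000F6), ref: 003505C6
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0036B3B6
• CloseHandle.KERNEL32(?), ref: 0036B439
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• API String ID: 2178637699-0
• Opcode ID: d7927ff1a5e0d2bb0bae81aee65b63ab71177d16794954d27cb17be356505f98
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0035C4B0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0035C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0035C549
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0035C584
• InternetCloseHandle.WININET(00000000), ref: 0035C5FB
Strings
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• API String ID: 3800310941-3916222277
• Opcode ID: 9e6b0ce0862a1a98668de0e928c1047f9f147634e4ec0f633f2895cfefbef536
"""

# One call per bullet, optionally nested under "Part of subcall function <addr>:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
META_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID):\s*(?P<val>.*?)\s*$")
HEADINGS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Assumed (module, API-name prefix) buckets; an empty prefix matches the whole module.
CAPABILITIES = {
    "network": [("WININET", ""), ("WS2_32", "")],
    "process": [("KERNEL32", "CreateProcess"), ("SHELL32", "ShellExecute")],
    "registry": [("ADVAPI32", "Reg")],
    "file": [("KERNEL32", "CreateFile"), ("KERNEL32", "ReadFile"), ("KERNEL32", "WriteFile")],
    "dynamic_api": [("KERNEL32", "LoadLibrary"), ("KERNEL32", "GetProcAddress")],
    "gui": [("USER32", ""), ("GDI32", "")],
}


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # parent function address when nested


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

    def capabilities(self) -> List[str]:
        """Tags from the record's own imports; listed subcalls are not counted."""
        tags = set()
        for c in self.calls:
            if c.subcall_of is None:
                for tag, rules in CAPABILITIES.items():
                    if any(c.module == mod and c.name.startswith(pfx) for mod, pfx in rules):
                        tags.add(tag)
        return sorted(tags)


def parse_report(text: str) -> List[Record]:
    """A record starts at a line reading 'APIs'; call bullets follow it, ID bullets follow 'Similarity'."""
    records, current, in_calls = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = Record()
            records.append(current)
            in_calls = True
        elif stripped in HEADINGS:
            in_calls = False
        elif current is not None and in_calls and (m := CALL_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(Call(m["name"], m["module"], args, m["ref"].upper(), m["parent"]))
        elif current is not None and not in_calls and (m := META_RE.match(line)):
            current.meta[m["key"]] = m["val"]
    return records


def triage(text: str) -> Dict[str, List[str]]:
    """Opcode ID (first 12 hex digits) -> capability tags, for a quick read of a long report."""
    return {r.meta.get("Opcode ID", "")[:12]: r.capabilities() for r in parse_report(text)}
```

Running `triage(SAMPLE)` on the excerpt gives `{"d7927ff1a5e0": ["process"], "9e6b0ce0862a": ["network"]}`; over a full exported report the same call separates the many runtime-library records (string handling, GUI plumbing, CRT teardown) from the ones carrying process-creation, registry and network primitives, which are the ones worth tracing by their "ref:" addresses. A tag only says which imports a function contains, not that the sample exercised them during the run; the report's dynamic behaviour sections are where that is confirmed.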
            APIs
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00378592
            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785A2
            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785AD
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785BA
            • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785C8
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785D7
            • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785E0
            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785E7
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003785F8
            • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0037FC38,?), ref: 00378611
            • GlobalFree.KERNEL32(00000000), ref: 00378621
            • GetObjectW.GDI32(?,00000018,?), ref: 00378641
            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00378671
            • DeleteObject.GDI32(?), ref: 00378699
            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003786AF
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
            • String ID:
            • API String ID: 3840717409-0
            • Opcode ID: f5adbcec2ccbed5591a32da30c5edb2d3403b433ec1d27042e84c97cc9e1097a
            • Instruction ID: ad8fc7170268acb66c4aaba91f3e5adfc3294b0940d6084317e19b5e95d8f7d5
            • Opcode Fuzzy Hash: f5adbcec2ccbed5591a32da30c5edb2d3403b433ec1d27042e84c97cc9e1097a
            • Instruction Fuzzy Hash: 39411975640209BFDB229FA5CC8CEAA7BBCFF89711F148458F909E7260DB349941DB60
            APIs
            • VariantInit.OLEAUT32(00000000), ref: 00351502
            • VariantCopy.OLEAUT32(?,?), ref: 0035150B
            • VariantClear.OLEAUT32(?), ref: 00351517
            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003515FB
            • VarR8FromDec.OLEAUT32(?,?), ref: 00351657
            • VariantInit.OLEAUT32(?), ref: 00351708
            • SysFreeString.OLEAUT32(?), ref: 0035178C
            • VariantClear.OLEAUT32(?), ref: 003517D8
            • VariantClear.OLEAUT32(?), ref: 003517E7
            • VariantInit.OLEAUT32(00000000), ref: 00351823
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
            • String ID: %4d%02d%02d%02d%02d%02d$Default
            • API String ID: 1234038744-3931177956
            • Opcode ID: 6d0ff4b7fa55c18fbddf49fd2c4614efe1a6cd92cb7a9bbfb2027c88b2bb7a7f
            • Instruction ID: c94a39d894a373584991701fb50f530c12dc7a193e0a686d80d4a639bc925da8
            • Opcode Fuzzy Hash: 6d0ff4b7fa55c18fbddf49fd2c4614efe1a6cd92cb7a9bbfb2027c88b2bb7a7f
            • Instruction Fuzzy Hash: 1CD13472A00105DBCB12AF65D885F7DB7B8BF46701F10886AFC06AB5A0EB34DC59DB61
            APIs
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
              • Part of subcall function 0036C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0036B6AE,?,?), ref: 0036C9B5
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036C9F1
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA68
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036B6F4
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0036B772
            • RegDeleteValueW.ADVAPI32(?,?), ref: 0036B80A
            • RegCloseKey.ADVAPI32(?), ref: 0036B87E
            • RegCloseKey.ADVAPI32(?), ref: 0036B89C
            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0036B8F2
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0036B904
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0036B922
            • FreeLibrary.KERNEL32(00000000), ref: 0036B983
            • RegCloseKey.ADVAPI32(00000000), ref: 0036B994
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 146587525-4033151799
            • Opcode ID: f674889662c05a8695d1157b501f9c6c9ca0a632d6e706b99ff266806940702a
            • Instruction ID: 99ceb515c5f7d756fa3ca9eadf9830ce672f5764fca5e4a87bb15322f6b9dfa9
            • Opcode Fuzzy Hash: f674889662c05a8695d1157b501f9c6c9ca0a632d6e706b99ff266806940702a
            • Instruction Fuzzy Hash: F5C17B30218241AFD725DF15C495F2ABBE5BF84308F55C49CE59A8B6A2CB31EC86CF91
            APIs
            • GetDC.USER32(00000000), ref: 003625D8
            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003625E8
            • CreateCompatibleDC.GDI32(?), ref: 003625F4
            • SelectObject.GDI32(00000000,?), ref: 00362601
            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0036266D
            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003626AC
            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003626D0
            • SelectObject.GDI32(?,?), ref: 003626D8
            • DeleteObject.GDI32(?), ref: 003626E1
            • DeleteDC.GDI32(?), ref: 003626E8
            • ReleaseDC.USER32(00000000,?), ref: 003626F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: 773f707f40253a5f03b209aa35ab7e232eca9e4858eecabaf60bf68b261d6353
            • Instruction ID: bc6a732c38f9c11174b71c6ae18cceba9754d4daaad49288df58cb7052ef5c04
            • Opcode Fuzzy Hash: 773f707f40253a5f03b209aa35ab7e232eca9e4858eecabaf60bf68b261d6353
            • Instruction Fuzzy Hash: 4B61E3B5D10219EFCF15CFA4D884EAEBBB9FF48310F208529E959A7250D770A951CFA0
            APIs
            • ___free_lconv_mon.LIBCMT ref: 0031DAA1
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D659
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D66B
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D67D
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D68F
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6A1
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6B3
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6C5
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6D7
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6E9
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D6FB
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D70D
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D71F
              • Part of subcall function 0031D63C: _free.LIBCMT ref: 0031D731
            • _free.LIBCMT ref: 0031DA96
              • Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
              • Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0
            • _free.LIBCMT ref: 0031DAB8
            • _free.LIBCMT ref: 0031DACD
            • _free.LIBCMT ref: 0031DAD8
            • _free.LIBCMT ref: 0031DAFA
            • _free.LIBCMT ref: 0031DB0D
            • _free.LIBCMT ref: 0031DB1B
            • _free.LIBCMT ref: 0031DB26
            • _free.LIBCMT ref: 0031DB5E
            • _free.LIBCMT ref: 0031DB65
            • _free.LIBCMT ref: 0031DB82
            • _free.LIBCMT ref: 0031DB9A
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
            • String ID:
            • API String ID: 161543041-0
            • Opcode ID: a428218b89eec92f462104db61a213d922ba771a0d8aca7e5ea35ae768ea3674
            • Instruction ID: 2c7955dde759002af074e260ad6234a5ef2b0a04e56e065f51216858bfc21b08
            • Opcode Fuzzy Hash: a428218b89eec92f462104db61a213d922ba771a0d8aca7e5ea35ae768ea3674
            • Instruction Fuzzy Hash: 11313D326047059FEB2BAA39E845BD777E9FF0A320F168419E449DB191DF35ACE08720
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 0034369C
            • _wcslen.LIBCMT ref: 003436A7
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00343797
            • GetClassNameW.USER32(?,?,00000400), ref: 0034380C
            • GetDlgCtrlID.USER32(?), ref: 0034385D
            • GetWindowRect.USER32(?,?), ref: 00343882
            • GetParent.USER32(?), ref: 003438A0
            • ScreenToClient.USER32(00000000), ref: 003438A7
            • GetClassNameW.USER32(?,?,00000100), ref: 00343921
            • GetWindowTextW.USER32(?,?,00000400), ref: 0034395D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
            • String ID: %s%u
            • API String ID: 4010501982-679674701
            • Opcode ID: 03f3de456d5442d06fb814350f1d0eef69418e721f324d2bead45da94b2f809e
            • Instruction ID: b230b2ea5e18d28d32a5559f051f9ebe354fd5b0937265453da758a3ceb469e3
            • Opcode Fuzzy Hash: 03f3de456d5442d06fb814350f1d0eef69418e721f324d2bead45da94b2f809e
            • Instruction Fuzzy Hash: D091AF71204606AFD71ADF24C885BAAF7E8FF44350F108629F999DB190DB30FA59CB91
            APIs
            • GetClassNameW.USER32(?,?,00000400), ref: 00344994
            • GetWindowTextW.USER32(?,?,00000400), ref: 003449DA
            • _wcslen.LIBCMT ref: 003449EB
            • CharUpperBuffW.USER32(?,00000000), ref: 003449F7
            • _wcsstr.LIBVCRUNTIME ref: 00344A2C
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00344A64
            • GetWindowTextW.USER32(?,?,00000400), ref: 00344A9D
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00344AE6
            • GetClassNameW.USER32(?,?,00000400), ref: 00344B20
            • GetWindowRect.USER32(?,?), ref: 00344B8B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
            • String ID: ThumbnailClass
            • API String ID: 1311036022-1241985126
            • Opcode ID: cef1388160b8f0e1c1eccbd7cab66bf62dff3da7eed372e5a8a6f61359363c17
            • Instruction ID: 2a5f88751de956a9c29b0f611bcda197d05ab027f03ed3ae27a9ba6de3c0a065
            • Opcode Fuzzy Hash: cef1388160b8f0e1c1eccbd7cab66bf62dff3da7eed372e5a8a6f61359363c17
            • Instruction Fuzzy Hash: 2E91AB71008205AFDB16DF14C985BAA77E8FF84314F08847AFD899E196EB30ED45CBA1
            APIs
              • Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00378D5A
            • GetFocus.USER32 ref: 00378D6A
            • GetDlgCtrlID.USER32(00000000), ref: 00378D75
            • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00378E1D
            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00378ECF
            • GetMenuItemCount.USER32(?), ref: 00378EEC
            • GetMenuItemID.USER32(?,00000000), ref: 00378EFC
            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00378F2E
            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00378F70
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00378FA1
            Strings
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
            • String ID: 0
            • API String ID: 1026556194-4108050209
            • Opcode ID: 4a70c83b9a00eb7d5a12b93d90751041c253b4686efb26aaafb27c39dd15ca0b
            • Instruction ID: b75fa41eeb54bc0b85dc9b8beed1927e94df1d9de92d5c31adef80cb362ce26b
            • Opcode Fuzzy Hash: 4a70c83b9a00eb7d5a12b93d90751041c253b4686efb26aaafb27c39dd15ca0b
            • Instruction Fuzzy Hash: 1881CE715483019FD732CF24D888AABBBE9FB89354F15891DF98C97291DB34D940CBA2
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0036CC64
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0036CC8D
            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0036CD48
              • Part of subcall function 0036CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0036CCAA
              • Part of subcall function 0036CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0036CCBD
              • Part of subcall function 0036CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0036CCCF
              • Part of subcall function 0036CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0036CD05
              • Part of subcall function 0036CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0036CD28
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 0036CCF3
            Strings
            Similarity
            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2734957052-4033151799
            • Opcode ID: 78db4b1c7979c58bf2311547560883653b9652055cb82a726c5286854eaa4c7a
            • Instruction ID: 60e69c44c8e202979d30e4630e24dc74d643b1636f6cdcc9aeba05533866a9bc
            • Opcode Fuzzy Hash: 78db4b1c7979c58bf2311547560883653b9652055cb82a726c5286854eaa4c7a
            • Instruction Fuzzy Hash: 48318071911128BBD7329B50DC88EFFBB7CEF05740F015169E94AE2144D7349A85DAF0
            APIs
            • timeGetTime.WINMM ref: 0034E6B4
              • Part of subcall function 002FE551: timeGetTime.WINMM(?,?,0034E6D4), ref: 002FE555
            • Sleep.KERNEL32(0000000A), ref: 0034E6E1
            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0034E705
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0034E727
            • SetActiveWindow.USER32 ref: 0034E746
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0034E754
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 0034E773
            • Sleep.KERNEL32(000000FA), ref: 0034E77E
            • IsWindow.USER32 ref: 0034E78A
            • EndDialog.USER32(00000000), ref: 0034E79B
            Strings
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: 5b9318b071a6079a5a2faf59e7a6bf64bf2006438c1046dc2a69a2122f3ae77a
            • Instruction ID: 816cab8fa0c53676797d893311b85a77c23dc1ce0a218a1858276ce14bb010a8
            • Opcode Fuzzy Hash: 5b9318b071a6079a5a2faf59e7a6bf64bf2006438c1046dc2a69a2122f3ae77a
            • Instruction Fuzzy Hash: AD218470710204AFEB135F60ECCAB267BADF75539DF152629F6498A1B1DBB2BC408B14
            APIs
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0034EA5D
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0034EA73
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0034EA84
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0034EA96
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0034EAA7
            Strings
            Similarity
            • API ID: SendString$_wcslen
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2420728520-1007645807
            • Opcode ID: 2157a0565d342246364307ae530ea09d0bc05ccc34f61cbcb2d1c0ec76ac242e
            • Instruction ID: 85cdcc1d2221326de91b7a780b0ce963121de021738105fec294847ee1bfa1d6
            • Opcode Fuzzy Hash: 2157a0565d342246364307ae530ea09d0bc05ccc34f61cbcb2d1c0ec76ac242e
            • Instruction Fuzzy Hash: 03117331AA029979D721E7A2DC4ADFF6BBCFBD2B00F450429B811A60D1EF705D55C9B0
            APIs
              • Part of subcall function 002F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002F8BE8,?,00000000,?,?,?,?,002F8BBA,00000000,?), ref: 002F8FC5
            • DestroyWindow.USER32(?), ref: 002F8C81
            • KillTimer.USER32(00000000,?,?,?,?,002F8BBA,00000000,?), ref: 002F8D1B
            • DestroyAcceleratorTable.USER32(00000000), ref: 00336973
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,002F8BBA,00000000,?), ref: 003369A1
            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,002F8BBA,00000000,?), ref: 003369B8
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,002F8BBA,00000000), ref: 003369D4
            • DeleteObject.GDI32(00000000), ref: 003369E6
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: 46d67374a7e5d7da085e1ed7e77fc6b1e16e7b53052be6d7d25cde9ffbaf0513
            • Instruction ID: db424a24332b05bfb68498aa0764afe16b1936e60ce6052cf67bc8a7f1e9eefc
            • Opcode Fuzzy Hash: 46d67374a7e5d7da085e1ed7e77fc6b1e16e7b53052be6d7d25cde9ffbaf0513
            • Instruction Fuzzy Hash: 9061AE31121608EFDB3A8F14C999B35F7F5FB40356F54862DE2469A560CB71A9A0CF90
            APIs
              • Part of subcall function 002F9944: GetWindowLongW.USER32(?,000000EB), ref: 002F9952
            • GetSysColor.USER32(0000000F), ref: 002F9862
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: 588417b7c3256a80e4c036d31cf061006ce46a55bc161f8df8a71a2b2c752ef3
            • Instruction ID: d2310d954357b114e8fc2352fc17e7dd05d95144b4181fa7616766fb0ffcedd9
            • Opcode Fuzzy Hash: 588417b7c3256a80e4c036d31cf061006ce46a55bc161f8df8a71a2b2c752ef3
            • Instruction Fuzzy Hash: 2941F631120648AFDB325F389C88BB97B69EB473B0F154629FAA6871E1C7719CD1DB10
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0032F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00349717
            • LoadStringW.USER32(00000000,?,0032F7F8,00000001), ref: 00349720
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0032F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00349742
            • LoadStringW.USER32(00000000,?,0032F7F8,00000001), ref: 00349745
            • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00349866
            Strings
            Similarity
            • API ID: HandleLoadModuleString$Message_wcslen
            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
            • API String ID: 747408836-2268648507
            • Opcode ID: d412565847456145230682238858dc4c83bb0acbd1076b7ea3bd2b85916198b2
            • Instruction ID: 4ebe8768257239830f5e252ed681cd7447de8df2b0af11f388243cf6b4088813
            • Opcode Fuzzy Hash: d412565847456145230682238858dc4c83bb0acbd1076b7ea3bd2b85916198b2
            • Instruction Fuzzy Hash: 43417F72850149AACB15EBE1CD46EEE7778EF15340FA00066F60576092EB356F98CF60
            APIs
              • Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A
            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003407A2
            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003407BE
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003407DA
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00340804
            • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0034082C
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00340837
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0034083C
            Strings
            Similarity
            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
            • API String ID: 323675364-22481851
            • Opcode ID: 87d2001e91e6dfe84b8063e7d6e18cae0fdab2e0adfd09cb604eea4f08beacaa
            • Instruction ID: 313f05975c18ad3808817eb74d6765d91bf7b2a0a214f6bcf9123c85b1c8c1f6
            • Opcode Fuzzy Hash: 87d2001e91e6dfe84b8063e7d6e18cae0fdab2e0adfd09cb604eea4f08beacaa
            • Instruction Fuzzy Hash: E6414C71D20128ABCF26EBA4DC85CEDB7B8FF44350F454129E905A7161EB30AE54CFA0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00363C5C
            • CoInitialize.OLE32(00000000), ref: 00363C8A
            • CoUninitialize.OLE32 ref: 00363C94
            • _wcslen.LIBCMT ref: 00363D2D
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00363DB1
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00363ED5
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00363F0E
            • CoGetObject.OLE32(?,00000000,0037FB98,?), ref: 00363F2D
            • SetErrorMode.KERNEL32(00000000), ref: 00363F40
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00363FC4
            • VariantClear.OLEAUT32(?), ref: 00363FD8
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
            • String ID:
            • API String ID: 429561992-0
            • Opcode ID: 07df02f700026b69b8426dae7b21f576683a6be0ca17bf2fa94f573d95922a49
            • Instruction ID: b88408d52300ac1c75637a7ffdcdb0d054d3bec99448b47972f50cdd639aaffe
            • Opcode Fuzzy Hash: 07df02f700026b69b8426dae7b21f576683a6be0ca17bf2fa94f573d95922a49
            • Instruction Fuzzy Hash: 4AC16771608305AFC712DF68C88492BBBE9FF89744F10891DF98A9B251D731EE45CB62
            APIs
            • CoInitialize.OLE32(00000000), ref: 00357AF3
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00357B8F
            • SHGetDesktopFolder.SHELL32(?), ref: 00357BA3
            • CoCreateInstance.OLE32(0037FD08,00000000,00000001,003A6E6C,?), ref: 00357BEF
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00357C74
            • CoTaskMemFree.OLE32(?,?), ref: 00357CCC
            • SHBrowseForFolderW.SHELL32(?), ref: 00357D57
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00357D7A
            • CoTaskMemFree.OLE32(00000000), ref: 00357D81
            • CoTaskMemFree.OLE32(00000000), ref: 00357DD6
            • CoUninitialize.OLE32 ref: 00357DDC
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
            • String ID:
            • API String ID: 2762341140-0
            • Opcode ID: c5d71ec8a2428630b112cc56db510cde2f92d02b0d9fa2646ddcc4e6a47375cd
            • Instruction ID: f9f7407219c718444fae34691d69e8ef21779312ab7af9035cbe9edb4ff7cc5b
            • Opcode Fuzzy Hash: c5d71ec8a2428630b112cc56db510cde2f92d02b0d9fa2646ddcc4e6a47375cd
            • Instruction Fuzzy Hash: C8C14A75A10109AFCB15DFA4D884DAEBBF9FF48305B148099E81A9B261D730EE85CF90
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00375504
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00375515
            • CharNextW.USER32(00000158), ref: 00375544
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00375585
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0037559B
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003755AC
            Similarity
            • API ID: MessageSend$CharNext
            • String ID:
            • API String ID: 1350042424-0
            • Opcode ID: 56a27bf449c2411ec6f37fb0ee41fbb919e3850677b3810c361c8abd54e9e6e6
            • Instruction ID: aed7e0a04aba274d3f53466e712743ecc5bc23d63a8fe29a469b23004ddd99e9
            • Opcode Fuzzy Hash: 56a27bf449c2411ec6f37fb0ee41fbb919e3850677b3810c361c8abd54e9e6e6
            • Instruction Fuzzy Hash: 3161B430904608EFDF368F51CC849FE7BB9EB06721F118149F619A7290D7B89A80DB60
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0033FAAF
            • SafeArrayAllocData.OLEAUT32(?), ref: 0033FB08
            • VariantInit.OLEAUT32(?), ref: 0033FB1A
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 0033FB3A
            • VariantCopy.OLEAUT32(?,?), ref: 0033FB8D
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 0033FBA1
            • VariantClear.OLEAUT32(?), ref: 0033FBB6
            • SafeArrayDestroyData.OLEAUT32(?), ref: 0033FBC3
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0033FBCC
            • VariantClear.OLEAUT32(?), ref: 0033FBDE
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0033FBE9
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: 4f391b017525942490146cb650c21762743c0390e07a6f564442901cffe1df58
            • Instruction ID: 840da2565c6b888c5ef388eb914c59ec780cc397643b2e4105e69e1319eee3c6
            • Opcode Fuzzy Hash: 4f391b017525942490146cb650c21762743c0390e07a6f564442901cffe1df58
            • Instruction Fuzzy Hash: 92417075E102199FCF16DFA5D898DAEBBB9FF08344F408069E909A7261CB30A945CF90
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 003605BC
            • inet_addr.WSOCK32(?), ref: 0036061C
            • gethostbyname.WSOCK32(?), ref: 00360628
            • IcmpCreateFile.IPHLPAPI ref: 00360636
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003606C6
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003606E5
            • IcmpCloseHandle.IPHLPAPI(?), ref: 003607B9
            • WSACleanup.WSOCK32 ref: 003607BF
            Strings
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: a8aad981df82de5f898d7f10da9feeab6f68ef3f8ca9d27cbe0dd48b072a72cb
            • Instruction ID: d95c7a0bdf22157298d01a37d43c50127eda6a9912b146eb6db0012c5c509bd2
            • Opcode Fuzzy Hash: a8aad981df82de5f898d7f10da9feeab6f68ef3f8ca9d27cbe0dd48b072a72cb
            • Instruction Fuzzy Hash: F3918C356082419FD326CF15D48AF1ABBE4EF44318F15C5A9E56A8B6A2C730ED81CF91
            APIs
            Strings
            Similarity
            • API ID: _wcslen$BuffCharLower
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 707087890-567219261
            • Opcode ID: 8ce24f884c6a52f3eb53e6da3a0eef01c62c25cde5293647c439a74637d0acb9
            • Instruction ID: ce1010c5e2ef1e034912c4d1099acdd100a8e128c360e98727896b9524921de7
            • Opcode Fuzzy Hash: 8ce24f884c6a52f3eb53e6da3a0eef01c62c25cde5293647c439a74637d0acb9
            • Instruction Fuzzy Hash: BF51D571A001169BCF25DF6CC8508BEB7A5BF69324B618329E926E72C8DB31DD40C790
            APIs
            • CoInitialize.OLE32 ref: 00363774
            • CoUninitialize.OLE32 ref: 0036377F
            • CoCreateInstance.OLE32(?,00000000,00000017,0037FB78,?), ref: 003637D9
            • IIDFromString.OLE32(?,?), ref: 0036384C
            • VariantInit.OLEAUT32(?), ref: 003638E4
            • VariantClear.OLEAUT32(?), ref: 00363936
            Strings
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 636576611-1287834457
            • Opcode ID: fc5e152bc509174688e60f1640b74992f8dfcc85b5550b470f18b282b194f8ff
            • Instruction ID: 1063518ab92e83f7298dd51b2f6be42bdc1b44d2b52e74f6681f33328928bc7e
            • Opcode Fuzzy Hash: fc5e152bc509174688e60f1640b74992f8dfcc85b5550b470f18b282b194f8ff
            • Instruction Fuzzy Hash: 6D61B371608311AFD312DF54D889FAABBE8EF49714F10881DF9859B291D770EE48CB92
            APIs
              • Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2
              • Part of subcall function 002F912D: GetCursorPos.USER32(?), ref: 002F9141
              • Part of subcall function 002F912D: ScreenToClient.USER32(00000000,?), ref: 002F915E
              • Part of subcall function 002F912D: GetAsyncKeyState.USER32(00000001), ref: 002F9183
              • Part of subcall function 002F912D: GetAsyncKeyState.USER32(00000002), ref: 002F919D
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00378B6B
            • ImageList_EndDrag.COMCTL32 ref: 00378B71
            • ReleaseCapture.USER32 ref: 00378B77
            • SetWindowTextW.USER32(?,00000000), ref: 00378C12
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00378C25
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00378CFF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#;
            • API String ID: 1924731296-3448554761
            • Opcode ID: 3fd75aac436078d01c99249254c9f2b1d6b2c1c6eeb08ba798acb6362bf4f3a1
            • Instruction ID: 6f6b07004c1a6c649fdddc8e41749211062e3f6069658c025b6bea61705dc673
            • Opcode Fuzzy Hash: 3fd75aac436078d01c99249254c9f2b1d6b2c1c6eeb08ba798acb6362bf4f3a1
            • Instruction Fuzzy Hash: 9251BF70114344AFD712DF14CC9AFAAB7E8FB88714F40062DF95A972E1CB359954CBA2
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003533CF
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003533F0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-3080491070
            • Opcode ID: 3c3006bbda19f3353193408575f488418c5bfa9db8f6426f26add742c106cdd0
            • Instruction ID: 3d4ae99b58119870a39fb63fcf33a0afcfba76f46c552c3faa73094285e4f14b
            • Opcode Fuzzy Hash: 3c3006bbda19f3353193408575f488418c5bfa9db8f6426f26add742c106cdd0
            • Instruction Fuzzy Hash: ED51E571840249AADF16EBE1CD46EEEB7B8EF14341F644166F50572062EB312FA8CF60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 1256254125-769500911
            • Opcode ID: 6a7fe85242313d9eb10d05743741326ebf9ea6ab052137b365200ee956854568
            • Instruction ID: a4321328c181db9bdeb193520c2a01992970b9a221501bf8664fed2bc7e1bca6
            • Opcode Fuzzy Hash: 6a7fe85242313d9eb10d05743741326ebf9ea6ab052137b365200ee956854568
            • Instruction Fuzzy Hash: DC41F632A010269BCB219F7DC8905BEF7E5EFA1754B274129E921DF284E739ED81C790
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 003553A0
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00355416
            • GetLastError.KERNEL32 ref: 00355420
            • SetErrorMode.KERNEL32(00000000,READY), ref: 003554A7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 12c9a1357e9af777a386d455eee362da1aea4656d0297e62217c646667cb6e41
            • Instruction ID: 3cbcbbee25499e8b59a1fff62a96cdb94615b16f548ad76fa2d1c632e49c9154
            • Opcode Fuzzy Hash: 12c9a1357e9af777a386d455eee362da1aea4656d0297e62217c646667cb6e41
            • Instruction Fuzzy Hash: FB31D875A00504DFD712DF69C495EA97BB8EF05306F598069E805CF2A2D731ED8ACB90
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00373A9D
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00373AA0
            • GetWindowLongW.USER32(?,000000F0), ref: 00373AC7
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00373AEA
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00373B62
            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00373BAC
            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00373BC7
            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00373BE2
            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00373BF6
            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00373C13
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend$LongWindow
            • String ID:
            • API String ID: 312131281-0
            • Opcode ID: 610061f720cbffe814e266635588d1bd18ded99f0111f10165014bdf5bd19e7e
            • Instruction ID: 8c6b522e465eda0eaafa0424895077110533db40aa3d20c0f8f44da7bf3666b4
            • Opcode Fuzzy Hash: 610061f720cbffe814e266635588d1bd18ded99f0111f10165014bdf5bd19e7e
            • Instruction Fuzzy Hash: FC615C75900248AFDB22DFA8CC81EEE77F8EB09704F104199FA19AB291D774AE45DF50
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 0034B151
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B165
            • GetWindowThreadProcessId.USER32(00000000), ref: 0034B16C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B17B
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0034B18D
            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B1A6
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B1B8
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B1FD
            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B212
            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0034A1E1,?,00000001), ref: 0034B21D
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            • Opcode ID: cbbf19c10f7b454246bd9e7afcc1307208e09703d2b1eb20d5b22150d2fa6494
            • Instruction ID: 9fc9c3444e743e9232af5afaff8c89bebeafa45a47034cb7c6936b3906f243ee
            • Opcode Fuzzy Hash: cbbf19c10f7b454246bd9e7afcc1307208e09703d2b1eb20d5b22150d2fa6494
            • Instruction Fuzzy Hash: 8031CC71550218BFDB23AF24DC88BADBBEDBF50315F154509FA06DA190D7B4EA808F60
            APIs
            • _free.LIBCMT ref: 00312C94
              • Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
              • Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0
            • _free.LIBCMT ref: 00312CA0
            • _free.LIBCMT ref: 00312CAB
            • _free.LIBCMT ref: 00312CB6
            • _free.LIBCMT ref: 00312CC1
            • _free.LIBCMT ref: 00312CCC
            • _free.LIBCMT ref: 00312CD7
            • _free.LIBCMT ref: 00312CE2
            • _free.LIBCMT ref: 00312CED
            • _free.LIBCMT ref: 00312CFB
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: abf8cddbdf1c08dd0c6fc3ced910277b505062ddcdf0cfe0213478d07370acd1
            • Instruction ID: 7a9546618e18f4f3c3a3a312906a4b743c128fd43103f030ae2f895dedd8c453
            • Opcode Fuzzy Hash: abf8cddbdf1c08dd0c6fc3ced910277b505062ddcdf0cfe0213478d07370acd1
            • Instruction Fuzzy Hash: 16114676510108AFCB0BEF59D942CDE3BA5FF0A360F5145A5FA485F222D731EAB09B90
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002E1459
            • OleUninitialize.OLE32(?,00000000), ref: 002E14F8
            • UnregisterHotKey.USER32(?), ref: 002E16DD
            • DestroyWindow.USER32(?), ref: 003224B9
            • FreeLibrary.KERNEL32(?), ref: 0032251E
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0032254B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: 761704764f31804e7757af5706f959295f20e93c00ed814c301c17872d8a50fc
            • Instruction ID: fdd57a2ed2c55aeed8981199f48afc19c09931ba18753aba6c60154e026a5877
            • Opcode Fuzzy Hash: 761704764f31804e7757af5706f959295f20e93c00ed814c301c17872d8a50fc
            • Instruction Fuzzy Hash: 98D1F431721262DFCB2AEF16D895A29F7A4BF05700F6141ADE54A6B261CB30ED32CF50
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 002E5C7A
              • Part of subcall function 002E5D0A: GetClientRect.USER32(?,?), ref: 002E5D30
              • Part of subcall function 002E5D0A: GetWindowRect.USER32(?,?), ref: 002E5D71
              • Part of subcall function 002E5D0A: ScreenToClient.USER32(?,?), ref: 002E5D99
            • GetDC.USER32 ref: 003246F5
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00324708
            • SelectObject.GDI32(00000000,00000000), ref: 00324716
            • SelectObject.GDI32(00000000,00000000), ref: 0032472B
            • ReleaseDC.USER32(?,00000000), ref: 00324733
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003247C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: ba48aa45cf608d73bff001dcaca2e0999be87456c614e94d546331d395e44538
            • Instruction ID: 79c8d70f2b177be8eddf8d1f47b887f1d9218246bd01e190a98150c35506500e
            • Opcode Fuzzy Hash: ba48aa45cf608d73bff001dcaca2e0999be87456c614e94d546331d395e44538
            • Instruction Fuzzy Hash: 9D712130510215DFCF238F68D984ABA7BB5FF4A324F28426AED655A1A6C331CC91DF50
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003535E4
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • LoadStringW.USER32(003B2390,?,00000FFF,?), ref: 0035360A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-2391861430
            • Opcode ID: ffd3b7544b81f3b13c2d9ec54ecc8733f836e1a18bb9c8e326f3d1bee99ef1c2
            • Instruction ID: 1dd5871dbc01b374c343bf608f0e6a2aa754332b4258ae7612152bd776b18bc8
            • Opcode Fuzzy Hash: ffd3b7544b81f3b13c2d9ec54ecc8733f836e1a18bb9c8e326f3d1bee99ef1c2
            • Instruction Fuzzy Hash: BF519F71C50249BACF16EBA1CC52EEEBB78EF04341F944165F505720A1EB302AE9DFA0
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0035C272
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0035C29A
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0035C2CA
            • GetLastError.KERNEL32 ref: 0035C322
            • SetEvent.KERNEL32(?), ref: 0035C336
            • InternetCloseHandle.WININET(00000000), ref: 0035C341
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: ae152e8509bb3104dbee99e5d119f7aab3c64ee391e6bd54af8d681023bff4d7
            • Instruction ID: 35b64ffc02d51c964c57a76d8e6f6b56711d4f936f583f4b9aeff352498ba051
            • Opcode Fuzzy Hash: ae152e8509bb3104dbee99e5d119f7aab3c64ee391e6bd54af8d681023bff4d7
            • Instruction Fuzzy Hash: CC318FB5510348AFDB229F648C88EAB7AFCEB49749F14951DF84696220DB34DD488B60
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00323AAF,?,?,Bad directive syntax error,0037CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003498BC
            • LoadStringW.USER32(00000000,?,00323AAF,?), ref: 003498C3
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00349987
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: HandleLoadMessageModuleString_wcslen
            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
            • API String ID: 858772685-4153970271
            • Opcode ID: 57b6609c4fd1eaf2b89b75ec6a2a5ae57aacb99c5fea1791edc60652ebbb70d4
            • Instruction ID: f3b11a74dbcd31c23d453fcd58af95b1e69e898a87ec7981724533cd8a9f0641
            • Opcode Fuzzy Hash: 57b6609c4fd1eaf2b89b75ec6a2a5ae57aacb99c5fea1791edc60652ebbb70d4
            • Instruction Fuzzy Hash: FD21823185025EABCF16EF90CC0AEEE7779FF18300F44446AF515660A1EB71AAA8CF50
            APIs
            • GetParent.USER32 ref: 003420AB
            • GetClassNameW.USER32(00000000,?,00000100), ref: 003420C0
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0034214D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1290815626-3381328864
            • Opcode ID: 7823d1752eb60ecc326dfca9a0f0196da5e2890fecb3a441544feab17d5e6270
            • Instruction ID: 7e915a81ba3d949e0249ae93eaebf492773625ac86bed8470c67232a8f1c1e84
            • Opcode Fuzzy Hash: 7823d1752eb60ecc326dfca9a0f0196da5e2890fecb3a441544feab17d5e6270
            • Instruction Fuzzy Hash: 0211367A288306B9FA132224DC06DE773DCDB05325F61001AFB04BC0D2EAA578515624
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
            • String ID:
            • API String ID: 1282221369-0
            • Opcode ID: b8f4385088b2ff7871e37d3b2945f29ea85ef5cb1fbf001a7664a1723ffe5571
            • Instruction ID: 201ca2cae8014e8cca358df3fe3bc7c66de71d279dd7d541ddecd951e14cad3a
            • Opcode Fuzzy Hash: b8f4385088b2ff7871e37d3b2945f29ea85ef5cb1fbf001a7664a1723ffe5571
            • Instruction Fuzzy Hash: 01613971954300AFDB2FAFB49881AEA7BA9EF0E324F05416DF9449B281D7319DD2C790
            APIs
            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00375186
            • ShowWindow.USER32(?,00000000), ref: 003751C7
            • ShowWindow.USER32(?,00000005,?,00000000), ref: 003751CD
            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 003751D1
              • Part of subcall function 00376FBA: DeleteObject.GDI32(00000000), ref: 00376FE6
            • GetWindowLongW.USER32(?,000000F0), ref: 0037520D
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0037521A
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0037524D
            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00375287
            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00375296
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
            • String ID:
            • API String ID: 3210457359-0
            • Opcode ID: 56630fa6544ad1938b85e4af9a767f5024293d4b393f0ff6a547f697e0c403fe
            • Instruction ID: 175321bbd60bb084f37453fecdffa358714852d06cf526a66be8422f80f89db1
            • Opcode Fuzzy Hash: 56630fa6544ad1938b85e4af9a767f5024293d4b393f0ff6a547f697e0c403fe
            • Instruction Fuzzy Hash: 4F51D330A50A08BEEF3A9F24CC45BD87B69EB05362F54C415F61D9A2E1C7F9A990DF40
            APIs
            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00336890
            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003368A9
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003368B9
            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003368D1
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003368F2
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00336901
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0033691E
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0033692D
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend
            • String ID:
            • API String ID: 1268354404-0
            • Opcode ID: d16bd2095d56976a5fa9a8e15a461cc6499d6aa19f3b40bdbbdd6d0423ee5b66
            • Instruction ID: 698d9f1e6eb8fd9fc45b2ac3d9881b8ec7c5fc28998cbba087dd72c8dbc53f7e
            • Opcode Fuzzy Hash: d16bd2095d56976a5fa9a8e15a461cc6499d6aa19f3b40bdbbdd6d0423ee5b66
            • Instruction Fuzzy Hash: F2517070610209AFDB21CF25CC96FAABBB5FB58754F104528FA16D7290DB70E9A0DB50
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0035C182
            • GetLastError.KERNEL32 ref: 0035C195
            • SetEvent.KERNEL32(?), ref: 0035C1A9
              • Part of subcall function 0035C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0035C272
              • Part of subcall function 0035C253: GetLastError.KERNEL32 ref: 0035C322
              • Part of subcall function 0035C253: SetEvent.KERNEL32(?), ref: 0035C336
              • Part of subcall function 0035C253: InternetCloseHandle.WININET(00000000), ref: 0035C341
            Similarity
            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
            • String ID:
            • API String ID: 337547030-0
            APIs
              • Part of subcall function 00343A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00343A57
              • Part of subcall function 00343A3D: GetCurrentThreadId.KERNEL32 ref: 00343A5E
              • Part of subcall function 00343A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003425B3), ref: 00343A65
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 003425BD
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003425DB
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003425DF
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 003425E9
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00342601
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00342605
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 0034260F
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00342623
            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00342627
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00341449,?,?,00000000), ref: 0034180C
            • HeapAlloc.KERNEL32(00000000,?,00341449,?,?,00000000), ref: 00341813
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00341449,?,?,00000000), ref: 00341828
            • GetCurrentProcess.KERNEL32(?,00000000,?,00341449,?,?,00000000), ref: 00341830
            • DuplicateHandle.KERNEL32(00000000,?,00341449,?,?,00000000), ref: 00341833
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00341449,?,?,00000000), ref: 00341843
            • GetCurrentProcess.KERNEL32(00341449,00000000,?,00341449,?,?,00000000), ref: 0034184B
            • DuplicateHandle.KERNEL32(00000000,?,00341449,?,?,00000000), ref: 0034184E
            • CreateThread.KERNEL32(00000000,00000000,00341874,00000000,00000000,00000000), ref: 00341868
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            APIs
              • Part of subcall function 0034D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0034D501
              • Part of subcall function 0034D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0034D50F
              • Part of subcall function 0034D4DC: CloseHandle.KERNEL32(00000000), ref: 0034D5DC
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0036A16D
            • GetLastError.KERNEL32 ref: 0036A180
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0036A1B3
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0036A268
            • GetLastError.KERNEL32(00000000), ref: 0036A273
            • CloseHandle.KERNEL32(00000000), ref: 0036A2C4
            Strings
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00373925
            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0037393A
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00373954
            • _wcslen.LIBCMT ref: 00373999
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 003739C6
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003739F4
            Strings
            Similarity
            • API ID: MessageSend$Window_wcslen
            • String ID: SysListView32
            • API String ID: 2147712094-78025650
            APIs
            • _ValidateLocalCookies.LIBCMT ref: 00302D4B
            • ___except_validate_context_record.LIBVCRUNTIME ref: 00302D53
            • _ValidateLocalCookies.LIBCMT ref: 00302DE1
            • __IsNonwritableInCurrentImage.LIBCMT ref: 00302E0C
            • _ValidateLocalCookies.LIBCMT ref: 00302E61
            Strings
            Similarity
            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
            • String ID: &H0$csm
            • API String ID: 1170836740-4157724386
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 0034C913
            Strings
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            APIs
            Similarity
            • API ID: _wcslen$LocalTime
            • String ID:
            • API String ID: 952045576-0
            APIs
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0033682C,00000004,00000000,00000000), ref: 002FF953
            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0033682C,00000004,00000000,00000000), ref: 0033F3D1
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0033682C,00000004,00000000,00000000), ref: 0033F454
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            APIs
            • DeleteObject.GDI32(00000000), ref: 00372D1B
            • GetDC.USER32(00000000), ref: 00372D23
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00372D2E
            • ReleaseDC.USER32(00000000,00000000), ref: 00372D3A
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00372D76
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00372D87
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00375A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00372DC2
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00372DE1
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            APIs
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            Strings
            Similarity
            • API ID:
            • String ID: NULL Pointer assignment$Not an Object type
            • API String ID: 0-572801152
            APIs
            • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003217FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003215CE
            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00321651
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003217FB,?,003217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003216E4
            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003216FB
              • Part of subcall function 00313820: RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003217FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00321777
            • __freea.LIBCMT ref: 003217A2
            • __freea.LIBCMT ref: 003217AE
            Similarity
            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
            • String ID:
            • API String ID: 2829977744-0
            APIs
            Strings
            Similarity
            • API ID: Variant$ClearInit
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2610073882-625585964
            APIs
            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0035125C
            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00351284
            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003512A8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003512D8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0035135F
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003513C4
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00351430
            Similarity
            • API ID: ArraySafe$Data$Access$UnaccessVartype
            • String ID:
            • API String ID: 2550207440-0
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 0036396B
            • CharUpperBuffW.USER32(?,?), ref: 00363A7A
            • _wcslen.LIBCMT ref: 00363A8A
            • VariantClear.OLEAUT32(?), ref: 00363C1F
              • Part of subcall function 00350CDF: VariantInit.OLEAUT32(00000000), ref: 00350D1F
              • Part of subcall function 00350CDF: VariantCopy.OLEAUT32(?,?), ref: 00350D28
              • Part of subcall function 00350CDF: VariantClear.OLEAUT32(?), ref: 00350D34
            Strings
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4137639002-1221869570
            APIs
              • Part of subcall function 0034000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?,?,0034035E), ref: 0034002B
              • Part of subcall function 0034000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340046
              • Part of subcall function 0034000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340054
              • Part of subcall function 0034000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?), ref: 00340064
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00364C51
            • _wcslen.LIBCMT ref: 00364D59
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00364DCF
            • CoTaskMemFree.OLE32(?), ref: 00364DDA
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 614568839-2785691316
            • Opcode ID: 99731fe3c49e593b415c00b8b587b39b8bac6784a9008ce3318b3946c0b14ac6
            • Instruction ID: ef9f7a7f8f8fedc4a4a04b1833b45de38d6c87d54ff92caa03aa7221d75f1fd2
            • Opcode Fuzzy Hash: 99731fe3c49e593b415c00b8b587b39b8bac6784a9008ce3318b3946c0b14ac6
            • Instruction Fuzzy Hash: F3912871D0021DAFDF25DFA4D891AEEB7B9BF08300F50816AE915AB251DB34AE54CF60
            APIs
            • GetMenu.USER32(?), ref: 00372183
            • GetMenuItemCount.USER32(00000000), ref: 003721B5
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003721DD
            • _wcslen.LIBCMT ref: 00372213
            • GetMenuItemID.USER32(?,?), ref: 0037224D
            • GetSubMenu.USER32(?,?), ref: 0037225B
              • Part of subcall function 00343A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00343A57
              • Part of subcall function 00343A3D: GetCurrentThreadId.KERNEL32 ref: 00343A5E
              • Part of subcall function 00343A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003425B3), ref: 00343A65
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003722E3
              • Part of subcall function 0034E97B: Sleep.KERNEL32 ref: 0034E9F3
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
            • String ID:
            • API String ID: 4196846111-0
            • Opcode ID: a65cd29fd5169e66bbbe45d4d8e06c9e73ba42e931a0e78abf1c48c7321fc247
            • Instruction ID: 630e9efb74939cc876f7c2cefc18b98d0e677c0f19ea38973b99256833644a26
            • Opcode Fuzzy Hash: a65cd29fd5169e66bbbe45d4d8e06c9e73ba42e931a0e78abf1c48c7321fc247
            • Instruction Fuzzy Hash: A871B175A00205AFCB22DF65C881AAEB7F5FF48310F158459E81AEB351DB38EE418F90
            APIs
            • GetParent.USER32(?), ref: 0034AEF9
            • GetKeyboardState.USER32(?), ref: 0034AF0E
            • SetKeyboardState.USER32(?), ref: 0034AF6F
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 0034AF9D
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 0034AFBC
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 0034AFFD
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0034B020
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 5074e22ad7b5417adc77258940e0d8ed37f6edca1b434ea9ee3916dfbd38ad10
            • Instruction ID: e17e0d78dc6d802fca1b80fdcd4f5921cc3f870deb6f364fee4d504fc4f27dfd
            • Opcode Fuzzy Hash: 5074e22ad7b5417adc77258940e0d8ed37f6edca1b434ea9ee3916dfbd38ad10
            • Instruction Fuzzy Hash: 0651BDA0644AD53DFB3782348C45BBBBEE95B06304F098889E1E94D8C2C3D8F9C8D751
            APIs
            • GetParent.USER32(00000000), ref: 0034AD19
            • GetKeyboardState.USER32(?), ref: 0034AD2E
            • SetKeyboardState.USER32(?), ref: 0034AD8F
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0034ADBB
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0034ADD8
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0034AE17
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0034AE38
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 5281f471154f607ee1f789d790ae258f89e50ab259bb5300c2b9ec9ce8213e1a
            • Instruction ID: 867f6390c68d7633490bf19c235fdc9b69b3d94395f86814d5a31a82dd7b97d6
            • Opcode Fuzzy Hash: 5281f471154f607ee1f789d790ae258f89e50ab259bb5300c2b9ec9ce8213e1a
            • Instruction Fuzzy Hash: C251D6A1988BD53DFB3783348C95B7ABED85B46300F098489E1E54E8C2D294FDC4E752
            APIs
            • GetConsoleCP.KERNEL32(00323CD6,?,?,?,?,?,?,?,?,00315BA3,?,?,00323CD6,?,?), ref: 00315470
            • __fassign.LIBCMT ref: 003154EB
            • __fassign.LIBCMT ref: 00315506
            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00323CD6,00000005,00000000,00000000), ref: 0031552C
            • WriteFile.KERNEL32(?,00323CD6,00000000,00315BA3,00000000,?,?,?,?,?,?,?,?,?,00315BA3,?), ref: 0031554B
            • WriteFile.KERNEL32(?,?,00000001,00315BA3,00000000,?,?,?,?,?,?,?,?,?,00315BA3,?), ref: 00315584
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            • Opcode ID: fe0658cc12ade7cf58fae1d34fcc8bf86c3b3e4287b984f143e9d5233326da31
            • Instruction ID: 5b431e24aedf582b0ef9fe5b7aaf5382825d7804f85ed74e301b67fb41cc493c
            • Opcode Fuzzy Hash: fe0658cc12ade7cf58fae1d34fcc8bf86c3b3e4287b984f143e9d5233326da31
            • Instruction Fuzzy Hash: 6C51B471A00649DFDB16CFA8D885AEEBBFAEF4D300F14411AF556E7291D7309A81CB60
            APIs
              • Part of subcall function 0036304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0036307A
              • Part of subcall function 0036304E: _wcslen.LIBCMT ref: 0036309B
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00361112
            • WSAGetLastError.WSOCK32 ref: 00361121
            • WSAGetLastError.WSOCK32 ref: 003611C9
            • closesocket.WSOCK32(00000000), ref: 003611F9
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
            • String ID:
            • API String ID: 2675159561-0
            • Opcode ID: 4c38fbe742ff354056f39e4daef47fdf02008bb095f74b8860abc95e26e0c80b
            • Instruction ID: 8386c9fd63465b7096ebd9cd76d9589fcaba4007fb7a8caa54e0c833086c92b0
            • Opcode Fuzzy Hash: 4c38fbe742ff354056f39e4daef47fdf02008bb095f74b8860abc95e26e0c80b
            • Instruction Fuzzy Hash: F541E731610204AFDB229F54C845BAAB7E9EF46324F18C059FD199B295C774ED81CBE1
            APIs
              • Part of subcall function 0034DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0034CF22,?), ref: 0034DDFD
              • Part of subcall function 0034DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0034CF22,?), ref: 0034DE16
            • lstrcmpiW.KERNEL32(?,?), ref: 0034CF45
            • MoveFileW.KERNEL32(?,?), ref: 0034CF7F
            • _wcslen.LIBCMT ref: 0034D005
            • _wcslen.LIBCMT ref: 0034D01B
            • SHFileOperationW.SHELL32(?), ref: 0034D061
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
            • String ID: \*.*
            • API String ID: 3164238972-1173974218
            • Opcode ID: 2da4c3f7bda9bd690dab736d6cdfa4918b7d418f84da30cbe49efbbce51fc294
            • Instruction ID: a1c240eca4581caf9e13bfe08e2ac30095d4f6e5f5ef309f62949cb1b8eb8d00
            • Opcode Fuzzy Hash: 2da4c3f7bda9bd690dab736d6cdfa4918b7d418f84da30cbe49efbbce51fc294
            • Instruction Fuzzy Hash: C64143719462189EDF13EBA4C981ADEB7FCAF08740F1000A6E505EF142EA35B688CB50
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00372E1C
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00372E4F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00372E84
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00372EB6
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00372EE0
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00372EF1
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00372F0B
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: 1936313513cbf1c281d223bee8023b42feb2594bc3720dea5bfe41568e5b8074
            • Instruction ID: b563c0437eca7eeb862f500e6059a591ad16f9a69babfb909cdbaf69dc8b5747
            • Opcode Fuzzy Hash: 1936313513cbf1c281d223bee8023b42feb2594bc3720dea5bfe41568e5b8074
            • Instruction Fuzzy Hash: A03126306041409FDB32CF18DC94F6677E8FB4A710F1A5168FA488F6B1CB75A880DB81
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00347769
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0034778F
            • SysAllocString.OLEAUT32(00000000), ref: 00347792
            • SysAllocString.OLEAUT32(?), ref: 003477B0
            • SysFreeString.OLEAUT32(?), ref: 003477B9
            • StringFromGUID2.OLE32(?,?,00000028), ref: 003477DE
            • SysAllocString.OLEAUT32(?), ref: 003477EC
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: 9eb148e72beda1a7a26625c2cb50b75c1e91196b24d5338fd4948f076b3e1d13
            • Instruction ID: 090c0f079f2c95d0b02bbfe6c1dfc0fbde7a4aab7d534bd117b04b4015756555
            • Opcode Fuzzy Hash: 9eb148e72beda1a7a26625c2cb50b75c1e91196b24d5338fd4948f076b3e1d13
            • Instruction Fuzzy Hash: A321B576604219AFDB12DFA8CC88DBB77ECEB09764B408025FA15DB150D770EC418760
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00347842
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00347868
            • SysAllocString.OLEAUT32(00000000), ref: 0034786B
            • SysAllocString.OLEAUT32 ref: 0034788C
            • SysFreeString.OLEAUT32 ref: 00347895
            • StringFromGUID2.OLE32(?,?,00000028), ref: 003478AF
            • SysAllocString.OLEAUT32(?), ref: 003478BD
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: eeaca2cb1f6df6792ce787f181587d5e204362955ea976a7ec2de7fc428824e4
            • Instruction ID: bc558074d0ed2a47c4c4cfc02f415e77b2a4c3a55aae028f9cb0b301464880a9
            • Opcode Fuzzy Hash: eeaca2cb1f6df6792ce787f181587d5e204362955ea976a7ec2de7fc428824e4
            • Instruction Fuzzy Hash: 46217131608208AFDB129FA9DC8DDBA77ECEB09760B118125F915DB2A1D774EC81CB64
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 003504F2
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0035052E
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            • Opcode ID: f8126aac04e32556d07b7230efdce9fbe81b1933fb065996baac6793487488f9
            • Instruction ID: 3732f4f5140d5bfcd04156d5bf93fe2df31e799fd5757407975829b8d0d5a790
            • Opcode Fuzzy Hash: f8126aac04e32556d07b7230efdce9fbe81b1933fb065996baac6793487488f9
            • Instruction Fuzzy Hash: A8218075504305ABDF268F29DC05E9A77B8AF46725F204E19FCA1E62F0E7719948CF20
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 003505C6
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00350601
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            • Opcode ID: 8e9067010044757061e3cb94368f2ce1ba8f4b79251befb664cc518dd5ac06d9
            • Instruction ID: bc899ba776e03340897a91791405083a0623b4bd31b86fa3a9fc61bf5207196b
            • Opcode Fuzzy Hash: 8e9067010044757061e3cb94368f2ce1ba8f4b79251befb664cc518dd5ac06d9
            • Instruction Fuzzy Hash: 9521B2755003069BDB268F68CC04E9A77E8FF85721F200A19FCA1E72F0D77299A4CB50
            APIs
              • Part of subcall function 002E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002E604C
              • Part of subcall function 002E600E: GetStockObject.GDI32(00000011), ref: 002E6060
              • Part of subcall function 002E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002E606A
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00374112
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0037411F
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0037412A
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00374139
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00374145
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: 50a18b080d592800ee33fab56d46947c1cd926a3144b683e913664e3fb65b739
            • Instruction ID: 1067c3f45b9c9432c8dd73536249e9d034100655e955b8e311e7ddf93b81177d
            • Opcode Fuzzy Hash: 50a18b080d592800ee33fab56d46947c1cd926a3144b683e913664e3fb65b739
            • Instruction Fuzzy Hash: 4D11B2B2150219BEEF229F64CC85EE7BF9DEF08798F018110FB18A6150C7769C61DBA4
            APIs
              • Part of subcall function 0031D7A3: _free.LIBCMT ref: 0031D7CC
            • _free.LIBCMT ref: 0031D82D
              • Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
              • Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0
            • _free.LIBCMT ref: 0031D838
            • _free.LIBCMT ref: 0031D843
            • _free.LIBCMT ref: 0031D897
            • _free.LIBCMT ref: 0031D8A2
            • _free.LIBCMT ref: 0031D8AD
            • _free.LIBCMT ref: 0031D8B8
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
            • Instruction ID: 55700d6211750c2c29ac01741a244f369aa5c4173404b3e514211ddccef8a0db
            • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
            • Instruction Fuzzy Hash: 1B115171540B04AAD527BFB0CC47FCB7BDC6F0A710F440825B299AE0D2DBA6B5A54650
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0034DA74
            • LoadStringW.USER32(00000000), ref: 0034DA7B
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0034DA91
            • LoadStringW.USER32(00000000), ref: 0034DA98
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0034DADC
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 0034DAB9
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 4072794657-3128320259
            • Opcode ID: 7aed6702ffaa08dfde390c1a03bac1e3d59d65ace578f1b23f792ded40682590
            • Instruction ID: 45da5028b17ab52d8670086b55eb24d5474d2440435eab4c7e50ba6e65b7c5b7
            • Opcode Fuzzy Hash: 7aed6702ffaa08dfde390c1a03bac1e3d59d65ace578f1b23f792ded40682590
            • Instruction Fuzzy Hash: 1F018BF65102087FE712ABA49D89EE7376CD708701F405459F749E6041E6749DC44F74
            APIs
            • InterlockedExchange.KERNEL32(0135EC68,0135EC68), ref: 0035097B
            • EnterCriticalSection.KERNEL32(0135EC48,00000000), ref: 0035098D
            • TerminateThread.KERNEL32(0135EC60,000001F6), ref: 0035099B
            • WaitForSingleObject.KERNEL32(0135EC60,000003E8), ref: 003509A9
            • CloseHandle.KERNEL32(0135EC60), ref: 003509B8
            • InterlockedExchange.KERNEL32(0135EC68,000001F6), ref: 003509C8
            • LeaveCriticalSection.KERNEL32(0135EC48), ref: 003509CF
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: 1ee7217f6692b93caaf0f2165d3c64cd4c3fec12584e627da01e23b9df20955c
            • Instruction ID: fa4b005fdfd1d68b02fb57284976148e501113dd689812e4ecdae40693a95d61
            • Opcode Fuzzy Hash: 1ee7217f6692b93caaf0f2165d3c64cd4c3fec12584e627da01e23b9df20955c
            • Instruction Fuzzy Hash: 10F03132452502BBDB675F94EE8CBD6BB39FF01702F402429F205608B5C77594A5CF90
            APIs
            • __allrem.LIBCMT ref: 003100BA
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003100D6
            • __allrem.LIBCMT ref: 003100ED
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0031010B
            • __allrem.LIBCMT ref: 00310122
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00310140
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID:
            • API String ID: 1992179935-0
            • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
            • Instruction ID: 37928d6f6e00668700003f9ca32d26de42ab0ee475a4aadcf0df69d3b5c7220b
            • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
            • Instruction Fuzzy Hash: 46812875A01706AFE72E9E28CC41BABB3E8AF49720F254639F451DA6C1E7B4D9C08750
            APIs
            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003082D9,003082D9,?,?,?,0031644F,00000001,00000001,8BE85006), ref: 00316258
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0031644F,00000001,00000001,8BE85006,?,?,?), ref: 003162DE
            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003163D8
            • __freea.LIBCMT ref: 003163E5
              • Part of subcall function 00313820: RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852
            • __freea.LIBCMT ref: 003163EE
            • __freea.LIBCMT ref: 00316413
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ByteCharMultiWide__freea$AllocateHeap
            • String ID:
            • API String ID: 1414292761-0
            • Opcode ID: 66f209247d9a82882c6cf664ffadfec36d3f438611a0771737820977a2f6b33c
            • Instruction ID: e1c7aefc67049b42dfaf0df9488053cd716eef4f70de0fd07402ca658cefa4ad
            • Opcode Fuzzy Hash: 66f209247d9a82882c6cf664ffadfec36d3f438611a0771737820977a2f6b33c
            • Instruction Fuzzy Hash: 0051E472600216ABDB2F8FA4CC82EEF77A9EB48710F164A29FC15DA150DB34DCD0C660
            APIs
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
              • Part of subcall function 0036C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0036B6AE,?,?), ref: 0036C9B5
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036C9F1
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA68
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036BCCA
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0036BD25
            • RegCloseKey.ADVAPI32(00000000), ref: 0036BD6A
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0036BD99
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0036BDF3
            • RegCloseKey.ADVAPI32(?), ref: 0036BDFF
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
            • String ID:
            • API String ID: 1120388591-0
            • Opcode ID: 35a49e3a537acf47950c1bac0515803945c50283214ccd0fde6c7b1121a13c81
            • Instruction ID: 204cb3931ab1ee0aca63379515d8c7f8c0274dfdf20b015889b436dae819d830
            • Opcode Fuzzy Hash: 35a49e3a537acf47950c1bac0515803945c50283214ccd0fde6c7b1121a13c81
            • Instruction Fuzzy Hash: 80818F30218241AFD715DF24C885E2ABBE9FF84308F54856DF5598B2A2DB31ED85CF92
            APIs
            • VariantInit.OLEAUT32(00000035), ref: 0033F7B9
            • SysAllocString.OLEAUT32(00000001), ref: 0033F860
            • VariantCopy.OLEAUT32(0033FA64,00000000), ref: 0033F889
            • VariantClear.OLEAUT32(0033FA64), ref: 0033F8AD
            • VariantCopy.OLEAUT32(0033FA64,00000000), ref: 0033F8B1
            • VariantClear.OLEAUT32(?), ref: 0033F8BB
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Variant$ClearCopy$AllocInitString
            • String ID:
            • API String ID: 3859894641-0
            • Opcode ID: 8c4c09447dc717e8377cf3aa97aa3b15a8b90f6b5892c90162d4af79e83ea23c
            • Instruction ID: 11a72c47ea701804fd76f331b205393a18c6b7469b89dbf7ab42b1ccccac6b48
            • Opcode Fuzzy Hash: 8c4c09447dc717e8377cf3aa97aa3b15a8b90f6b5892c90162d4af79e83ea23c
            • Instruction Fuzzy Hash: 5F51D431E10314BFCF26AB65D8D5B29B3A8EF45310FA4946BE906DF291DB708C50CB96
            APIs
              • Part of subcall function 002E7620: _wcslen.LIBCMT ref: 002E7625
              • Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A
            • GetOpenFileNameW.COMDLG32(00000058), ref: 003594E5
            • _wcslen.LIBCMT ref: 00359506
            • _wcslen.LIBCMT ref: 0035952D
            • GetSaveFileNameW.COMDLG32(00000058), ref: 00359585
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$FileName$OpenSave
            • String ID: X
            • API String ID: 83654149-3081909835
            • Opcode ID: fa71100b3351d8c2d4f8ed509f80f0100c6b35baadd68d5807bfe6df0300f6db
            • Instruction ID: 878430680dff64cd307a3df3eb9a5e3736d971a8eb66726c1de01b938c36d024
            • Opcode Fuzzy Hash: fa71100b3351d8c2d4f8ed509f80f0100c6b35baadd68d5807bfe6df0300f6db
            • Instruction Fuzzy Hash: 06E1BF31514340CFC725EF25C881F6AB7E4BF85314F55896EE8899B2A2EB30DD49CB92
            APIs
              • Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2
            • BeginPaint.USER32(?,?,?), ref: 002F9241
            • GetWindowRect.USER32(?,?), ref: 002F92A5
            • ScreenToClient.USER32(?,?), ref: 002F92C2
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002F92D3
            • EndPaint.USER32(?,?,?,?,?), ref: 002F9321
            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003371EA
              • Part of subcall function 002F9339: BeginPath.GDI32(00000000), ref: 002F9357
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
            • String ID:
            • API String ID: 3050599898-0
            • Opcode ID: e2208715bbf483f7fee951465712bb0e4c5c0a89196dd16a5649ba3986eeec77
            • Instruction ID: c68da743acb766a65fde2d8ae90052f74beae0e3231eee203fa549dc28eaec17
            • Opcode Fuzzy Hash: e2208715bbf483f7fee951465712bb0e4c5c0a89196dd16a5649ba3986eeec77
            • Instruction Fuzzy Hash: 7841EE71524205AFD722DF24CCD4FBABBA8EB49364F040269FAA4872A1C7309895CB61
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0035080C
            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00350847
            • EnterCriticalSection.KERNEL32(?), ref: 00350863
            • LeaveCriticalSection.KERNEL32(?), ref: 003508DC
            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003508F3
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00350921
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
            • String ID:
            • API String ID: 3368777196-0
            • Opcode ID: 59e750fc6d2982db327a9f10890166951887b4b2ad276faae4b7e0d394ff4952
            • Instruction ID: d33c7db9226d7213bdb57c034d681e98f0cface28d60c0187f1c3f22360641d9
            • Opcode Fuzzy Hash: 59e750fc6d2982db327a9f10890166951887b4b2ad276faae4b7e0d394ff4952
            • Instruction Fuzzy Hash: C8417C71910205EBDF1A9F54DC85A6AB7B8FF04300F1440B9ED04AE2A7D731DE64DBA0
            APIs
            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0033F3AB,00000000,?,?,00000000,?,0033682C,00000004,00000000,00000000), ref: 0037824C
            • EnableWindow.USER32(00000000,00000000), ref: 00378272
            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 003782D1
            • ShowWindow.USER32(00000000,00000004), ref: 003782E5
            • EnableWindow.USER32(00000000,00000001), ref: 0037830B
            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0037832F
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: 6bc05477e8ff081f8ebabe25ba3e6fb1996b53bed9971cba7c55acb0a5872ccd
            • Instruction ID: 16fa251b7d9f4b030aea8172f424a0c4f53dbf626811f8821d2931a3e49aca7b
            • Opcode Fuzzy Hash: 6bc05477e8ff081f8ebabe25ba3e6fb1996b53bed9971cba7c55acb0a5872ccd
            • Instruction Fuzzy Hash: F841A338641644AFDB37CF14D89DBA47BF4BB0A715F199269E60C4B263CB35A841CB90
            APIs
            • IsWindowVisible.USER32(?), ref: 00344C95
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00344CB2
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00344CEA
            • _wcslen.LIBCMT ref: 00344D08
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00344D10
            • _wcsstr.LIBVCRUNTIME ref: 00344D1A
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
            • String ID:
            • API String ID: 72514467-0
            • Opcode ID: 3748941572e66100940c6523d2d2b679aee01b0775bac4cf3214a93d6bf0b8f9
            • Instruction ID: c259fafba66dfff24e0b31960ca5cb938d5c300611046e3621c260ecb55bb7cb
            • Opcode Fuzzy Hash: 3748941572e66100940c6523d2d2b679aee01b0775bac4cf3214a93d6bf0b8f9
            • Instruction Fuzzy Hash: C021F9716042047BEB275B35AC89F7BBBDCDF46750F15803DF909CE192EA61EC4096A0
            APIs
              • Part of subcall function 002E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002E3A97,?,?,002E2E7F,?,?,?,00000000), ref: 002E3AC2
            • _wcslen.LIBCMT ref: 0035587B
            • CoInitialize.OLE32(00000000), ref: 00355995
            • CoCreateInstance.OLE32(0037FCF8,00000000,00000001,0037FB68,?), ref: 003559AE
            • CoUninitialize.OLE32 ref: 003559CC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 3172280962-24824748
            • Opcode ID: 31fd56e16794ad489a56e8152434dfaedc0b67fedc158145581a93229103f119
            • Instruction ID: d35eae5a4df7468ac19f27cedd3b7a3e502c17c7bb35d01373a5c35af9418c1d
            • Opcode Fuzzy Hash: 31fd56e16794ad489a56e8152434dfaedc0b67fedc158145581a93229103f119
            • Instruction Fuzzy Hash: 1BD161706087019FCB15DF25C4A4E2ABBE5EF89311F55885DF88A9B361CB31EC49CB92
            APIs
              • Part of subcall function 00340FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00340FCA
              • Part of subcall function 00340FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00340FD6
              • Part of subcall function 00340FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00340FE5
              • Part of subcall function 00340FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00340FEC
              • Part of subcall function 00340FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00341002
            • GetLengthSid.ADVAPI32(?,00000000,00341335), ref: 003417AE
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 003417BA
            • HeapAlloc.KERNEL32(00000000), ref: 003417C1
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 003417DA
            • GetProcessHeap.KERNEL32(00000000,00000000,00341335), ref: 003417EE
            • HeapFree.KERNEL32(00000000), ref: 003417F5
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            • Opcode ID: dfe7e762d6ea1d93c2e3992276913a3a595152d5d4eb08b5d0b774289a575b84
            • Instruction ID: 536f9bb3b8af4fc220f95facd0d2956b8a13289179e686eb767c8e7098b561b7
            • Opcode Fuzzy Hash: dfe7e762d6ea1d93c2e3992276913a3a595152d5d4eb08b5d0b774289a575b84
            • Instruction Fuzzy Hash: 33118E71620605FFDB269FA4CC49BAE7BFDEB45355F11402CF4459B210D736A984CB60
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003414FF
            • OpenProcessToken.ADVAPI32(00000000), ref: 00341506
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00341515
            • CloseHandle.KERNEL32(00000004), ref: 00341520
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0034154F
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00341563
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: fc720729cf24c0de2d98d339b562992d152c387ce36d7846203ce67a4a5d0ab5
            • Instruction ID: 71a752d6044b492d4039dbd308740720b2f6b54cc99a3ab4311b5e2ff038d7b5
            • Opcode Fuzzy Hash: fc720729cf24c0de2d98d339b562992d152c387ce36d7846203ce67a4a5d0ab5
            • Instruction Fuzzy Hash: 04115972500209AFDF228F98DD49BDE7BADEF49704F054058FA09A6160C375DEA0DB60
            APIs
            • GetLastError.KERNEL32(?,?,00303379,00302FE5), ref: 00303390
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0030339E
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003033B7
            • SetLastError.KERNEL32(00000000,?,00303379,00302FE5), ref: 00303409
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            • Opcode ID: 0ce46c49cfcc332f95445b126fabd4a52f2582913aead8a2fdcbd07d11371868
            • Instruction ID: 1698c32cdc93a4daaefc2896289d23a5c53f7a3ea0c5bed72ada6bd4c2b6822d
            • Opcode Fuzzy Hash: 0ce46c49cfcc332f95445b126fabd4a52f2582913aead8a2fdcbd07d11371868
            • Instruction Fuzzy Hash: 7101D43662B311BEE62B27757CE56672A9CEB06379B20122DF610891F0FF228E515644
            APIs
            • GetLastError.KERNEL32(?,?,00315686,00323CD6,?,00000000,?,00315B6A,?,?,?,?,?,0030E6D1,?,003A8A48), ref: 00312D78
            • _free.LIBCMT ref: 00312DAB
            • _free.LIBCMT ref: 00312DD3
            • SetLastError.KERNEL32(00000000,?,?,?,?,0030E6D1,?,003A8A48,00000010,002E4F4A,?,?,00000000,00323CD6), ref: 00312DE0
            • SetLastError.KERNEL32(00000000,?,?,?,?,0030E6D1,?,003A8A48,00000010,002E4F4A,?,?,00000000,00323CD6), ref: 00312DEC
            • _abort.LIBCMT ref: 00312DF2
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorLast$_free$_abort
            • String ID:
            • API String ID: 3160817290-0
            • Opcode ID: b14fcca9f422b8bb6190fb750f81a46979e1648155c26ce6382870c3d42c6a7b
            • Instruction ID: 60df125185e962f49a797777fd8665101b31c7ed21612a3cf94e587ecd714ef9
            • Opcode Fuzzy Hash: b14fcca9f422b8bb6190fb750f81a46979e1648155c26ce6382870c3d42c6a7b
            • Instruction Fuzzy Hash: CAF0A4365446006BD62F3738FC06ADB255DABCE7B1F26441CF8389A1D2EF2488F24260
            APIs
              • Part of subcall function 002F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002F9693
              • Part of subcall function 002F9639: SelectObject.GDI32(?,00000000), ref: 002F96A2
              • Part of subcall function 002F9639: BeginPath.GDI32(?), ref: 002F96B9
              • Part of subcall function 002F9639: SelectObject.GDI32(?,00000000), ref: 002F96E2
            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00378A4E
            • LineTo.GDI32(?,00000003,00000000), ref: 00378A62
            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00378A70
            • LineTo.GDI32(?,00000000,00000003), ref: 00378A80
            • EndPath.GDI32(?), ref: 00378A90
            • StrokePath.GDI32(?), ref: 00378AA0
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: ac955de24baa9e49a06894c045e9d362a4263307648087d451a2ccf751933b1d
            • Instruction ID: d6cc3b6ce040c8a8cb26e1e884f3a7852a83805fe2d9d66b57bfe46b12f4143b
            • Opcode Fuzzy Hash: ac955de24baa9e49a06894c045e9d362a4263307648087d451a2ccf751933b1d
            • Instruction Fuzzy Hash: E3111B7604014CFFDF229F90DC88EEA7F6DEB08354F008026BA199A1A1C7719D95DFA0
            APIs
            • GetDC.USER32(00000000), ref: 00345218
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00345229
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00345230
            • ReleaseDC.USER32(00000000,00000000), ref: 00345238
            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0034524F
            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00345261
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CapsDevice$Release
            • String ID:
            • API String ID: 1035833867-0
            • Opcode ID: f4e514e6264fdba66fbdad836feb0c8756c08b2354667f5309a8c47e54ca43d4
            • Instruction ID: 5b4580b06d5c1f9181ce4d2be6d2ca6b82d9b1479cd118a0a201b27e52946ccd
            • Opcode Fuzzy Hash: f4e514e6264fdba66fbdad836feb0c8756c08b2354667f5309a8c47e54ca43d4
            • Instruction Fuzzy Hash: 43016275E01718BBEB119BA59C49E5EBFBCFF48751F04446AFA08AB291D6709C00CFA0
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002E1BF4
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 002E1BFC
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002E1C07
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002E1C12
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 002E1C1A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 002E1C22
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: 8ac9898f6f9a262462f2c72613c0d0003c101fd12e22fd10f5aaaa33da726b9d
            • Instruction ID: 5a25086deed785fdcdbf3b2c9e6ad601073fbbb54a60922dd97870b0ca00811f
            • Opcode Fuzzy Hash: 8ac9898f6f9a262462f2c72613c0d0003c101fd12e22fd10f5aaaa33da726b9d
            • Instruction Fuzzy Hash: 08016CB09027597DE3008F5A8C85B52FFA8FF19754F04411F915C47941C7F5A864CBE5
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0034EB30
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0034EB46
            • GetWindowThreadProcessId.USER32(?,?), ref: 0034EB55
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0034EB64
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0034EB6E
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0034EB75
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: 4ce100c876d9b0610d675d665246fd061141747d2547aeea3ad849a5f45beff8
            • Instruction ID: c7798ca7482ed94ecd18eb28e3aa9356b19d307c7b9a59e708fc8bf38a1d07ad
            • Opcode Fuzzy Hash: 4ce100c876d9b0610d675d665246fd061141747d2547aeea3ad849a5f45beff8
            • Instruction Fuzzy Hash: CDF05E72250158BBE7325B629C4EEEF7E7CEFCAB11F00116CF605E1191D7A05A41CAB5
            APIs
            • GetClientRect.USER32(?), ref: 00337452
            • SendMessageW.USER32(?,00001328,00000000,?), ref: 00337469
            • GetWindowDC.USER32(?), ref: 00337475
            • GetPixel.GDI32(00000000,?,?), ref: 00337484
            • ReleaseDC.USER32(?,00000000), ref: 00337496
            • GetSysColor.USER32(00000005), ref: 003374B0
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ClientColorMessagePixelRectReleaseSendWindow
            • String ID:
            • API String ID: 272304278-0
            • Opcode ID: d15a87b4753037280546186b6aa5fbe14aebdce9e4691cfbbbc9854f698f663e
            • Instruction ID: 010c691b720b25abd91270ba72f99f3e1dee47bb5dae68c328a1cd96ce360770
            • Opcode Fuzzy Hash: d15a87b4753037280546186b6aa5fbe14aebdce9e4691cfbbbc9854f698f663e
            • Instruction Fuzzy Hash: EB01AD31410205EFDB625F65DC48BEABBB9FF04321F551168FA1AA20A0CB312E91EB10
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0034187F
            • UnloadUserProfile.USERENV(?,?), ref: 0034188B
            • CloseHandle.KERNEL32(?), ref: 00341894
            • CloseHandle.KERNEL32(?), ref: 0034189C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 003418A5
            • HeapFree.KERNEL32(00000000), ref: 003418AC
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: d5a77c500c2bbf7b0f5c01628c47b64af3424d758ed07a06a6fa134214bea07e
            • Instruction ID: a4e9f6e409264342d7d30ea05dcdea7079296f8d2b96113fa06ae1370f4d9f9c
            • Opcode Fuzzy Hash: d5a77c500c2bbf7b0f5c01628c47b64af3424d758ed07a06a6fa134214bea07e
            • Instruction Fuzzy Hash: 9CE0E536014101BFEB125FA1ED0CA0ABF3DFF49B22F509228F22991470CB3294A0DF50
            APIs
            • __Init_thread_footer.LIBCMT ref: 002EBEB3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: D%;$D%;$D%;$D%;D%;
            • API String ID: 1385522511-674813006
            • Opcode ID: ca718a65326429a5698784d5b9a942512279bcdf8b68d46644938d0e5b141f5a
            • Instruction ID: cd4f443052ff53fcd08b7170fca0911013a209a06665cf6002de7e9bc56191f2
            • Opcode Fuzzy Hash: ca718a65326429a5698784d5b9a942512279bcdf8b68d46644938d0e5b141f5a
            • Instruction Fuzzy Hash: 7291BB75A5024ACFCB19CF5AC4906ABB7F1FF59304FA4816ADA41AB340D731ED91CB90
            APIs
              • Part of subcall function 00300242: EnterCriticalSection.KERNEL32(003B070C,003B1884,?,?,002F198B,003B2518,?,?,?,002E12F9,00000000), ref: 0030024D
              • Part of subcall function 00300242: LeaveCriticalSection.KERNEL32(003B070C,?,002F198B,003B2518,?,?,?,002E12F9,00000000), ref: 0030028A
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
              • Part of subcall function 003000A3: __onexit.LIBCMT ref: 003000A9
            • __Init_thread_footer.LIBCMT ref: 00367BFB
              • Part of subcall function 003001F8: EnterCriticalSection.KERNEL32(003B070C,?,?,002F8747,003B2514), ref: 00300202
              • Part of subcall function 003001F8: LeaveCriticalSection.KERNEL32(003B070C,?,002F8747,003B2514), ref: 00300235
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
            • String ID: +T3$5$G$Variable must be of type 'Object'.
            • API String ID: 535116098-603792018
            • Opcode ID: d0efc1f7ecc489058a85cece6a240b03272ee34794c33d5e6d376fc5a3110596
            • Instruction ID: bd6aebdca05d4b6aaa665a5706667b1bb38aa337efdfb4f7ce72c823f902e8fd
            • Opcode Fuzzy Hash: d0efc1f7ecc489058a85cece6a240b03272ee34794c33d5e6d376fc5a3110596
            • Instruction Fuzzy Hash: 7191AA74A04209EFCB16EF54C891DBDB7B5FF49308F908459F806AB296DB31AE41CB51
            APIs
              • Part of subcall function 002E7620: _wcslen.LIBCMT ref: 002E7625
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0034C6EE
            • _wcslen.LIBCMT ref: 0034C735
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0034C79C
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0034C7CA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ItemMenu$Info_wcslen$Default
            • String ID: 0
            • API String ID: 1227352736-4108050209
            • Opcode ID: 7d4778c91cac65ee8d1dfc5865f878c63203854bb91814e06a7c9a91cfc5ee36
            • Instruction ID: 6fc7f1d7720ea19531ff7ecc83d346db4b2459c734575971301efc96a5c2e0d0
            • Opcode Fuzzy Hash: 7d4778c91cac65ee8d1dfc5865f878c63203854bb91814e06a7c9a91cfc5ee36
            • Instruction Fuzzy Hash: B45133716263009FD3929F28C894A6BBBE8AF45314F052A2DF995DB1A0DB70E804CF52
            APIs
            • ShellExecuteExW.SHELL32(0000003C), ref: 0036AEA3
              • Part of subcall function 002E7620: _wcslen.LIBCMT ref: 002E7625
            • GetProcessId.KERNEL32(00000000), ref: 0036AF38
            • CloseHandle.KERNEL32(00000000), ref: 0036AF67
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CloseExecuteHandleProcessShell_wcslen
            • String ID: <$@
            • API String ID: 146682121-1426351568
            • Opcode ID: e80c35e062cdeddb66f2cbc7bde4220270f616c4f9d83359cd9d23d2528fe5a1
            • Instruction ID: b34c2c70473c4164b364a81bcd9500de95c26623c2fb31d386ddd234df15a5eb
            • Opcode Fuzzy Hash: e80c35e062cdeddb66f2cbc7bde4220270f616c4f9d83359cd9d23d2528fe5a1
            • Instruction Fuzzy Hash: 6C718770A10A58DFCB15DF55C484A9EBBF0BF08300F448499E81AAB3A2C735ED51CFA1
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00347206
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0034723C
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0034724D
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003472CF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            • Opcode ID: 0c6c97e06a7e73671535de01ea396908756bc357c03c0788f943e335cb0d6e52
            • Instruction ID: 9af84b700ffba35d8b84f38e925393caacd9c278bfd22c2b5916236d918de31e
            • Opcode Fuzzy Hash: 0c6c97e06a7e73671535de01ea396908756bc357c03c0788f943e335cb0d6e52
            • Instruction Fuzzy Hash: 1A414F71A04204EFDB26CF64C885A9A7BE9EF45310F1584ADBD099F20AD7F5E944CBA0
            APIs
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00372F8D
            • LoadLibraryW.KERNEL32(?), ref: 00372F94
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00372FA9
            • DestroyWindow.USER32(?), ref: 00372FB1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend$DestroyLibraryLoadWindow
            • String ID: SysAnimate32
            • API String ID: 3529120543-1011021900
            • Opcode ID: f35bdf09abae30a3a5b7513d16e94587c52c35b4f2b82320d37820bec8131ed7
            • Instruction ID: 6ef17cedcaf65efbc23f9c02952f875ec7d96b38f0dd37f51385976a31c81302
            • Opcode Fuzzy Hash: f35bdf09abae30a3a5b7513d16e94587c52c35b4f2b82320d37820bec8131ed7
            • Instruction Fuzzy Hash: B521FD72200205ABEF324F64DC80EBB77BDEB59364F118618FA18D6090D335DC919B60
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00304D1E,003128E9,?,00304CBE,003128E9,003A88B8,0000000C,00304E15,003128E9,00000002), ref: 00304D8D
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00304DA0
            • FreeLibrary.KERNEL32(00000000,?,?,?,00304D1E,003128E9,?,00304CBE,003128E9,003A88B8,0000000C,00304E15,003128E9,00000002,00000000), ref: 00304DC3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: 3cb1d2f4c84d3a31c152a387af7b3a7b6ed1d8fb50a7b3f02fca198019f92984
            • Instruction ID: d044da1e80cb7994ca083d9bc4063071784d46b87ade0c05dd618127f5f443ce
            • Opcode Fuzzy Hash: 3cb1d2f4c84d3a31c152a387af7b3a7b6ed1d8fb50a7b3f02fca198019f92984
            • Instruction Fuzzy Hash: D5F04474651208BBDB169F90DC59BDDBBB9EF44751F4500A8F909A2191CB305A80CB91
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,002E4EDD,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E9C
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002E4EAE
            • FreeLibrary.KERNEL32(00000000,?,?,002E4EDD,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4EC0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-3689287502
            • Opcode ID: 832a663faafc56cdbabbfb08c4ff9bb3dace32736319efda88f79f10a44a8385
            • Instruction ID: 43caef7dc8762e7c5d544b080dde374244e26d9eca756922e7bdd3f85955475c
            • Opcode Fuzzy Hash: 832a663faafc56cdbabbfb08c4ff9bb3dace32736319efda88f79f10a44a8385
            • Instruction Fuzzy Hash: 5AE0CD35E615635BD2332F266C18B9FA69CAFC2F62F490129FC09D2100DB64CD4185A0
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00323CDE,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E62
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002E4E74
            • FreeLibrary.KERNEL32(00000000,?,?,00323CDE,?,003B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 002E4E87
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-1355242751
            • Opcode ID: 06b7e8d0ecc36e352e3f81f18ff185ed0fdb9b8e0fe3b3968d6590c6c879833a
            • Instruction ID: 9458a07ed78adbb75c63f7b5daccb2b466b267f5ca646fb41b126d1b99bfa7b2
            • Opcode Fuzzy Hash: 06b7e8d0ecc36e352e3f81f18ff185ed0fdb9b8e0fe3b3968d6590c6c879833a
            • Instruction Fuzzy Hash: DED0C2319626625746332F266C08DCFAA1CAF8AB1178D0128F809A2110CF30CD51C5D0
            APIs
            • GetCurrentProcessId.KERNEL32 ref: 0036A427
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0036A435
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0036A468
            • CloseHandle.KERNEL32(?), ref: 0036A63D
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Process$CloseCountersCurrentHandleOpen
            • String ID:
            • API String ID: 3488606520-0
            • Opcode ID: f17f85ce0d732e1a8b199488f66a9027f7a24ffb234db2b00b4d40d3494830c0
            • Instruction ID: ef02f88d1928897dc181cb9617a4a018dc421b794a1a883b61104b792da70106
            • Opcode Fuzzy Hash: f17f85ce0d732e1a8b199488f66a9027f7a24ffb234db2b00b4d40d3494830c0
            • Instruction Fuzzy Hash: 77A1E0716047009FD721DF24C886F2AB7E5AF84714F54881DFA9A9B392CBB0EC418F92
            APIs
            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00383700), ref: 0031BB91
            • WideCharToMultiByte.KERNEL32(00000000,00000000,003B121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0031BC09
            • WideCharToMultiByte.KERNEL32(00000000,00000000,003B1270,000000FF,?,0000003F,00000000,?), ref: 0031BC36
            • _free.LIBCMT ref: 0031BB7F
              • Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
              • Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0
            • _free.LIBCMT ref: 0031BD4B
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
            • String ID:
            • API String ID: 1286116820-0
            • Opcode ID: 7af70819150537515a9c77dee428f8d4160a6c9653f0fd19f55c4382a8bef170
            • Instruction ID: 76eddbfde9a1e0451ca52080949b6fca18aca5485d6c30afa67de6baba27aa4e
            • Opcode Fuzzy Hash: 7af70819150537515a9c77dee428f8d4160a6c9653f0fd19f55c4382a8bef170
            • Instruction Fuzzy Hash: 8D512B71900209AFCB1BEF65DC819EEF7BCEF49310F51466AE564DB291DB309D908B90
            APIs
              • Part of subcall function 0034DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0034CF22,?), ref: 0034DDFD
              • Part of subcall function 0034DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0034CF22,?), ref: 0034DE16
              • Part of subcall function 0034E199: GetFileAttributesW.KERNEL32(?,0034CF95), ref: 0034E19A
            • lstrcmpiW.KERNEL32(?,?), ref: 0034E473
            • MoveFileW.KERNEL32(?,?), ref: 0034E4AC
            • _wcslen.LIBCMT ref: 0034E5EB
            • _wcslen.LIBCMT ref: 0034E603
            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0034E650
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
            • String ID:
            • API String ID: 3183298772-0
            • Opcode ID: c2d0db89a2130684c606b05aac5c6d98610a72f80c993c6e7ffccd569837b712
            • Instruction ID: c2ee4f7240f8899b75792b6ef106d3309c98f2f9148664a43a0a19c7449616d3
            • Opcode Fuzzy Hash: c2d0db89a2130684c606b05aac5c6d98610a72f80c993c6e7ffccd569837b712
            • Instruction Fuzzy Hash: 9F5163B24083859BC736EB90DC919DB73DCAF85340F40491EF589DB191EF74B6888B66
            APIs
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
              • Part of subcall function 0036C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0036B6AE,?,?), ref: 0036C9B5
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036C9F1
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA68
              • Part of subcall function 0036C998: _wcslen.LIBCMT ref: 0036CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036BAA5
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0036BB00
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0036BB63
            • RegCloseKey.ADVAPI32(?,?), ref: 0036BBA6
            • RegCloseKey.ADVAPI32(00000000), ref: 0036BBB3
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
            • String ID:
            • API String ID: 826366716-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00348BCD
            • VariantClear.OLEAUT32 ref: 00348C3E
            • VariantClear.OLEAUT32 ref: 00348C9D
            • VariantClear.OLEAUT32(?), ref: 00348D10
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00348D3B
            Similarity
            • API ID: Variant$Clear$ChangeInitType
            • String ID:
            • API String ID: 4136290138-0
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00358BAE
            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00358BDA
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00358C32
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00358C57
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00358C5F
            Similarity
            • API ID: PrivateProfile$SectionWrite$String
            • String ID:
            • API String ID: 2832842796-0
            APIs
            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00368F40
            • GetProcAddress.KERNEL32(00000000,?), ref: 00368FD0
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00368FEC
            • GetProcAddress.KERNEL32(00000000,?), ref: 00369032
            • FreeLibrary.KERNEL32(00000000), ref: 00369052
              • Part of subcall function 002FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00351043,?,75C0E610), ref: 002FF6E6
              • Part of subcall function 002FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0033FA64,00000000,00000000,?,?,00351043,?,75C0E610,?,0033FA64), ref: 002FF70D
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
            • String ID:
            • API String ID: 666041331-0
            APIs
            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00376C33
            • SetWindowLongW.USER32(?,000000EC,?), ref: 00376C4A
            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00376C73
            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0035AB79,00000000,00000000), ref: 00376C98
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00376CC7
            Similarity
            • API ID: Window$Long$MessageSendShow
            • String ID:
            • API String ID: 3688381893-0
            APIs
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            APIs
            • GetCursorPos.USER32(?), ref: 002F9141
            • ScreenToClient.USER32(00000000,?), ref: 002F915E
            • GetAsyncKeyState.USER32(00000001), ref: 002F9183
            • GetAsyncKeyState.USER32(00000002), ref: 002F919D
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            APIs
            • GetInputState.USER32 ref: 003538CB
            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00353922
            • TranslateMessage.USER32(?), ref: 0035394B
            • DispatchMessageW.USER32(?), ref: 00353955
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00353966
            Similarity
            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
            • String ID:
            • API String ID: 2256411358-0
            APIs
            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0035CF38
            • InternetReadFile.WININET(?,00000000,?,?), ref: 0035CF6F
            • GetLastError.KERNEL32(?,00000000,?,?,?,0035C21E,00000000), ref: 0035CFB4
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0035C21E,00000000), ref: 0035CFC8
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,0035C21E,00000000), ref: 0035CFF2
            Similarity
            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
            • String ID:
            • API String ID: 3191363074-0
            APIs
            • GetWindowRect.USER32(?,?), ref: 00341915
            • PostMessageW.USER32(00000001,00000201,00000001), ref: 003419C1
            • Sleep.KERNEL32(00000000,?,?,?), ref: 003419C9
            • PostMessageW.USER32(00000001,00000202,00000000), ref: 003419DA
            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 003419E2
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            APIs
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00375745
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 0037579D
            • _wcslen.LIBCMT ref: 003757AF
            • _wcslen.LIBCMT ref: 003757BA
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00375816
            Similarity
            • API ID: MessageSend$_wcslen
            • String ID:
            • API String ID: 763830540-0
            APIs
            • IsWindow.USER32(00000000), ref: 00360951
            • GetForegroundWindow.USER32 ref: 00360968
            • GetDC.USER32(00000000), ref: 003609A4
            • GetPixel.GDI32(00000000,?,00000003), ref: 003609B0
            • ReleaseDC.USER32(00000000,00000003), ref: 003609E8
            Similarity
            • API ID: Window$ForegroundPixelRelease
            • String ID:
            • API String ID: 4156661090-0
            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 0031CDC6
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0031CDE9
              • Part of subcall function 00313820: RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0031CE0F
            • _free.LIBCMT ref: 0031CE22
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0031CE31
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
            • String ID:
            • API String ID: 336800556-0
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002F9693
            • SelectObject.GDI32(?,00000000), ref: 002F96A2
            • BeginPath.GDI32(?), ref: 002F96B9
            • SelectObject.GDI32(?,00000000), ref: 002F96E2
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            APIs
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            APIs
            • GetLastError.KERNEL32(?,?,?,0030F2DE,00313863,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6), ref: 00312DFD
            • _free.LIBCMT ref: 00312E32
            • _free.LIBCMT ref: 00312E59
            • SetLastError.KERNEL32(00000000,002E1129), ref: 00312E66
            • SetLastError.KERNEL32(00000000,002E1129), ref: 00312E6F
            Similarity
            • API ID: ErrorLast$_free
            • String ID:
            • API String ID: 3170660625-0
            APIs
            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?,?,0034035E), ref: 0034002B
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340046
            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340054
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?), ref: 00340064
            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0033FF41,80070057,?,?), ref: 00340070
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            APIs
            • QueryPerformanceCounter.KERNEL32(?), ref: 0034E997
            • QueryPerformanceFrequency.KERNEL32(?), ref: 0034E9A5
            • Sleep.KERNEL32(00000000), ref: 0034E9AD
            • QueryPerformanceCounter.KERNEL32(?), ref: 0034E9B7
            • Sleep.KERNEL32 ref: 0034E9F3
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: 8e7b1595139e5de155e45b154ef2bd99dd53780143faf13300e08428ebe3b6a5
            • Instruction ID: 08bb9f24f2ae7c4daed7da61a2138d8c4511268240bcf30c20814d5bf8068513
            • Opcode Fuzzy Hash: 8e7b1595139e5de155e45b154ef2bd99dd53780143faf13300e08428ebe3b6a5
            • Instruction Fuzzy Hash: 26016931C11629DBCF12AFE4DC49AEDBBBCFF08310F41055AE502B6281CB38A590CBA1
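The API sequence in the entry above (QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter, Sleep) is the shape of an execution-timing check: the caller reads a high-resolution counter on both sides of a Sleep and compares the measured delay with the requested one, which exposes an analysis environment that stubs out Sleep without also moving the timer it exposes. The Python below is an added example, not code from the sample, from AutoIt or from Joe Sandbox; it models the check with time.perf_counter in place of the performance counter, and the FakeSandboxClock class is a constructed stand-in for a sandbox that hooks Sleep. The 50 % tolerance and the function names are assumptions made for the demonstration.

```python
import time


def timed_sleep(seconds, sleep_fn=time.sleep, clock=time.perf_counter):
    """Model of the listed API sequence: read the high-resolution counter,
    sleep, read it again. Returns (requested, measured) in seconds.
    time.perf_counter stands in for QueryPerformanceCounter/Frequency."""
    start = clock()
    sleep_fn(seconds)
    return seconds, clock() - start


def sleep_was_skipped(requested, measured, tolerance=0.5):
    """True when far less time elapsed than was requested, which is what a
    sandbox that stubs out Sleep (but not the timer) produces. The 50 %
    tolerance is an assumption chosen to absorb scheduler jitter."""
    return measured < requested * (1.0 - tolerance)


class FakeSandboxClock:
    """Constructed stand-in for an analysis environment that hooks Sleep.
    If it also advances the counter the sample reads, the check above is
    blind to the hook; if it only skips the wait, the check fires."""

    def __init__(self, advance_counter_on_sleep):
        self.now = 0.0
        self.advance = advance_counter_on_sleep

    def sleep(self, seconds):
        # Never actually waits; optionally keeps the counter coherent.
        if self.advance:
            self.now += seconds

    def perf_counter(self):
        return self.now


def check_environment(seconds=0.05, sleep_fn=time.sleep, clock=time.perf_counter):
    """Run one timing probe and report whether the delay looked skipped."""
    requested, measured = timed_sleep(seconds, sleep_fn, clock)
    return sleep_was_skipped(requested, measured)


if __name__ == "__main__":
    print("real sleep, real counter   -> skipped:", check_environment())
    skip_only = FakeSandboxClock(advance_counter_on_sleep=False)
    print("hooked sleep, real counter -> skipped:",
          check_environment(1.0, skip_only.sleep, skip_only.perf_counter))
    coherent = FakeSandboxClock(advance_counter_on_sleep=True)
    print("hooked sleep and counter   -> skipped:",
          check_environment(1.0, coherent.sleep, coherent.perf_counter))
```

The third case is the one that matters for sandbox operators: skipping the wait alone is visible to a sample that cross-checks the performance counter, so a sleep hook has to fast-forward every clock source the sample can read, not just Sleep.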
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00341114
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341120
            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 0034112F
            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00340B9B,?,?,?), ref: 00341136
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0034114D
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: 3b7eefe6cab9493e4b8f247c47937a4112b64c2b6b047d54aee160f2daeccc8c
            • Instruction ID: daa41479aa2d4c21e2437e4ee1b479554971de9e7ea68921c7ce42444b6078ee
            • Opcode Fuzzy Hash: 3b7eefe6cab9493e4b8f247c47937a4112b64c2b6b047d54aee160f2daeccc8c
            • Instruction Fuzzy Hash: 5E018175100605BFDB224F64DC49E6A3FAEEF89361F110428FA45C7350DB31DC80CA60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00340FCA
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00340FD6
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00340FE5
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00340FEC
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00341002
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: c2b02319a58f10913099a30519a82dfd7c785661c6693ea7e565a4f2b5de0742
            • Instruction ID: 2c84b372c7feeb47978edd90d04f4f934783bf1f98e34d00179a6fb44c93a63b
            • Opcode Fuzzy Hash: c2b02319a58f10913099a30519a82dfd7c785661c6693ea7e565a4f2b5de0742
            • Instruction Fuzzy Hash: A8F06D39210701EBDB224FA4EC4DF563FADEF89762F514428FA49DB251CA70EC808A60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0034102A
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00341036
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00341045
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0034104C
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00341062
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 8b2f18b7974d720c6f9454d8abd3ae3e55ea3b0646af8044c1d0b1d4c927bf42
            • Instruction ID: 24118a56bf5752a42f8f291a18c280b04d17df0d2b193e315ff58697da5d76b6
            • Opcode Fuzzy Hash: 8b2f18b7974d720c6f9454d8abd3ae3e55ea3b0646af8044c1d0b1d4c927bf42
            • Instruction Fuzzy Hash: 76F06D39210701EBDB235FA4EC49F563BADEF89761F110428FA49DB260CA70E8908A60
            APIs
            • CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 00350324
            • CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 00350331
            • CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 0035033E
            • CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 0035034B
            • CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 00350358
            • CloseHandle.KERNEL32(?,?,?,?,0035017D,?,003532FC,?,00000001,00322592,?), ref: 00350365
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            • Opcode ID: 6ec9c36572974b26240f34efaef307a9a0e41b3354167e581255882157b5a2d1
            • Instruction ID: b562b646f7a4fcf7ba52bdb5ea24a3424e03d50fbe1bf39b3cf0cb53d042df19
            • Opcode Fuzzy Hash: 6ec9c36572974b26240f34efaef307a9a0e41b3354167e581255882157b5a2d1
            • Instruction Fuzzy Hash: 1901A276800B159FC7369F66D880816F7F9BF503163168A3FD19652931C372A958CF80
            APIs
            • _free.LIBCMT ref: 0031D752
              • Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
              • Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0
            • _free.LIBCMT ref: 0031D764
            • _free.LIBCMT ref: 0031D776
            • _free.LIBCMT ref: 0031D788
            • _free.LIBCMT ref: 0031D79A
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: a65de244a2963f22eb9faef8e510b760f4b94ff15f8be3665617485bb5b80ed1
            • Instruction ID: a379690ab40aad581f66db80e2faa38db39bb69d14ceca69470a2a400226bb6d
            • Opcode Fuzzy Hash: a65de244a2963f22eb9faef8e510b760f4b94ff15f8be3665617485bb5b80ed1
            • Instruction Fuzzy Hash: 2EF0FF32554214ABC62BEF68F9C5C9777DDBB4E720B951809F048DB541CB24FCE086A4
            APIs
            • _free.LIBCMT ref: 003122BE
              • Part of subcall function 003129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000), ref: 003129DE
              • Part of subcall function 003129C8: GetLastError.KERNEL32(00000000,?,0031D7D1,00000000,00000000,00000000,00000000,?,0031D7F8,00000000,00000007,00000000,?,0031DBF5,00000000,00000000), ref: 003129F0
            • _free.LIBCMT ref: 003122D0
            • _free.LIBCMT ref: 003122E3
            • _free.LIBCMT ref: 003122F4
            • _free.LIBCMT ref: 00312305
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: d858ebe5630f00ed999b26766ff03259773b205620cdc032b0a1c5f77593ff7b
            • Instruction ID: e3cd55ff419511e1bae95254a6d156e2948a46de31399e41138ea1c07ec8de43
            • Opcode Fuzzy Hash: d858ebe5630f00ed999b26766ff03259773b205620cdc032b0a1c5f77593ff7b
            • Instruction Fuzzy Hash: 71F05E759101248B862BAF58BC018AE3B6CF71E764F451B0AF510DE3B1C73548B1AFE5
            APIs
            • EndPath.GDI32(?), ref: 002F95D4
            • StrokeAndFillPath.GDI32(?,?,003371F7,00000000,?,?,?), ref: 002F95F0
            • SelectObject.GDI32(?,00000000), ref: 002F9603
            • DeleteObject.GDI32 ref: 002F9616
            • StrokePath.GDI32(?), ref: 002F9631
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: 28fe92ec5ea58e8a92c4f00aed98c5ccd3de701672733b92a6d44b024c1cba0d
            • Instruction ID: 7a02b65d253dd9586a92475c62cd972cae7d2bd17813cdab9858dcd1ce174b35
            • Opcode Fuzzy Hash: 28fe92ec5ea58e8a92c4f00aed98c5ccd3de701672733b92a6d44b024c1cba0d
            • Instruction Fuzzy Hash: 1DF01931025249EBDB235F65ED287A43B6DAB0036AF948328F629950F0C73089E1DFA0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: __freea$_free
            • String ID: a/p$am/pm
            • API String ID: 3432400110-3206640213
            • Opcode ID: 270acd24ec2f7dce4ba4f50c3d96d220e80cabfdfbf9f1f56e601c811b6f2d2f
            • Instruction ID: 5adb8e63a346e705c2359aec1c5df27f8ba2298e7df781fb204a7c63385203f0
            • Opcode Fuzzy Hash: 270acd24ec2f7dce4ba4f50c3d96d220e80cabfdfbf9f1f56e601c811b6f2d2f
            • Instruction Fuzzy Hash: 05D11239900206DACB2F9F68C845BFAB7B5EF0D300F290569EB119BA58D3759DC1CB91
            APIs
              • Part of subcall function 00300242: EnterCriticalSection.KERNEL32(003B070C,003B1884,?,?,002F198B,003B2518,?,?,?,002E12F9,00000000), ref: 0030024D
              • Part of subcall function 00300242: LeaveCriticalSection.KERNEL32(003B070C,?,002F198B,003B2518,?,?,?,002E12F9,00000000), ref: 0030028A
              • Part of subcall function 003000A3: __onexit.LIBCMT ref: 003000A9
            • __Init_thread_footer.LIBCMT ref: 00366238
              • Part of subcall function 003001F8: EnterCriticalSection.KERNEL32(003B070C,?,?,002F8747,003B2514), ref: 00300202
              • Part of subcall function 003001F8: LeaveCriticalSection.KERNEL32(003B070C,?,002F8747,003B2514), ref: 00300235
              • Part of subcall function 0035359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003535E4
              • Part of subcall function 0035359C: LoadStringW.USER32(003B2390,?,00000FFF,?), ref: 0035360A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
            • String ID: x#;$x#;$x#;
            • API String ID: 1072379062-2819258285
            • Opcode ID: 7f17d150156f89f7a845a5f7c9d8d15e49eef52f51a74af4954c0363ec3ade23
            • Instruction ID: b976e71dd6e26d2c3b1bf06ca327d20db5b27c52c9b3b317f4cff0036d6d9e5c
            • Opcode Fuzzy Hash: 7f17d150156f89f7a845a5f7c9d8d15e49eef52f51a74af4954c0363ec3ade23
            • Instruction Fuzzy Hash: DDC1A371A00109AFCB16DF58C892EBEB7B9FF49340F11846AFA059B295DB70ED45CB90
            APIs
            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00318B6E
            • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00318B7A
            • __dosmaperr.LIBCMT ref: 00318B81
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ByteCharErrorLastMultiWide__dosmaperr
            • String ID: .0
            • API String ID: 2434981716-2407493218
            • Opcode ID: a624466c89467df41ff884fd61862ef5ef503ccace8f52f29af9203d31a14349
            • Instruction ID: 866c39b7c19d1d775dc77ff6fbfbffd056024c941e959f6a3c47dada23b7d0e2
            • Opcode Fuzzy Hash: a624466c89467df41ff884fd61862ef5ef503ccace8f52f29af9203d31a14349
            • Instruction Fuzzy Hash: E7416070608145AFDB2F9F14CC90AF97FA9DF4D304F198569F44587542DE318C839758
            APIs
              • Part of subcall function 0034B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003421D0,?,?,00000034,00000800,?,00000034), ref: 0034B42D
            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00342760
              • Part of subcall function 0034B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0034B3F8
              • Part of subcall function 0034B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0034B355
              • Part of subcall function 0034B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00342194,00000034,?,?,00001004,00000000,00000000), ref: 0034B365
              • Part of subcall function 0034B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00342194,00000034,?,?,00001004,00000000,00000000), ref: 0034B37B
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003427CD
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0034281A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
            • String ID: @
            • API String ID: 4150878124-2766056989
            • Opcode ID: 6f3535a2f1345b059c19d196b0b1ad528b1cb86ed14b30aa4c0eba2b69b105f6
            • Instruction ID: f019f0ab06eb3d33f3c6eb6453d45e53fa539086e1c524ecf94f3d409b92d93f
            • Opcode Fuzzy Hash: 6f3535a2f1345b059c19d196b0b1ad528b1cb86ed14b30aa4c0eba2b69b105f6
            • Instruction Fuzzy Hash: 8E411F76900218AFDB11DFA4CD85ADEBBB8EF05700F104099FA55BB181DB71BE85CB61
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4iDSIZ8MhI.exe,00000104), ref: 00311769
            • _free.LIBCMT ref: 00311834
            • _free.LIBCMT ref: 0031183E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _free$FileModuleName
            • String ID: C:\Users\user\Desktop\4iDSIZ8MhI.exe
            • API String ID: 2506810119-4072921816
            • Opcode ID: f14776f28874aa32b5f2d4bac75c2a696572d0debbc4c2eb6285ac406b3d9ba6
            • Instruction ID: 72abb55e937e858beb15e063078c17482032c0a03007b971e454194484dbc758
            • Opcode Fuzzy Hash: f14776f28874aa32b5f2d4bac75c2a696572d0debbc4c2eb6285ac406b3d9ba6
            • Instruction Fuzzy Hash: AB318D75A00218AFDB2BDF999881DDEBBBCEB89310F514166EA049B251D6708A80CB90
            APIs
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0034C306
            • DeleteMenu.USER32(?,00000007,00000000), ref: 0034C34C
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003B1990,01364B50), ref: 0034C395
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem
            • String ID: 0
            • API String ID: 135850232-4108050209
            • Opcode ID: 03d02ea923e08de50b9f965ba9af029a7e645d4078ece5618530d49ecd023b95
            • Instruction ID: c6c40f6ebdde31107dc80bb08c8fc1075868981b79b5efe0d8317ee06accd1e6
            • Opcode Fuzzy Hash: 03d02ea923e08de50b9f965ba9af029a7e645d4078ece5618530d49ecd023b95
            • Instruction Fuzzy Hash: 3C41D2392163019FD722DF25D844B1ABBE8AF85320F009A5DF9A59B2D1D734FC04CB62
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0037CC08,00000000,?,?,?,?), ref: 003744AA
            • GetWindowLongW.USER32 ref: 003744C7
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003744D7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: b509c85a03f157e87b6c51fc22bf67a5728623d3e642640d6c7cdc0d04b6f2d2
            • Instruction ID: d8e005b53836267b4b0ceaff4379186bd8b8f7b3959b360f87d652a905e5d319
            • Opcode Fuzzy Hash: b509c85a03f157e87b6c51fc22bf67a5728623d3e642640d6c7cdc0d04b6f2d2
            • Instruction Fuzzy Hash: 0B31A231210209AFDF228F39DC45BEA77A9EB09334F218719F979921E0DB75EC909B50
            APIs
            • SysReAllocString.OLEAUT32(?,?), ref: 00346EED
            • VariantCopyInd.OLEAUT32(?,?), ref: 00346F08
            • VariantClear.OLEAUT32(?), ref: 00346F12
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Variant$AllocClearCopyString
            • String ID: *j4
            • API String ID: 2173805711-1950182844
            • Opcode ID: 7e1284701b6ed37ecda8590f1792dda893cb2d2c6752af2d325e2a3ddeca7010
            • Instruction ID: 4f1e69ba6593ab4059f36999774cb30473041cabff6407f657c1167d752ad70e
            • Opcode Fuzzy Hash: 7e1284701b6ed37ecda8590f1792dda893cb2d2c6752af2d325e2a3ddeca7010
            • Instruction Fuzzy Hash: 1E31B371614245DFCB07AF65E8929BE37B9EF46304B5014A8F9824F2A1C730A925DBD2
            APIs
              • Part of subcall function 0036335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00363077,?,?), ref: 00363378
            • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0036307A
            • _wcslen.LIBCMT ref: 0036309B
            • htons.WSOCK32(00000000,?,?,00000000), ref: 00363106
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 946324512-2422070025
            • Opcode ID: 31ffcc805e5b4cf924e1d14e49084dbbc061596542c434d0eb26f73d5ff170c7
            • Instruction ID: f514cc81a17e5e53cf309e60c50cd44073d38b020e4d03887e5c4223351eede9
            • Opcode Fuzzy Hash: 31ffcc805e5b4cf924e1d14e49084dbbc061596542c434d0eb26f73d5ff170c7
            • Instruction Fuzzy Hash: 6931F3392042019FCB22DF28C485EAA77E0EF15318F25C059E9168F396CB32EF85CB61
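The 255.255.255.255 literal sitting next to inet_addr in the entry above is consistent with a well-known inet_addr caveat: the routine returns INADDR_NONE (0xFFFFFFFF) both for an unparsable string and for the valid limited-broadcast address, so a caller that needs to tell the two apart has to compare the input text against "255.255.255.255" before treating the return value as a failure. The Python below is an added example, not code from the sample, from AutoIt or from Joe Sandbox; it reproduces that disambiguation with socket.inet_aton standing in for inet_addr (the assumption being that its lenient dotted-quad parsing is close enough for the demonstration) and ipaddress for a strict parse. The helper names and the constructed sample inputs are my own.

```python
import ipaddress
import socket
import struct

INADDR_NONE = 0xFFFFFFFF  # inet_addr's failure value, also the broadcast address


def inet_addr(text):
    """Stand-in for Win32 inet_addr: dotted-quad string -> 32-bit integer
    (host order), or INADDR_NONE when the text does not parse. The lenient
    parsing comes from socket.inet_aton (assumption: close enough to the
    Win32 routine for this demonstration)."""
    try:
        return struct.unpack("!I", socket.inet_aton(text))[0]
    except OSError:
        return INADDR_NONE


def naive_resolve(text):
    """What a careless caller does: treat INADDR_NONE as failure.
    This wrongly rejects the legitimate broadcast address."""
    value = inet_addr(text)
    return None if value == INADDR_NONE else value


def resolve_ipv4(text):
    """Disambiguate the way the listed function appears to: INADDR_NONE is
    only a valid result when the input was literally the broadcast address."""
    value = inet_addr(text)
    if value == INADDR_NONE and text != "255.255.255.255":
        return None
    return value


def strict_ipv4(text):
    """Strict four-octet parse via ipaddress. It rejects shorthand forms such
    as "127.1" that inet_addr-style parsers accept, which matters whenever the
    same string is also compared against an allow-list as text."""
    try:
        return int(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return None


if __name__ == "__main__":
    # Constructed inputs: a normal host, the broadcast address, garbage, shorthand.
    for sample in ("10.0.0.1", "255.255.255.255", "not-an-address", "127.1"):
        print(f"{sample!r:20} naive={naive_resolve(sample)} "
              f"fixed={resolve_ipv4(sample)} strict={strict_ipv4(sample)}")
```

The practical takeaway for anyone writing a detection or a parser around this API: never key a decision on the INADDR_NONE value alone, and prefer a strict parser when the address string is later used for comparison, because lenient parsers and string comparison disagree on shorthand forms.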
            APIs
            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00374705
            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00374713
            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0037471A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            • Associated: 00000000.00000002.1256764837.00000000002E0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.000000000037C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256825091.00000000003A2000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256861541.00000000003AC000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1256875495.00000000003B4000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend$DestroyWindow
            • String ID: msctls_updown32
            • API String ID: 4014797782-2298589950
            • Opcode ID: f61c62881aa872e6393d98bf3163f1f1ca21e10ec043180ab6da8b76d12d462a
            • Instruction ID: fed0cec4c109ad22a7bd6da42782847c356fc7abcf5726a1ac7470b1269ea8a4
            • Opcode Fuzzy Hash: f61c62881aa872e6393d98bf3163f1f1ca21e10ec043180ab6da8b76d12d462a
            • Instruction Fuzzy Hash: A02190B5600248AFDB22DF64DCD1DA737ADEB9A398B454149FA149B251CB34FC11CBA0
            APIs
            Strings
            Similarity
            • API ID: _wcslen
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 176396367-2734436370
            • Opcode ID: c58cafc9fb20552ab0d658397bfa265e0e629ab3324fcb5bc72e760c2ad082ed
            • Instruction ID: 527c4abf908af8675255f68dd997c503b2eb3394eb662656cc5e8bde88590193
            • Opcode Fuzzy Hash: c58cafc9fb20552ab0d658397bfa265e0e629ab3324fcb5bc72e760c2ad082ed
            • Instruction Fuzzy Hash: E121577224461066D333AB25EC12FBBB3DCAF91320F52802BF9499F081EB59BD95C695
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00373840
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00373850
            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00373876
            Strings
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: de9cb072d80b34f84fc0abb58c70e86047c8e71e13c7738180f7797d3eb334d4
            • Instruction ID: c6898663faad883b335ce9201f84a9d4cfeb7115fb7f05afc2d997717f048a41
            • Opcode Fuzzy Hash: de9cb072d80b34f84fc0abb58c70e86047c8e71e13c7738180f7797d3eb334d4
            • Instruction Fuzzy Hash: C121D472650118BBEF228F54CC85FBB376EEF89750F11C114F9189B190C675DC5297A0
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00354A08
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00354A5C
            • SetErrorMode.KERNEL32(00000000,?,?,0037CC08), ref: 00354AD0
            Strings
            Similarity
            • API ID: ErrorMode$InformationVolume
            • String ID: %lu
            • API String ID: 2507767853-685833217
            • Opcode ID: d051fe7bfb91e13debc42ac2d837385411d7f71e654c670a5fcc71583f40a272
            • Instruction ID: f4e33f1830382147c6a0f0ba7c48d3a3a5e87c8807af6172c1d074f2e3f27377
            • Opcode Fuzzy Hash: d051fe7bfb91e13debc42ac2d837385411d7f71e654c670a5fcc71583f40a272
            • Instruction Fuzzy Hash: 83316F71A00109AFDB11DF64C985EAA7BF8EF08308F1480A9F909DB262D771ED85CF61
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0037424F
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00374264
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00374271
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: e55992af0a0cc5813989ac159f1a42947d81d4f8124e4d83986a1c672466c851
            • Instruction ID: 427edc0faa3f5324b6d6bf9d5af5dbbff659d24bb054df97cb650a671121c281
            • Opcode Fuzzy Hash: e55992af0a0cc5813989ac159f1a42947d81d4f8124e4d83986a1c672466c851
            • Instruction Fuzzy Hash: B2112331240248BEEF325F28CC06FAB3BACEF85B54F124518FA58E2090C371EC219B10
            APIs
              • Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A
              • Part of subcall function 00342DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00342DC5
              • Part of subcall function 00342DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00342DD6
              • Part of subcall function 00342DA7: GetCurrentThreadId.KERNEL32 ref: 00342DDD
              • Part of subcall function 00342DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00342DE4
            • GetFocus.USER32 ref: 00342F78
              • Part of subcall function 00342DEE: GetParent.USER32(00000000), ref: 00342DF9
            • GetClassNameW.USER32(?,?,00000100), ref: 00342FC3
            • EnumChildWindows.USER32(?,0034303B), ref: 00342FEB
            Strings
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
            • String ID: %s%d
            • API String ID: 1272988791-1110647743
            • Opcode ID: f017759e6ee0c751c08d99cd8a6f8a1bce0fde751d7878af418135026fa2b88c
            • Instruction ID: f012c1ce138bd1030b2854cd11f8391cb44c520aac15ecfc806dec1da89883c0
            • Opcode Fuzzy Hash: f017759e6ee0c751c08d99cd8a6f8a1bce0fde751d7878af418135026fa2b88c
            • Instruction Fuzzy Hash: 7511B4716002056BCF167F748CC5EEE37AAEF95314F044079F919AF152DE30A9458B60
            APIs
            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003758C1
            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003758EE
            • DrawMenuBar.USER32(?), ref: 003758FD
            Strings
            Similarity
            • API ID: Menu$InfoItem$Draw
            • String ID: 0
            • API String ID: 3227129158-4108050209
            • Opcode ID: 296b200837aa0ba7ec91271d7d814a44027170aafc0fc7ed86a9083664851848
            • Instruction ID: e3af92267db989c84fd8dedaca6cfe83608aa9abc2ddf820a7ed699312ee63db
            • Opcode Fuzzy Hash: 296b200837aa0ba7ec91271d7d814a44027170aafc0fc7ed86a9083664851848
            • Instruction Fuzzy Hash: 8A018B32510208EEDB269F12DC44BAEBBB8FF46360F00C0A9E94DD6151DB748A94DF20
            APIs
            • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0033D3BF
            • FreeLibrary.KERNEL32 ref: 0033D3E5
            Strings
            Similarity
            • API ID: AddressFreeLibraryProc
            • String ID: GetSystemWow64DirectoryW$X64
            • API String ID: 3013587201-2590602151
            • Opcode ID: 8d30eab0ba10bf7902e929877be0485d19fa58043261b52a593b6792ef393ea8
            • Instruction ID: 3745c8b0a651343337a0b20c6e17c3fe2aae1b03a3ac613d1ac132eca9655f68
            • Opcode Fuzzy Hash: 8d30eab0ba10bf7902e929877be0485d19fa58043261b52a593b6792ef393ea8
            • Instruction Fuzzy Hash: 41F0A37D91562197D37302105CD49AE73189F10701F95953DF407E2404DB30CD808782
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 257619a4ef9bdedd562d525b877074e9f52ddfe4b8b26a407513750df22a7dcf
            • Instruction ID: 6f47e196d714712bf60f9e76989b2ddccd740c86b2e55b932af8552047d91b69
            • Opcode Fuzzy Hash: 257619a4ef9bdedd562d525b877074e9f52ddfe4b8b26a407513750df22a7dcf
            • Instruction Fuzzy Hash: 1CC13979A00206AFDB19CFA4C894AAEBBB5FF48704F118598E605EF251D771EE41CB90
            APIs
            Similarity
            • API ID: Variant$ClearInitInitializeUninitialize
            • String ID:
            • API String ID: 1998397398-0
            • Opcode ID: 0b734d5891d0ed91b8c833ebeec481e5d450dac64a9678450ae75f015b3029b0
            • Instruction ID: 67c12a59012dfb2cf8a3fd76e77c6ce878b67f82668909a18ba9cb200a074faa
            • Opcode Fuzzy Hash: 0b734d5891d0ed91b8c833ebeec481e5d450dac64a9678450ae75f015b3029b0
            • Instruction Fuzzy Hash: CBA145752147009FC711DF29C485A2ABBE9EF89314F45885DF98A9B366DB30EE01CF91
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0037FC08,?), ref: 003405F0
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0037FC08,?), ref: 00340608
            • CLSIDFromProgID.OLE32(?,?,00000000,0037CC40,000000FF,?,00000000,00000800,00000000,?,0037FC08,?), ref: 0034062D
            • _memcmp.LIBVCRUNTIME ref: 0034064E
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID:
            • API String ID: 314563124-0
            • Opcode ID: 4a000a7a375cd49dffa6b90e815057693551d5971a5007ef1f2ef47ff146e879
            • Instruction ID: 2c2f48fdd2f74eb91a2b042d860ca1ea617d01f6ee7de350e4ec42b49df10300
            • Opcode Fuzzy Hash: 4a000a7a375cd49dffa6b90e815057693551d5971a5007ef1f2ef47ff146e879
            • Instruction Fuzzy Hash: F5811871A00109EFCB05DF94C984EEEB7B9FF89315F214598E606AB250DB71AE46CF60
            APIs
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: d9544ae6adf6689f280853b5a71a0b6c18724f0a68043b254105a560940fdc24
            • Instruction ID: 3182aecc99db8db865c1f398a4fd4de1e7255bb35eef643ded39adbcd9f25c9c
            • Opcode Fuzzy Hash: d9544ae6adf6689f280853b5a71a0b6c18724f0a68043b254105a560940fdc24
            • Instruction Fuzzy Hash: 9C415B35A00120ABDB37BBBEBD456AE3AB8EF66730F254626F41CDA1D1E63448815361
            APIs
            • GetWindowRect.USER32(0136E158,?), ref: 003762E2
            • ScreenToClient.USER32(?,?), ref: 00376315
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00376382
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: 267893326064b418f457111aa2380bc727cf6e01b92b951e55a19e6649036f2c
            • Instruction ID: 804fb325f8718aaf5adda179cbac11405c48d241ee8c85d3a0147599d00ba28c
            • Opcode Fuzzy Hash: 267893326064b418f457111aa2380bc727cf6e01b92b951e55a19e6649036f2c
            • Instruction Fuzzy Hash: 3E516C34A00649EFDB22CF64D8919AE7BB5EF45324F118259F8199B2A0D734ED81CB90
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 00361AFD
            • WSAGetLastError.WSOCK32 ref: 00361B0B
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00361B8A
            • WSAGetLastError.WSOCK32 ref: 00361B94
            Similarity
            • API ID: ErrorLast$socket
            • String ID:
            • API String ID: 1881357543-0
            • Opcode ID: 7fab1b1d1db8aeceff2b374d7b7c4858766982f9a8600e0cff802bee3a735a32
            • Instruction ID: f38f5d9c8394a1bd047bf25c22492f0917ee341a9fbea5a3fc11bfe10401fc17
            • Opcode Fuzzy Hash: 7fab1b1d1db8aeceff2b374d7b7c4858766982f9a8600e0cff802bee3a735a32
            • Instruction Fuzzy Hash: 0A4191346402006FE721AF25C886F2A77E5AB44718F98C458FA1A9F7D3D772DD518B90
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 664e6759ea102690dfe28bbe850b43d27ba5f3594e5de2e4ec74e5101bac7a29
            • Instruction ID: b7ab683c8e2d8e0014aecbfd6af33d767ef407bbdff4bd311d224aeaed532557
            • Opcode Fuzzy Hash: 664e6759ea102690dfe28bbe850b43d27ba5f3594e5de2e4ec74e5101bac7a29
            • Instruction Fuzzy Hash: 78410475A00314AFD72AAF79CC41BAABBA9EF8C710F10852EF141DF682D77199818790
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00355783
            • GetLastError.KERNEL32(?,00000000), ref: 003557A9
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003557CE
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003557FA
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: 7fbbf3d27e05d075f6c047ee97411b9cb12334f20050d2b46ac7b4f34088cdfa
            • Instruction ID: 39b47c49911a20f722293d2d413149c307de1ea38c9d2afc6a401a36251ff9ee
            • Opcode Fuzzy Hash: 7fbbf3d27e05d075f6c047ee97411b9cb12334f20050d2b46ac7b4f34088cdfa
            • Instruction Fuzzy Hash: 96412B39610A50DFCB11DF15C444A1EBBE2AF89321B598888EC4AAB372CB34FD55CF91
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,?,00306D71,00000000,00000000,003082D9,?,003082D9,?,00000001,00306D71,?,00000001,003082D9,003082D9), ref: 0031D910
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0031D999
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0031D9AB
            • __freea.LIBCMT ref: 0031D9B4
              • Part of subcall function 00313820: RtlAllocateHeap.NTDLL(00000000,?,003B1444,?,002FFDF5,?,?,002EA976,00000010,003B1440,002E13FC,?,002E13C6,?,002E1129), ref: 00313852
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
            • String ID:
            • API String ID: 2652629310-0
            • Opcode ID: a2970d6420ea265c2aef2d52f3673233ff44c73b637f8147cf527ce03920c382
            • Instruction ID: 68fa825d73c3f1c61b1a4a93b5d608d22b272466ccc082b760f17eaae1c4103a
            • Opcode Fuzzy Hash: a2970d6420ea265c2aef2d52f3673233ff44c73b637f8147cf527ce03920c382
            • Instruction Fuzzy Hash: D431A072A1020AABDB2A9F64DC45EEF7BA5EB46310F064168FC04DA150EB35DD90CB90
            APIs
            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00375352
            • GetWindowLongW.USER32(?,000000F0), ref: 00375375
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00375382
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003753A8
            Similarity
            • API ID: LongWindow$InvalidateMessageRectSend
            • String ID:
            • API String ID: 3340791633-0
            • Opcode ID: 3675e74cec617d17b8109dcad3a8e72cf06842e96cddaf52342e81fe9b86de65
            • Instruction ID: c1ca6273220baa60a77f9bccd4de4e6df11eaa1b71de808e0e33fc30d28455d2
            • Opcode Fuzzy Hash: 3675e74cec617d17b8109dcad3a8e72cf06842e96cddaf52342e81fe9b86de65
            • Instruction Fuzzy Hash: E931E638A55A0CEFFB3B9E14CC55BE877A9AB04390F598105FA19961F0C7F8AD809B41
            APIs
            • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0034ABF1
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 0034AC0D
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 0034AC74
            • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0034ACC6
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: c6019feb3db6cf0e16aed99ad25ef50676d42729c270ddcc2740ae3cc3142503
            • Instruction ID: bac4c8e4b85485080d8a8f0b2898a9ad1e3eaedfd8b80aa2ee4ef45b9863bbc9
            • Opcode Fuzzy Hash: c6019feb3db6cf0e16aed99ad25ef50676d42729c270ddcc2740ae3cc3142503
            • Instruction Fuzzy Hash: 33310870A84A18AFEF37CB658C847FA7BE9AB49310F04421AE485DE1D1C375AD858792
            APIs
            • ClientToScreen.USER32(?,?), ref: 0037769A
            • GetWindowRect.USER32(?,?), ref: 00377710
            • PtInRect.USER32(?,?,00378B89), ref: 00377720
            • MessageBeep.USER32(00000000), ref: 0037778C
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            APIs
            • GetForegroundWindow.USER32 ref: 003716EB
              • Part of subcall function 00343A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00343A57
              • Part of subcall function 00343A3D: GetCurrentThreadId.KERNEL32 ref: 00343A5E
              • Part of subcall function 00343A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003425B3), ref: 00343A65
            • GetCaretPos.USER32(?), ref: 003716FF
            • ClientToScreen.USER32(00000000,?), ref: 0037174C
            • GetForegroundWindow.USER32 ref: 00371752
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 0034D501
            • Process32FirstW.KERNEL32(00000000,?), ref: 0034D50F
            • Process32NextW.KERNEL32(00000000,?), ref: 0034D52F
            • CloseHandle.KERNEL32(00000000), ref: 0034D5DC
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID:
            • API String ID: 420147892-0
            APIs
              • Part of subcall function 002F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 002F9BB2
            • GetCursorPos.USER32(?), ref: 00379001
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00337711,?,?,?,?,?), ref: 00379016
            • GetCursorPos.USER32(?), ref: 0037905E
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00337711,?,?,?), ref: 00379094
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            APIs
            • GetFileAttributesW.KERNEL32(?,0037CB68), ref: 0034D2FB
            • GetLastError.KERNEL32 ref: 0034D30A
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0034D319
            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0037CB68), ref: 0034D376
            Similarity
            • API ID: CreateDirectory$AttributesErrorFileLast
            • String ID:
            • API String ID: 2267087916-0
            APIs
              • Part of subcall function 00341014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0034102A
              • Part of subcall function 00341014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00341036
              • Part of subcall function 00341014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00341045
              • Part of subcall function 00341014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0034104C
              • Part of subcall function 00341014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00341062
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003415BE
            • _memcmp.LIBVCRUNTIME ref: 003415E1
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00341617
            • HeapFree.KERNEL32(00000000), ref: 0034161E
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            APIs
            • GetWindowLongW.USER32(?,000000EC), ref: 0037280A
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00372824
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00372832
            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00372840
            Similarity
            • API ID: Window$Long$AttributesLayered
            • String ID:
            • API String ID: 2169480361-0
            APIs
              • Part of subcall function 00348D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0034790A,?,000000FF,?,00348754,00000000,?,0000001C,?,?), ref: 00348D8C
              • Part of subcall function 00348D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00348DB2
              • Part of subcall function 00348D7D: lstrcmpiW.KERNEL32(00000000,?,0034790A,?,000000FF,?,00348754,00000000,?,0000001C,?,?), ref: 00348DE3
            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00348754,00000000,?,0000001C,?,?,00000000), ref: 00347923
            • lstrcpyW.KERNEL32(00000000,?), ref: 00347949
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00348754,00000000,?,0000001C,?,?,00000000), ref: 00347984
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            APIs
            • SendMessageW.USER32(?,00001060,?,00000004), ref: 003756BB
            • _wcslen.LIBCMT ref: 003756CD
            • _wcslen.LIBCMT ref: 003756D8
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00375816
            Similarity
            • API ID: MessageSend_wcslen
            • String ID:
            • API String ID: 455545452-0
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00341A47
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00341A59
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00341A6F
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00341A8A
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 0034E1FD
            • MessageBoxW.USER32(?,?,?,?), ref: 0034E230
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0034E246
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0034E24D
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
            • String ID:
            • API String ID: 2880819207-0
            APIs
            • CreateThread.KERNEL32(00000000,?,0030CFF9,00000000,00000004,00000000), ref: 0030D218
            • GetLastError.KERNEL32 ref: 0030D224
            • __dosmaperr.LIBCMT ref: 0030D22B
            • ResumeThread.KERNEL32(00000000), ref: 0030D249
            Similarity
            • API ID: Thread$CreateErrorLastResume__dosmaperr
            • String ID:
            • API String ID: 173952441-0
            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002E604C
            • GetStockObject.GDI32(00000011), ref: 002E6060
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 002E606A
            Similarity
            • API ID: CreateMessageObjectSendStockWindow
            • String ID:
            • API String ID: 3970641297-0
            APIs
            • ___BuildCatchObject.LIBVCRUNTIME ref: 00303B56
              • Part of subcall function 00303AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00303AD2
              • Part of subcall function 00303AA3: ___AdjustPointer.LIBCMT ref: 00303AED
            • _UnwindNestedFrames.LIBCMT ref: 00303B6B
            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00303B7C
            • CallCatchBlock.LIBVCRUNTIME ref: 00303BA4
            Similarity
            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
            • String ID:
            • API String ID: 737400349-0
            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002E13C6,00000000,00000000,?,0031301A,002E13C6,00000000,00000000,00000000,?,0031328B,00000006,FlsSetValue), ref: 003130A5
            • GetLastError.KERNEL32(?,0031301A,002E13C6,00000000,00000000,00000000,?,0031328B,00000006,FlsSetValue,00382290,FlsSetValue,00000000,00000364,?,00312E46), ref: 003130B1
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0031301A,002E13C6,00000000,00000000,00000000,?,0031328B,00000006,FlsSetValue,00382290,FlsSetValue,00000000), ref: 003130BF
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0034747F
            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00347497
            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003474AC
            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003474CA
            Similarity
            • API ID: Type$Register$FileLoadModuleNameUser
            • String ID:
            • API String ID: 1352324309-0
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0034ACD3,?,00008000), ref: 0034B0C4
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0034ACD3,?,00008000), ref: 0034B0E9
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0034ACD3,?,00008000), ref: 0034B0F3
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0034ACD3,?,00008000), ref: 0034B126
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00342DC5
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00342DD6
            • GetCurrentThreadId.KERNEL32 ref: 00342DDD
            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00342DE4
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: 75f7a8f762f9778f365a8d4f6359d7fcfd4ab49ff042f27140a82895eafac97d
            • Instruction ID: fb867a5c3dd615289822abeac9b0c55686239e0f12b6a878bc44fb325d83c747
            • Opcode Fuzzy Hash: 75f7a8f762f9778f365a8d4f6359d7fcfd4ab49ff042f27140a82895eafac97d
            • Instruction Fuzzy Hash: 16E06D71511224BAD7321B629C4DFEB7EACEB43BA1F84101DB109E50809AA49880C6B0
            APIs
              • Part of subcall function 002F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002F9693
              • Part of subcall function 002F9639: SelectObject.GDI32(?,00000000), ref: 002F96A2
              • Part of subcall function 002F9639: BeginPath.GDI32(?), ref: 002F96B9
              • Part of subcall function 002F9639: SelectObject.GDI32(?,00000000), ref: 002F96E2
            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00378887
            • LineTo.GDI32(?,?,?), ref: 00378894
            • EndPath.GDI32(?), ref: 003788A4
            • StrokePath.GDI32(?), ref: 003788B2
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: 76120294aed6fe94a092227d62c447819ed2667abe5528291df24c0d9b555e9b
            • Instruction ID: a3107fbcea9823974b3d6b7a0953a64fcb9d6f84888c47d4a4213a9991824f23
            • Opcode Fuzzy Hash: 76120294aed6fe94a092227d62c447819ed2667abe5528291df24c0d9b555e9b
            • Instruction Fuzzy Hash: 64F03A36051258BADB236F94AC0DFCA3E5DAF06310F448104FB25650E1C77955A1CFE5
            APIs
            • GetSysColor.USER32(00000008), ref: 002F98CC
            • SetTextColor.GDI32(?,?), ref: 002F98D6
            • SetBkMode.GDI32(?,00000001), ref: 002F98E9
            • GetStockObject.GDI32(00000005), ref: 002F98F1
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Color$ModeObjectStockText
            • String ID:
            • API String ID: 4037423528-0
            • Opcode ID: 3655da679d760d653594560db8d123f1df0a5061dd8ca3a7cd60c474d0940d26
            • Instruction ID: 023381da849b18b3703997c907b8c2c02f5303fc2baa7d08af21b0574324aea2
            • Opcode Fuzzy Hash: 3655da679d760d653594560db8d123f1df0a5061dd8ca3a7cd60c474d0940d26
            • Instruction Fuzzy Hash: 63E06D31254284ABEB325B75AC09BE83F24AB16376F14822DF6FA580E1C3B24690DB10
            APIs
            • GetCurrentThread.KERNEL32 ref: 00341634
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,003411D9), ref: 0034163B
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003411D9), ref: 00341648
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,003411D9), ref: 0034164F
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: 7624da81fabfbeaf6e948f3f1496953556bea5184793bb4873fa0a00569620ed
            • Instruction ID: 5113ede90d2f71088b34f8f37238af672c06e391184280663368df1c089b422e
            • Opcode Fuzzy Hash: 7624da81fabfbeaf6e948f3f1496953556bea5184793bb4873fa0a00569620ed
            • Instruction Fuzzy Hash: 8DE08631611211DBD7711FA0AD0DB463BBCBF44791F15480CF649DD090D638D4C0C7A4
            APIs
            • GetDesktopWindow.USER32 ref: 0033D858
            • GetDC.USER32(00000000), ref: 0033D862
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0033D882
            • ReleaseDC.USER32(?), ref: 0033D8A3
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: bc4665a771383e3886e73fc35f310d26f68b55539d5fd49c529a9247807d58ba
            • Instruction ID: 75b91ca22cdeb3785f10ee87177cf4a24bd8e7576fda529a45aa6de23274a911
            • Opcode Fuzzy Hash: bc4665a771383e3886e73fc35f310d26f68b55539d5fd49c529a9247807d58ba
            • Instruction Fuzzy Hash: D6E01270820204DFCF52AFA0D84866DBBB9FB08310F14901DF80AE7250C7345551DF40
            APIs
            • GetDesktopWindow.USER32 ref: 0033D86C
            • GetDC.USER32(00000000), ref: 0033D876
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0033D882
            • ReleaseDC.USER32(?), ref: 0033D8A3
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 186893fdc302a20cfba099fba70f53c911a6c9e32a0488d639ee304091c30c5d
            • Instruction ID: 14d872b71a51eba9a92825ee23dfa9f65eeaf2706343c64443f81fe4cdc2a102
            • Opcode Fuzzy Hash: 186893fdc302a20cfba099fba70f53c911a6c9e32a0488d639ee304091c30c5d
            • Instruction Fuzzy Hash: 1DE01A70820204DFCF62AFA0D84866DBBB9BB08310F14900DE90AE7260CB385951DF40
            APIs
              • Part of subcall function 002E7620: _wcslen.LIBCMT ref: 002E7625
            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00354ED4
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Connection_wcslen
            • String ID: *$LPT
            • API String ID: 1725874428-3443410124
            • Opcode ID: 4686253821edbd4993cf1d2bcc8801724bd8aecb6d2501c6f8be7a6906e5e0a9
            • Instruction ID: 1a1bfbbde6e58607cc031a51d9c00a59ae07c1d86e0d8862503ae7fa33f855ac
            • Opcode Fuzzy Hash: 4686253821edbd4993cf1d2bcc8801724bd8aecb6d2501c6f8be7a6906e5e0a9
            • Instruction Fuzzy Hash: F5918475A002449FCB19DF59C484EA9BBF5BF44308F598099E80A9F7A2D731ED89CF90
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 0030E30D
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: ErrorHandling__start
            • String ID: pow
            • API String ID: 3213639722-2276729525
            • Opcode ID: a8f7f43e1b17139d6d9e275d1769d5a2d8eaddebe96d591d5a135ce026f3b68b
            • Instruction ID: bbac7cb7ccd83882b4603f21a7ca9116b278fd58ea0993136716264a98b306e0
            • Opcode Fuzzy Hash: a8f7f43e1b17139d6d9e275d1769d5a2d8eaddebe96d591d5a135ce026f3b68b
            • Instruction Fuzzy Hash: 90513A71B0E20696CB1B7714DD213FA2BBCAB44740F394DE8E095862E9DB358CD19A86
            APIs
            • CharUpperBuffW.USER32(0033569E,00000000,?,0037CC08,?,00000000,00000000), ref: 003678DD
              • Part of subcall function 002E6B57: _wcslen.LIBCMT ref: 002E6B6A
            • CharUpperBuffW.USER32(0033569E,00000000,?,0037CC08,00000000,?,00000000,00000000), ref: 0036783B
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: BuffCharUpper$_wcslen
            • String ID: <s:
            • API String ID: 3544283678-271464033
            • Opcode ID: 6d1c69fd99b8157abca014754c549ee3d5cf37bbf8f8cc4c6a47008bf88db8d2
            • Instruction ID: dde45ae39cb4e2f6c3a68eced3be41ecf21392892893bae4eefe4d1bc7dbb213
            • Opcode Fuzzy Hash: 6d1c69fd99b8157abca014754c549ee3d5cf37bbf8f8cc4c6a47008bf88db8d2
            • Instruction Fuzzy Hash: 77618032964158AACF06EBA5CC91DFDB3B8BF14304BD48129F542B3095EF306A55CFA0
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            • Opcode ID: a8465efd1b8f7e09f0d19fb99196bce78125e6a500de4133f6fdf0adfc347fb6
            • Instruction ID: a22bd5ae6370d0700edbb6262ab0a0ba7001af2baecfca23a2ae3ad52be4aa30
            • Opcode Fuzzy Hash: a8465efd1b8f7e09f0d19fb99196bce78125e6a500de4133f6fdf0adfc347fb6
            • Instruction Fuzzy Hash: 4851343590024ADFDF16DF28C4D1ABABBA8EF65310F654066FD519B2E0E7309D92CB90
            APIs
            • Sleep.KERNEL32(00000000), ref: 002FF2A2
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 002FF2BB
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: 517917f705aa16f6a2f36aff877283c11ea2c8ac3dcec22733f7af42f64e8ccc
            • Instruction ID: 86498d2fa4f163d6ae6f39e48e63ff8fed32cf364c79b8465a7d5555a854bc84
            • Opcode Fuzzy Hash: 517917f705aa16f6a2f36aff877283c11ea2c8ac3dcec22733f7af42f64e8ccc
            • Instruction Fuzzy Hash: 9E5135714287859BD320AF51E886BABBBF8FB84300F81885DF199411A5EB318539CB66
            APIs
            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003657E0
            • _wcslen.LIBCMT ref: 003657EC
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: BuffCharUpper_wcslen
            • String ID: CALLARGARRAY
            • API String ID: 157775604-1150593374
            • Opcode ID: 9d0375973b2ecbf5718c47dd97a4fb17d523e62184247a48e3cb16c9c5383a56
            • Instruction ID: dedcafa0631cf7c8daae9361a60752ef04e01cf48bd5fcb65636fe22be5bac25
            • Opcode Fuzzy Hash: 9d0375973b2ecbf5718c47dd97a4fb17d523e62184247a48e3cb16c9c5383a56
            • Instruction Fuzzy Hash: 9D41BD31A102099FCB15DFA9C8858FEBBF5FF59320F518029E505AB256E7309D81CFA0
            APIs
            • _wcslen.LIBCMT ref: 0035D130
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0035D13A
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: CrackInternet_wcslen
            • String ID: |
            • API String ID: 596671847-2343686810
            • Opcode ID: 8b98ea032d07fb065f7aafe0284c815c0a43a68c252bc68c4395442d01143d41
            • Instruction ID: ebc42cd4918ff930069f984557d9fa16a64e53b3566e05fea3f62d58273b4cfe
            • Opcode Fuzzy Hash: 8b98ea032d07fb065f7aafe0284c815c0a43a68c252bc68c4395442d01143d41
            • Instruction Fuzzy Hash: 9D311971D10209ABCF15EFA5CC85EEEBFB9FF14340F400059E815A6162DB31AA56CF60
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00373621
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0037365C
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: d1348ff99b3f66f5a41d389a501fafd71d0ed77cfb1680429079b0a9441e21fa
            • Instruction ID: 06a9a4e8df75a45aaa9f393f9ea8cf10c212e214a94858ef280f315da3330346
            • Opcode Fuzzy Hash: d1348ff99b3f66f5a41d389a501fafd71d0ed77cfb1680429079b0a9441e21fa
            • Instruction Fuzzy Hash: 5F31AF71110204AEDB219F68DC80EFB73A9FF48720F11D61DF9A997280DA38AD91DB60
            APIs
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0037461F
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00374634
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: '
            • API String ID: 3850602802-1997036262
            • Opcode ID: 9656c30a12a0bd22a150dc39bef33634247426f1cea74d443668d4375ae05fad
            • Instruction ID: d8bd3a951b25abee53b83b51d49a2faa227b968bd71fa62e75a70b1da0301dba
            • Opcode Fuzzy Hash: 9656c30a12a0bd22a150dc39bef33634247426f1cea74d443668d4375ae05fad
            • Instruction Fuzzy Hash: 46313974A003099FDB25CF69C990BDABBB9FF0A310F148069E908AB351D774E941CF90
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0037327C
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00373287
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: f92637c6f890fe48ba5c983ba10229edbd3ce42c76794c164b727d48c6d3b6c2
            • Instruction ID: c212be918ccbcdfdbd233f38f2d028b0dc94b6ccc8142e2f27057865238e3457
            • Opcode Fuzzy Hash: f92637c6f890fe48ba5c983ba10229edbd3ce42c76794c164b727d48c6d3b6c2
            • Instruction Fuzzy Hash: 141190713002086FEF229E54DC84EAB776AEB983A4F118928F918A7291D6359D51A760
            APIs
              • Part of subcall function 002E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002E604C
              • Part of subcall function 002E600E: GetStockObject.GDI32(00000011), ref: 002E6060
              • Part of subcall function 002E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 002E606A
            • GetWindowRect.USER32(00000000,?), ref: 0037377A
            • GetSysColor.USER32(00000012), ref: 00373794
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 5f787af18406b2cc1e2f6a3ae6c94d4859be68b7e6d140c8b6449876f4d05870
            • Instruction ID: 2fcf6b94df6e671bd7b76b4354a19382283d400cb2850da8ddee4ccc95badc29
            • Opcode Fuzzy Hash: 5f787af18406b2cc1e2f6a3ae6c94d4859be68b7e6d140c8b6449876f4d05870
            • Instruction Fuzzy Hash: 24113AB2610209AFDF12DFB8CC45EEA7BB8FB08354F015918F959E2250D739E8519B50
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0035CD7D
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0035CDA6
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: ddfbb20e59567862bbbec9414ca2a64c8019c2df264b262f7083a8cb67addfdb
            • Instruction ID: 4e8f3b1cc553adddd75bd32f2b0555e6bf9ade4e711e269d855dcacf26fabeb0
            • Opcode Fuzzy Hash: ddfbb20e59567862bbbec9414ca2a64c8019c2df264b262f7083a8cb67addfdb
            • Instruction Fuzzy Hash: B511A3712257357ED73A4A668C45FE7BEFCEB127A9F00522AB909C20A0D6609848D6F0
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 003734AB
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003734BA
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: f8abd8f4836f764116c3ef090f8014012c2aa000561fa4079ab5608141be45e6
            • Instruction ID: 802d2ca1815ccabd26ebe6ab9ecd94f146cfa668654e28d4c85d7760b9c0deb1
            • Opcode Fuzzy Hash: f8abd8f4836f764116c3ef090f8014012c2aa000561fa4079ab5608141be45e6
            • Instruction Fuzzy Hash: 6511BF71110108ABEB374E65DC84AFB376EEB15374F518328FA68A31D0C739DC91AB50
            APIs
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            • CharUpperBuffW.USER32(?,?,?), ref: 00346CB6
            • _wcslen.LIBCMT ref: 00346CC2
            Memory Dump Source
            • Source File: 00000000.00000002.1256779006.00000000002E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002E0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2e0000_4iDSIZ8MhI.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: STOP
            • API String ID: 1256254125-2411985666
            APIs
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
              • Part of subcall function 00343CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00343CCA
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00341C46
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            APIs
            • __Init_thread_footer.LIBCMT ref: 002FA529
              • Part of subcall function 002E9CB3: _wcslen.LIBCMT ref: 002E9CBD
            Similarity
            • API ID: Init_thread_footer_wcslen
            • String ID: ,%;$3y3
            • API String ID: 2551934079-1555124621
            APIs
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003B3018,003B305C), ref: 003781BF
            • CloseHandle.KERNEL32 ref: 003781D1
            Similarity
            • API ID: CloseCreateHandleProcess
            • String ID: \0;
            • API String ID: 3712363035-4104835345
            Similarity
            • API ID: _wcslen
            • String ID: 3, 3, 16, 1
            • API String ID: 176396367-3042988571
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00340B23
            Similarity
            • API ID: Message
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 2030045667-4017498283
            APIs
              • Part of subcall function 002FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00300D71,?,?,?,002E100A), ref: 002FF7CE
            • IsDebuggerPresent.KERNEL32(?,?,?,002E100A), ref: 00300D75
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002E100A), ref: 00300D84
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00300D7F
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 55579361-631824599
            APIs
            • __Init_thread_footer.LIBCMT ref: 002FE3D5
            Similarity
            • API ID: Init_thread_footer
            • String ID: 0%;$8%;
            • API String ID: 1385522511-3897545404
            Similarity
            • API ID: LocalTime
            • String ID: %.3d$X64
            • API String ID: 481472006-1077770165
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0037232C
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0037233F
              • Part of subcall function 0034E97B: Sleep.KERNEL32 ref: 0034E9F3
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0037236C
            • PostMessageW.USER32(00000000), ref: 00372373
              • Part of subcall function 0034E97B: Sleep.KERNEL32 ref: 0034E9F3
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461