
Windows Analysis Report
T.T_Copy.12.18.2024.exe

Overview

General Information

Sample name: T.T_Copy.12.18.2024.exe
Analysis ID: 1578101
MD5: 4542c9e57e9d955244262c035aaffe94
SHA1: 3dfade02ec7892ebdfa977c25354a352e0c55f56
SHA256: 98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a
Tags: exe, user-lowmal3

Detection

ArrowRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected ArrowRAT
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Sigma detected: Explorer NOUACCHECK Flag
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found evasive API chain (date check)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion NT Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • T.T_Copy.12.18.2024.exe (PID: 1296 cmdline: "C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe" MD5: 4542C9E57E9D955244262C035AAFFE94)
    • cmd.exe (PID: 2828 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\oxfhxtr.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dfbzdfb.sfx.exe (PID: 5428 cmdline: dfbzdfb.sfx.exe -dC:\Users\user\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal MD5: 3181C79BFCB07A0B43A020F22641F2B2)
        • dfbzdfb.exe (PID: 6260 cmdline: "C:\Users\user\AppData\Local\Temp\dfbzdfb.exe" MD5: 06EB0777FCA570612C196D90F0499213)
          • cmd.exe (PID: 4640 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\zdsthsxu.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 60 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • zdfhrgzd.sfx.exe (PID: 4788 cmdline: zdfhrgzd.sfx.exe -dC:\Users\user\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku MD5: F59872E2FCC71EF9EB742E3792C37A76)
              • zdfhrgzd.exe (PID: 7264 cmdline: "C:\Users\user\AppData\Roaming\zdfhrgzd.exe" MD5: EC0967A3E53D490E8E1CE811CE53D003)
                • zdfhrgzd.exe (PID: 7396 cmdline: C:\Users\user\AppData\Roaming\zdfhrgzd.exe MD5: EC0967A3E53D490E8E1CE811CE53D003)
                  • explorer.exe (PID: 7480 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
                  • cvtres.exe (PID: 7508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
                    • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • zdfhrgzd.exe (PID: 7460 cmdline: C:\Users\user\AppData\Roaming\zdfhrgzd.exe MD5: EC0967A3E53D490E8E1CE811CE53D003)
                  • explorer.exe (PID: 7604 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
                  • cvtres.exe (PID: 7644 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
                    • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Acrobat.exe (PID: 1892 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\mts103wift.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
            • AcroCEF.exe (PID: 3700 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
              • AcroCEF.exe (PID: 3272 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2008 --field-trial-handle=1568,i,4831233176812548805,4032145808458294769,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • explorer.exe (PID: 7664 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 7808 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
ArrowRAT | It is available as a service, purchasable by anyone to use in their own campaigns. Its features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat
{"C2 url": "127.0.0.1", "Port": "1338", "Identifier": "Client01", "Mutex": "OSHPAW"}
Source | Rule | Description | Author | Strings
0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
Source | Rule | Description | Author | Strings
20.2.cvtres.exe.400000.0.unpack | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
15.2.zdfhrgzd.exe.2bd13c0.0.unpack | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
17.2.cvtres.exe.400000.0.unpack | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
15.2.zdfhrgzd.exe.2bd13c0.0.raw.unpack | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security
14.2.zdfhrgzd.exe.2d02d00.1.unpack | JoeSecurity_ArrowRAT | Yara detected ArrowRAT | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 7664, ProcessName: explorer.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, C:\Users\user\AppData\Roaming\ZO5WB9\I4R41F.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\zdfhrgzd.exe, ProcessId: 7396, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\ZO5WB9\I4R41F.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack | Malware Configuration Extractor: ArrowRAT {"C2 url": "127.0.0.1", "Port": "1338", "Identifier": "Client01", "Mutex": "OSHPAW"}
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | ReversingLabs: Detection: 18%
Source: T.T_Copy.12.18.2024.exe | ReversingLabs: Detection: 34%
Source: T.T_Copy.12.18.2024.exe | Virustotal: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.8% probability
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ZO5WB9\I4R41F.exe | Joe Sandbox ML: detected
Source: T.T_Copy.12.18.2024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: T.T_Copy.12.18.2024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: T.T_Copy.12.18.2024.exe, dfbzdfb.sfx.exe.1.dr, zdfhrgzd.sfx.exe.5.dr, dfbzdfb.exe.4.dr
Source: Binary string: D:\Work\C#\Pandora_Development\Production\1.8\DLL\obj\Release\DLL.pdb | source: zdfhrgzd.exe, 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: 1_2_0022A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: 1_2_0023A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: 1_2_00247D69 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Code function: 4_2_00BDA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Code function: 4_2_00BEA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Code function: 4_2_00BF7D69 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Code function: 5_2_0068A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Code function: 5_2_006A7D69 FindFirstFileExA
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Code function: 5_2_0069A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Code function: 9_2_0096A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Code function: 9_2_0097A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Code function: 9_2_00987D69 FindFirstFileExA

Networking

Source: Malware configuration extractor | URLs: 127.0.0.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: zdfhrgzd.exe, 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.254.27.112:1337/skra.jpg
Source: 77EC63BDA74BD0D0E0426DC8F80085060.10.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: cvtres.exe, 00000014.00000002.2678720038.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2D85F72862B55C4EADD9E66E06947F3D0.10.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: zdfhrgzd.exe, 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Code function: 14_2_013126C4 CreateDesktopW

System Summary

Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, HVNC.cs | Long String: Length: 59992
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: 1_2_00227070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exeCode function: String function: 0069D810 appears 31 times
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exeCode function: String function: 0069CEC0 appears 53 times
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exeCode function: String function: 0069CDF0 appears 37 times
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeCode function: String function: 0023CDF0 appears 37 times
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeCode function: String function: 0023CEC0 appears 53 times
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeCode function: String function: 0023D810 appears 31 times
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeCode function: String function: 00BECEC0 appears 53 times
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeCode function: String function: 00BECDF0 appears 37 times
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeCode function: String function: 00BED810 appears 31 times
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exeCode function: String function: 0097CDF0 appears 37 times
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exeCode function: String function: 0097D810 appears 31 times
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exeCode function: String function: 0097CEC0 appears 53 times
Source: T.T_Copy.12.18.2024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zdfhrgzd.exe.9.dr, Module2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, Pikolo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, Pikolo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: I4R41F.exe.14.dr, Module2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.zdfhrgzd.exe.2d02d00.1.raw.unpack, PandoraRecovery.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.zdfhrgzd.exe.2d02d00.1.raw.unpack, PandoraRecovery.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.zdfhrgzd.exe.3d2f548.2.raw.unpack, Module2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.zdfhrgzd.exe.2bd13c0.0.raw.unpack, PandoraRecovery.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.zdfhrgzd.exe.2bd13c0.0.raw.unpack, PandoraRecovery.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.zdfhrgzd.exe.3bb0468.1.raw.unpack, Module2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, Installer.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb24=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c' (the first and third decode to Software\Microsoft\Windows NT\CurrentVersion\Winlogon\, the second to the same key path without the trailing backslash; Winlogon is a standard logon-time autostart location)
Source: 14.2.zdfhrgzd.exe.2d02d00.1.raw.unpack, HVNC.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.zdfhrgzd.exe.2d02d00.1.raw.unpack, HVNC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 15.2.zdfhrgzd.exe.2bd13c0.0.raw.unpack, HVNC.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.zdfhrgzd.exe.2bd13c0.0.raw.unpack, HVNC.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@48/44@1/1
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: 1_2_00238BCF FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_4163625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Mutant created: \Sessions\1\BaseNamedObjects\OSHPAW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:60:120:WilError_03
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4160750
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\zdsthsxu.bat" "
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Command line argument: *x' (function 1_2_0023C130)
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Command line argument: *a& (function 1_2_0023C130)
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Command line argument: 8y' (function 1_2_0023C130)
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Command line argument: sfxname (function 1_2_0023C130)
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Command line argument: sfxstime (function 1_2_0023C130)
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Command line argument: STARTDLG (function 1_2_0023C130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Command line argument: sfxname (function 4_2_00BEC130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Command line argument: sfxstime (function 4_2_00BEC130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Command line argument: STARTDLG (function 4_2_00BEC130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Command line argument: *xm (function 5_2_0069C130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Command line argument: *al (function 5_2_0069C130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Command line argument: 8ym (function 5_2_0069C130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Command line argument: sfxname (function 5_2_0069C130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Command line argument: sfxstime (function 5_2_0069C130)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Command line argument: STARTDLG (function 5_2_0069C130)
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Command line argument: sfxname (function 9_2_0097C130)
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Command line argument: sfxstime (function 9_2_0097C130)
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Command line argument: STARTDLG (function 9_2_0097C130)
Source: T.T_Copy.12.18.2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cvtres.exe, 00000014.00000002.2677778081.000000000116C000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2678720038.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, TMP_pass.20.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (this is the schema of a Chromium-family "Login Data" SQLite database, i.e. the hollowed cvtres.exe process is handling a copy of a browser credential store)
Source: T.T_Copy.12.18.2024.exe | ReversingLabs: Detection: 34%
Source: T.T_Copy.12.18.2024.exe | Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | File read: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe
Source: unknown | Process created: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe "C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe"
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\oxfhxtr.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe dfbzdfb.sfx.exe -dC:\Users\user\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Process created: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe "C:\Users\user\AppData\Local\Temp\dfbzdfb.exe"
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\zdsthsxu.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\mts103wift.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe zdfhrgzd.sfx.exe -dC:\Users\user\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2008 --field-trial-handle=1568,i,4831233176812548805,4032145808458294769,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe "C:\Users\user\AppData\Roaming\zdfhrgzd.exe"
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe C:\Users\user\AppData\Roaming\zdfhrgzd.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe C:\Users\user\AppData\Roaming\zdfhrgzd.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\oxfhxtr.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe dfbzdfb.sfx.exe -dC:\Users\user\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Process created: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe "C:\Users\user\AppData\Local\Temp\dfbzdfb.exe"
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\zdsthsxu.bat" "
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\mts103wift.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe zdfhrgzd.sfx.exe -dC:\Users\user\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe "C:\Users\user\AppData\Roaming\zdfhrgzd.exe"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2008 --field-trial-handle=1568,i,4831233176812548805,4032145808458294769,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe C:\Users\user\AppData\Roaming\zdfhrgzd.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe C:\Users\user\AppData\Roaming\zdfhrgzd.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
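The process chain listed above is the part of the report a detection engineer wants to turn into rules: cmd.exe runs a WinRAR SFX with an explicit destination and password (-d... -p...), a second SFX stage repeats the pattern from AppData\Roaming, the extracted payload relaunches itself and then starts explorer.exe and cvtres.exe (the latter with the arguments Client01 127.0.0.1 1338 OSHPAW, and OSHPAW is also the mutex cvtres.exe creates), and explorer.exe appears with /NoUACCheck. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample. The event list is constructed by hand from the "Process created" lines above (conhost and Acrobat children omitted); which directories count as user-writable and which Windows binaries count as injection hosts are the editor's assumptions.

```python
"""Rule-based triage of process-creation events, using the chain from the report."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process ("unknown" where the report has none)
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


# Constructed from the report's "Process created" lines, in order.
EVENTS = [
    ProcEvent("unknown",
              r"C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe",
              r'"C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\oxfhxtr.cmd" "'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe",
              r"dfbzdfb.sfx.exe -dC:\Users\user\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe",
              r"C:\Users\user\AppData\Local\Temp\dfbzdfb.exe",
              r'"C:\Users\user\AppData\Local\Temp\dfbzdfb.exe"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\dfbzdfb.exe",
              r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\zdsthsxu.bat" "'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe",
              r"zdfhrgzd.sfx.exe -dC:\Users\user\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku"),
    ProcEvent(r"C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe",
              r"C:\Users\user\AppData\Roaming\zdfhrgzd.exe",
              r'"C:\Users\user\AppData\Roaming\zdfhrgzd.exe"'),
    ProcEvent(r"C:\Users\user\AppData\Roaming\zdfhrgzd.exe",
              r"C:\Users\user\AppData\Roaming\zdfhrgzd.exe",
              r"C:\Users\user\AppData\Roaming\zdfhrgzd.exe"),
    ProcEvent(r"C:\Users\user\AppData\Roaming\zdfhrgzd.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Windows\explorer.exe"'),
    ProcEvent(r"C:\Users\user\AppData\Roaming\zdfhrgzd.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW'),
    ProcEvent("unknown", r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe /NoUACCheck"),
]

# Editor's assumptions: profile directories a standard user can write to, and the
# Windows binaries the report shows being started by the payload.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", re.IGNORECASE)
SFX_EXTRACT = re.compile(r"\s-d\S+\s+-p\S+", re.IGNORECASE)   # WinRAR SFX: -d<dir> -p<password>
IPV4_PORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b")
INJECTION_HOSTS = {"explorer.exe", "cvtres.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, event) pairs; one event can match several rules."""
    hits = []
    for ev in events:
        img = basename(ev.image)
        from_user_dir = bool(USER_WRITABLE.match(ev.parent))
        if img.endswith(".sfx.exe") and SFX_EXTRACT.search(ev.cmdline):
            hits.append(("sfx_password_extract", ev))
        if img == "explorer.exe" and "/nouaccheck" in ev.cmdline.lower():
            hits.append(("explorer_nouaccheck", ev))
        if from_user_dir and img in INJECTION_HOSTS:
            hits.append(("system_binary_spawned_from_user_dir", ev))
        if img == "cvtres.exe" and IPV4_PORT.search(ev.cmdline):
            hits.append(("cvtres_with_host_port_args", ev))
        if from_user_dir and ev.parent.lower() == ev.image.lower():
            hits.append(("self_relaunch_from_user_dir", ev))
    return hits


def summarize(hits):
    """Rule name -> number of matching events."""
    return dict(Counter(rule for rule, _ in hits))


if __name__ == "__main__":
    for rule, ev in triage(EVENTS):
        print(f"{rule:36} {ev.cmdline}")
```

The cvtres.exe rule keys on a host and port in the command line only because that is what this report shows; a more general rule is "cvtres.exe whose parent is not a compiler toolchain process", which the constructed events cannot exercise. The self-relaunch and system-binary rules are deliberately coarse: on their own they are noisy, but together with the SFX extraction from cmd.exe they describe this chain and little else.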
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: dxgidebug.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: riched20.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: usp10.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: pcacli.dllJump to behavior
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: dxgidebug.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: riched20.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: usp10.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: pcacli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: dxgidebug.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: sfc_os.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: dwmapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: riched20.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: usp10.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: msls31.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: textinputframework.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: coreuicomponents.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: pcacli.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: policymanager.dll
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Section loaded: msvcp110_win.dll
                      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: dxgidebug.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: sfc_os.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: dwmapi.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: riched20.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: usp10.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: msls31.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: textshaping.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: textinputframework.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: coreuicomponents.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: coremessaging.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: pcacli.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: mpr.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\explorer.exe Section loaded: aepic.dll
                      Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                      Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: propsys.dll
                      Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
                      Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
                      Source: C:\Windows\explorer.exe Section loaded: wininet.dll
                      Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\explorer.exe Section loaded: wldp.dll
                      Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
                      Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
                      Source: C:\Windows\explorer.exe Section loaded: netutils.dll
                      Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                      Source: C:\Windows\explorer.exe Section loaded: ninput.dll
                      Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
                      Source: C:\Windows\explorer.exe Section loaded: xmllite.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: mscoree.dll
                      Source: C:\Windows\explorer.exe Section loaded: aepic.dll
                      Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                      Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: propsys.dll
                      Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
                      Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
                      Source: C:\Windows\explorer.exe Section loaded: wininet.dll
                      Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\explorer.exe Section loaded: wldp.dll
                      Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
                      Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
                      Source: C:\Windows\explorer.exe Section loaded: netutils.dll
                      Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                      Source: C:\Windows\explorer.exe Section loaded: ninput.dll
                      Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
                      Source: C:\Windows\explorer.exe Section loaded: xmllite.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: mscoree.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: wbemcomn.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: amsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: dpapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: aepic.dll
                      Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                      Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: propsys.dll
                      Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
                      Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
                      Source: C:\Windows\explorer.exe Section loaded: wininet.dll
                      Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\explorer.exe Section loaded: wldp.dll
                      Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
                      Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
                      Source: C:\Windows\explorer.exe Section loaded: netutils.dll
                      Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                      Source: C:\Windows\explorer.exe Section loaded: profapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: edputil.dll
                      Source: C:\Windows\explorer.exe Section loaded: apphelp.dll
                      Source: C:\Windows\explorer.exe Section loaded: appresolver.dll
                      Source: C:\Windows\explorer.exe Section loaded: bcp47langs.dll
                      Source: C:\Windows\explorer.exe Section loaded: slc.dll
                      Source: C:\Windows\explorer.exe Section loaded: sppc.dll
                      Source: C:\Windows\explorer.exe Section loaded: starttiledata.dll
                      Source: C:\Windows\explorer.exe Section loaded: usermgrcli.dll
                      Source: C:\Windows\explorer.exe Section loaded: usermgrproxy.dll
                      Source: C:\Windows\explorer.exe Section loaded: cscui.dll
                      Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
                      Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll
                      Source: C:\Windows\explorer.exe Section loaded: icu.dll
                      Source: C:\Windows\explorer.exe Section loaded: mswb7.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.search.dll
                      Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
                      Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
                      Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\explorer.exe Section loaded: aepic.dll
                      Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: userenv.dll
                      Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: propsys.dll
                      Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
                      Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
                      Source: C:\Windows\explorer.exe Section loaded: wininet.dll
                      Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
                      Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
                      Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\explorer.exe Section loaded: wldp.dll
                      Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
                      Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
                      Source: C:\Windows\explorer.exe Section loaded: netutils.dll
                      Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
                      Source: C:\Windows\explorer.exe Section loaded: profapi.dll
                      Source: C:\Windows\explorer.exe Section loaded: edputil.dll
                      Source: C:\Windows\explorer.exe Section loaded: apphelp.dll
                      Source: C:\Windows\explorer.exe Section loaded: appresolver.dll
                      Source: C:\Windows\explorer.exe Section loaded: bcp47langs.dll
                      Source: C:\Windows\explorer.exe Section loaded: slc.dll
                      Source: C:\Windows\explorer.exe Section loaded: sppc.dll
                      Source: C:\Windows\explorer.exe Section loaded: starttiledata.dll
                      Source: C:\Windows\explorer.exe Section loaded: usermgrcli.dll
                      Source: C:\Windows\explorer.exe Section loaded: usermgrproxy.dll
                      Source: C:\Windows\explorer.exe Section loaded: cscui.dll
                      Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
                      Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll
                      Source: C:\Windows\explorer.exe Section loaded: icu.dll
                      Source: C:\Windows\explorer.exe Section loaded: mswb7.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.storage.search.dll
                      Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
                      Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
                      Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
                      Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: T.T_Copy.12.18.2024.exe Static file information: File size 1208662 > 1048576
                      Source: T.T_Copy.12.18.2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: T.T_Copy.12.18.2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: T.T_Copy.12.18.2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: T.T_Copy.12.18.2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: T.T_Copy.12.18.2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: T.T_Copy.12.18.2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: T.T_Copy.12.18.2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: T.T_Copy.12.18.2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: T.T_Copy.12.18.2024.exe, dfbzdfb.sfx.exe.1.dr, zdfhrgzd.sfx.exe.5.dr, dfbzdfb.exe.4.dr
                      Source: Binary string: D:\Work\C#\Pandora_Development\Production\1.8\DLL\obj\Release\DLL.pdb source: zdfhrgzd.exe, 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                      Source: T.T_Copy.12.18.2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: T.T_Copy.12.18.2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: T.T_Copy.12.18.2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: T.T_Copy.12.18.2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: T.T_Copy.12.18.2024.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, RunPE.cs .Net Code: Run4 System.Reflection.Assembly.Load(byte[])
Source: 14.2.zdfhrgzd.exe.2d02d00.1.raw.unpack, PandoraRecovery.cs .Net Code: OnResolveAssembly System.Reflection.Assembly.Load(byte[])
Source: 15.2.zdfhrgzd.exe.2bd13c0.0.raw.unpack, PandoraRecovery.cs .Net Code: OnResolveAssembly System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4160750
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0023D856 push ecx; ret 1_2_0023D869
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0023CDF0 push eax; ret 1_2_0023CE0E
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BED856 push ecx; ret 4_2_00BED869
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BECDF0 push eax; ret 4_2_00BECE0E
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_0069D856 push ecx; ret 5_2_0069D869
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_0069CDF0 push eax; ret 5_2_0069CE0E
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_0097D856 push ecx; ret 9_2_0097D869
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_0097CDF0 push eax; ret 9_2_0097CE0E
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Code function: 13_2_03240145 push edx; retf 13_2_032400E2
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Code function: 13_2_03249540 pushad ; iretd 13_2_03249541
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe File created: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe File created: C:\Users\user\AppData\Roaming\ZO5WB9\I4R41F.exe
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe File created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe File created: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe File created: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe
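The "File created" rows above are listed in the order the sandbox recorded them, not in the order the nested WinRAR SFX stages actually unpack. The following added example (not part of the Joe Sandbox report or its tooling) parses those five rows, copied verbatim from this section, into a dropper-to-dropped tree and prints the chain from the submitted sample down to the final payload. Only the row format shown on this page is assumed.

```python
"""Rebuild the nested-SFX drop chain from Joe Sandbox "File created" rows.

Added example, not part of the Joe Sandbox report.  The rows below are copied
from the Data Obfuscation section above; the parser assumes the two-column
"Source: <dropper> File created: <dropped file>" layout and nothing else.
"""
from collections import defaultdict

# Rows copied from the report (link text "Jump to dropped file" removed).
DROP_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe File created: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe",
    r"Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe File created: C:\Users\user\AppData\Roaming\ZO5WB9\I4R41F.exe",
    r"Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe File created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe",
    r"Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe File created: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe File created: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe",
]


def parse_drop_row(row):
    """Return (dropper_path, dropped_path) from one 'File created' row."""
    src_part, _, dropped = row.partition(" File created: ")
    if not src_part.startswith("Source: ") or not dropped:
        raise ValueError(f"not a File created row: {row!r}")
    return src_part[len("Source: "):].strip(), dropped.strip()


def build_drop_tree(rows):
    """Map each dropper to the files it wrote, preserving report order."""
    tree = defaultdict(list)
    for row in rows:
        parent, child = parse_drop_row(row)
        tree[parent].append(child)
    return dict(tree)


def find_roots(tree):
    """Droppers that were not themselves dropped: the submitted sample(s)."""
    dropped = {child for children in tree.values() for child in children}
    return sorted(parent for parent in tree if parent not in dropped)


def drop_chain(tree, root):
    """Depth-first list of (depth, path) starting at root."""
    out = []

    def walk(node, depth, seen):
        out.append((depth, node))
        for child in tree.get(node, []):
            if child in seen:          # guard against a file that re-drops an ancestor
                continue
            walk(child, depth + 1, seen | {child})

    walk(root, 0, {root})
    return out


def stage_names(tree, root):
    """File names only, in unpack order: handy for a timeline or IOC list."""
    return [path.rsplit("\\", 1)[-1] for _, path in drop_chain(tree, root)]


if __name__ == "__main__":
    tree = build_drop_tree(DROP_ROWS)
    for root in find_roots(tree):
        for depth, path in drop_chain(tree, root):
            print("  " * depth + path)
```

Run as a script it prints the six stages indented by depth: the submitted sample extracts dfbzdfb.sfx.exe into Temp, which extracts dfbzdfb.exe, which writes zdfhrgzd.sfx.exe into Roaming, which extracts zdfhrgzd.exe, which finally writes ZO5WB9\I4R41F.exe. Feeding it the "File created" rows of another report works unchanged as long as the column layout is the same.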

Boot Survival

Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
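Writing the Shell value under HKCU\...\Winlogon is the "undocumented autostart registry key" flagged in the signature list: Winlogon launches whatever that value names as the user's shell at logon, and a per-user Shell value does not normally exist at all. The added example below (not part of the Joe Sandbox report) is a minimal detection over Sysmon-style Event ID 13 registry "value set" records. The record layout is a plain dict with Sysmon's field names; the sample events are constructed for the example, and the Details content attributed to zdfhrgzd.exe is an assumption, since the report only shows that the value was written, not what it contains.

```python
"""Detect Winlogon Shell hijacks in registry "value set" telemetry.

Added example, not part of the Joe Sandbox report.  Runs a minimal detection
over Sysmon-style Event ID 13 (RegistryEvent, Value Set) records.  Field names
(EventID, Image, TargetObject, Details) are Sysmon's; the sample events are
constructed, and the Details value for zdfhrgzd.exe is assumed.
"""
import re

# Winlogon\Shell under the machine hive or a user hive.  Sysmon reports the
# HKCU key seen in the report as HKU\<SID>\..., so both spellings are accepted.
WINLOGON_SHELL = re.compile(
    r"^HK(?:LM|CU|U\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$",
    re.IGNORECASE,
)
DEFAULT_SHELL = "explorer.exe"   # the only expected value on a workstation


def shell_entries(details):
    """Split a Shell value into its comma-separated programs, normalised."""
    return [e.strip().lower() for e in details.split(",") if e.strip()]


def is_shell_hijack(event):
    """True for a Value Set event that leaves Winlogon\\Shell as anything but explorer.exe.

    Creation of a per-user Shell value is itself noteworthy, but alerting only
    when the result is not a bare explorer.exe keeps imaging tools that rewrite
    the default quiet while still catching "explorer.exe, <payload>" appends.
    """
    if event.get("EventID") != 13:
        return False
    if not WINLOGON_SHELL.match(event.get("TargetObject", "")):
        return False
    return shell_entries(event.get("Details", "")) != [DEFAULT_SHELL]


def triage(events):
    """Return (Image, TargetObject, Details) for every hijack candidate."""
    return [(e["Image"], e["TargetObject"], e["Details"])
            for e in events if is_shell_hijack(e)]


# Constructed sample telemetry.  Record 1 mirrors the behaviour in the report
# (zdfhrgzd.exe writing HKCU\...\Winlogon\Shell); the appended path is assumed.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Roaming\zdfhrgzd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\user\AppData\Roaming\ZO5WB9\I4R41F.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},                        # default value, benign
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},  # different value, out of scope here
    {"EventID": 12, "Image": r"C:\Users\user\AppData\Roaming\zdfhrgzd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Details": ""},                                     # key create, not a value set
]

if __name__ == "__main__":
    for image, key, value in triage(SAMPLE_EVENTS):
        print(f"ALERT Winlogon Shell changed by {image}: {key} = {value!r}")
```

Only the first sample record fires. The same logic ports directly to a Sigma rule (EventID 13, TargetObject ends with \Winlogon\Shell, Details not equal to explorer.exe); the Python version is here so the edge cases, the HKU versus HKCU spelling and the comma-appended payload, can be exercised offline.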
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX (2 identical rows)
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX (6 identical rows)
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Process information set: NOOPENFILEERRORBOX (70 identical rows)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX (43 identical rows)
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 1880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 3360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 3180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 1310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 4C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 2B10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: 4B10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Memory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Thread delayed: delay time: 922337203685477 (3 identical rows)
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_5-22129
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_1-22070
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe TID: 7300 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe TID: 7472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe TID: 7568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 7648 Thread sleep count: 36 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 7648 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical rows)
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0022A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 1_2_0022A2C3
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0023A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 1_2_0023A536
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_00247D69 FindFirstFileExA, 1_2_00247D69
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BDA2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 4_2_00BDA2C3
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BEA536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 4_2_00BEA536
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BF7D69 FindFirstFileExA, 4_2_00BF7D69
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_0068A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 5_2_0068A2C3
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_006A7D69 FindFirstFileExA, 5_2_006A7D69
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_0069A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 5_2_0069A536
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_0096A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 9_2_0096A2C3
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_0097A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 9_2_0097A536
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_00987D69 FindFirstFileExA, 9_2_00987D69
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0023C8D4 VirtualQuery,GetSystemInfo, 1_2_0023C8D4
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Thread delayed: delay time: 922337203685477 (3 identical rows)
Source: dfbzdfb.sfx.exe, 00000004.00000002.1461867137.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: zdfhrgzd.sfx.exe, 00000009.00000002.1543319249.000000000077F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: dfbzdfb.sfx.exe, 00000004.00000002.1461867137.0000000000E3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}C
Source: zdfhrgzd.sfx.exe, 00000009.00000002.1543319249.000000000077F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y@
Source: cvtres.exe, 00000014.00000002.2677778081.0000000001108000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
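The memory strings above are the usual hypervisor tell-tales: a PnP device-instance path whose vendor/product fields (Ven_NECVMWar, Prod_VMware_SATA_CD00) identify a VMware virtual CD-ROM, and the "Hyper-V RAW" Winsock provider name. The added example below (not part of the Joe Sandbox report) is a small string scanner that pulls such markers out of an arbitrary process dump, in both ASCII and UTF-16LE, and parses the vendor and product out of the device path. The dump buffer is constructed for the example. Caveat for triage: these strings are placed in memory by Windows' own device enumeration and Winsock catalog, so they appear in the address space of benign processes inside any VM guest too; finding them shows what a sample could have checked, not that it performed a VM check.

```python
"""Scan a process memory dump for hypervisor device-path artefacts.

Added example, not part of the Joe Sandbox report.  Extracts printable ASCII
and UTF-16LE runs (like `strings -e l`), flags those containing hypervisor
vendor markers, and parses Ven_/Prod_ fields out of PnP device paths.  The
sample buffer below is constructed; the device path in it is the one quoted
in the report.  Presence of these strings is weak evidence on its own: any
VM guest has them in memory whether or not the sample looks at them.
"""
import re

# Marker substrings (lower-case) and where they normally come from.
HYPERVISOR_MARKERS = {
    "necvmwar": "VMware virtual SCSI/SATA device vendor ID",
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "qemu": "QEMU/KVM",
    "virtio": "KVM virtio device",
    "hyper-v": "Microsoft Hyper-V (also the AF_HYPERV Winsock provider name)",
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# PnP device-instance path: <bus>#<class>&Ven_<vendor>&Prod_<product>#...
DEVICE_PATH = re.compile(r"(?:SCSI|IDE|USBSTOR)#[^#]*?Ven_([^&#]+)&Prod_([^&#]+)", re.IGNORECASE)


def extract_strings(buf):
    """Yield (offset, text, encoding) for every printable run in buf."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), m.group().decode("ascii"), "ascii"
    for m in UTF16_RUN.finditer(buf):
        yield m.start(), m.group().decode("utf-16-le"), "utf-16le"


def find_vm_artifacts(buf):
    """Return hits sorted by offset; each hit lists every marker the string contains."""
    hits = []
    for off, text, enc in extract_strings(buf):
        low = text.lower()
        markers = [m for m in HYPERVISOR_MARKERS if m in low]
        if markers:
            hits.append({"offset": off, "encoding": enc, "markers": markers, "string": text})
    hits.sort(key=lambda h: h["offset"])
    return hits


def vendor_product(text):
    """(vendor, product) from a PnP device path, or None if the string is not one."""
    m = DEVICE_PATH.search(text)
    return (m.group(1), m.group(2)) if m else None


# Constructed dump fragment: padding, unrelated text, the device path quoted in
# the report (ASCII), the Winsock provider name (UTF-16LE) and a benign path.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"junk bytes \x01\x02\x03 more junk"
    + b"\x00\x00"
    + rb"\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    + b"\x00" * 8
    + "Hyper-V RAW".encode("utf-16-le")
    + b"\x00" * 8
    + rb"%SystemRoot%\system32\mswsock.dll"
    + b"\x00" * 4
)

if __name__ == "__main__":
    for hit in find_vm_artifacts(SAMPLE_DUMP):
        dev = vendor_product(hit["string"])
        extra = f" vendor={dev[0]} product={dev[1]}" if dev else ""
        print(f"{hit['offset']:#08x} {hit['encoding']:8} {hit['markers']}{extra}: {hit['string']}")
```

On the constructed buffer the scanner reports two strings: the SCSI device path (markers necvmwar and vmware, vendor NECVMWar, product VMware_SATA_CD00) and the UTF-16 "Hyper-V RAW" provider name. To turn a hit into evidence of an actual check, correlate it with the sample's own behaviour, for instance a SetupDiGetDeviceRegistryProperty or WMI Win32_CDROMDrive query in the API trace, rather than with the string alone.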
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe API call chain: ExitProcess graph end node graph_1-22411
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe API call chain: ExitProcess graph end node graph_4-22570
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe API call chain: ExitProcess graph end node graph_5-22517
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe API call chain: ExitProcess graph end node graph_9-23650
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Code function: 14_2_01316118 LdrInitializeThunk, 14_2_01316118
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0023DA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0023DA15
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_002449FA mov eax, dword ptr fs:[00000030h] 1_2_002449FA
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BF49FA mov eax, dword ptr fs:[00000030h] 4_2_00BF49FA
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_006A49FA mov eax, dword ptr fs:[00000030h] 5_2_006A49FA
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_009849FA mov eax, dword ptr fs:[00000030h] 9_2_009849FA
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_00248A9B GetProcessHeap, 1_2_00248A9B
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Process token adjusted: Debug (3 identical rows)
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0023DA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0023DA15
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0023DB63 SetUnhandledExceptionFilter, 1_2_0023DB63
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_00245B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00245B43
Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe Code function: 1_2_0023DD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0023DD1B
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BEDA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00BEDA15
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BEDB63 SetUnhandledExceptionFilter, 4_2_00BEDB63
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BF5B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00BF5B43
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe Code function: 4_2_00BEDD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00BEDD1B
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_0069DA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0069DA15
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_0069DB63 SetUnhandledExceptionFilter, 5_2_0069DB63
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_006A5B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_006A5B43
Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe Code function: 5_2_0069DD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0069DD1B
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_0097DA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_0097DA15
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_00985B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00985B43
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_0097DB63 SetUnhandledExceptionFilter, 9_2_0097DB63
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe Code function: 9_2_0097DD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0097DD1B
Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara match | File source: Process Memory Space: zdfhrgzd.exe PID: 7396, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: zdfhrgzd.exe PID: 7460, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7508, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7644, type: MEMORYSTR
                      Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, RunPE.cs | Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
                      Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, RunPE.cs | Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
                      Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, RunPE.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
                      Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, RunPE.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
                      Source: 13.2.zdfhrgzd.exe.441e068.0.raw.unpack, RunPE.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 412000
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 414000
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: EC0008
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 412000
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 414000
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: BF2008
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\oxfhxtr.cmd" "
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe dfbzdfb.sfx.exe -dC:\Users\user\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Process created: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe "C:\Users\user\AppData\Local\Temp\dfbzdfb.exe"
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\zdsthsxu.bat" "
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\mts103wift.pdf"
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe zdfhrgzd.sfx.exe -dC:\Users\user\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe "C:\Users\user\AppData\Roaming\zdfhrgzd.exe"
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Users\user\AppData\Roaming\zdfhrgzd.exe C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                      Source: zdfhrgzd.exe, 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: 1_2_0023D86B cpuid
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: GetLocaleInfoW,GetNumberFormatW,1_2_0023932E
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | Code function: GetLocaleInfoW,GetNumberFormatW,4_2_00BE932E
                      Source: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe | Code function: GetLocaleInfoW,GetNumberFormatW,5_2_0069932E
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe | Code function: GetLocaleInfoW,GetNumberFormatW,9_2_0097932E
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Queries volume information: C:\Users\user\AppData\Roaming\zdfhrgzd.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Queries volume information: C:\Users\user\AppData\Roaming\zdfhrgzd.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Queries volume information: C:\Users\user\AppData\Roaming\zdfhrgzd.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: 1_2_0023C130 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle
                      Source: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe | Code function: 1_2_0022A930 GetVersionExW
                      Source: C:\Users\user\AppData\Roaming\zdfhrgzd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: cvtres.exe, 00000014.00000002.2677778081.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                      Source: cvtres.exe, 00000014.00000002.2677778081.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2677778081.000000000116C000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2677778081.0000000001108000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 20.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.zdfhrgzd.exe.2bd13c0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.zdfhrgzd.exe.2bd13c0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.zdfhrgzd.exe.2d02d00.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.zdfhrgzd.exe.2d02d00.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: zdfhrgzd.exe PID: 7396, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: zdfhrgzd.exe PID: 7460, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7508, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7644, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                      Remote Access Functionality

                      Source: Yara match | File source: 20.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.zdfhrgzd.exe.2bd13c0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.zdfhrgzd.exe.2bd13c0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.zdfhrgzd.exe.2d02d00.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.zdfhrgzd.exe.2d02d00.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: zdfhrgzd.exe PID: 7396, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: zdfhrgzd.exe PID: 7460, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7508, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7644, type: MEMORYSTR

                      MITRE ATT&CK Matrix

                      Techniques per tactic; a number in parentheses is the report's signature count for a technique observed in this analysis, techniques without a count were not observed.

                      Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                      Resource Development: Scripting (1), Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                      Execution: Windows Management Instrumentation (1), Native API (11), Command and Scripting Interpreter (2), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                      Persistence: Scripting (1), DLL Side-Loading (1), Create Account (1), Registry Run Keys / Startup Folder (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                      Privilege Escalation: DLL Side-Loading (1), Process Injection (312), Registry Run Keys / Startup Folder (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                      Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (21), Software Packing (11), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (31), Process Injection (312)
                      Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                      Discovery: System Time Discovery (1), File and Directory Discovery (2), System Information Discovery (35), Security Software Discovery (141), Process Discovery (2), Virtualization/Sandbox Evasion (31), Remote System Discovery, System Owner/User Discovery
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                      Collection: Archive Collected Data (11), Data from Local System (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                      Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                      Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
                      Behavior Graph

                      Behavior Graph ID: 1578101 | Sample: T.T_Copy.12.18.2024.exe | Startdate: 19/12/2024 | Architecture: WINDOWS | Score: 100
                      Start: DNS x1.i.lencr.org, bg.microsoft.map.fastly.net; signatures: Found malware configuration, Antivirus detection for dropped file, Multi AV Scanner detection for submitted file, 9 other signatures
                        T.T_Copy.12.18.2024.exe
                          dropped: C:\Users\user\AppData\...\dfbzdfb.sfx.exe, PE32
                          cmd.exe
                            dfbzdfb.sfx.exe
                              dropped: C:\Users\user\AppData\Local\...\dfbzdfb.exe, PE32
                              signature: Multi AV Scanner detection for dropped file
                              dfbzdfb.exe
                                dropped: C:\Users\user\AppData\...\zdfhrgzd.sfx.exe, PE32
                                cmd.exe
                                  zdfhrgzd.sfx.exe
                                    dropped: C:\Users\user\AppData\Roaming\zdfhrgzd.exe, PE32
                                    zdfhrgzd.exe
                                      signatures: Antivirus detection for dropped file, Machine Learning detection for dropped file
                                      zdfhrgzd.exe
                                        signatures: Writes to foreign memory regions, Allocates memory in foreign processes, Injects a PE file into a foreign processes
                                        cvtres.exe
                                          127.0.0.1 (unknown unknown)
                                          signature: Tries to harvest and steal browser information (history, passwords, etc)
                                        explorer.exe
                                      zdfhrgzd.exe
                                        dropped: C:\Users\user\AppData\Roaming\...\I4R41F.exe, PE32
                                        signature: Creates an undocumented autostart registry key
                                        cvtres.exe
                                          conhost.exe
                                        explorer.exe
                                  conhost.exe
                                Acrobat.exe
                                  AcroCEF.exe
                                    AcroCEF.exe
                            conhost.exe
                        explorer.exe
                        explorer.exe

                      Source | Detection | Scanner | Label
                      T.T_Copy.12.18.2024.exe | 34% | ReversingLabs | Win32.Trojan.Uztuby
                      T.T_Copy.12.18.2024.exe | 42% | Virustotal
                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\zdfhrgzd.exe | 100% | Avira | TR/Dropper.Gen
                      C:\Users\user\AppData\Roaming\ZO5WB9\I4R41F.exe | 100% | Avira | TR/Dropper.Gen
                      C:\Users\user\AppData\Roaming\zdfhrgzd.exe | 100% | Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\ZO5WB9\I4R41F.exe | 100% | Joe Sandbox ML
                      C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe | 18% | ReversingLabs
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      http://51.254.27.112:1337/skra.jpg | 0% | Avira URL Cloud | safe
                      127.0.0.1 | 0% | Avira URL Cloud | safe
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
                      x1.i.lencr.org | unknown | unknown | false | | high
                      Name | Malicious | Antivirus Detection | Reputation
                      127.0.0.1 | true | Avira URL Cloud: safe | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1 | zdfhrgzd.exe, 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                      http://51.254.27.112:1337/skra.jpg | zdfhrgzd.exe, 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, zdfhrgzd.exe, 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.10.dr | false | | high
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | cvtres.exe, 00000014.00000002.2678720038.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      127.0.0.1
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1578101
                                Start date and time:2024-12-19 08:59:24 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 36s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:33
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:T.T_Copy.12.18.2024.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@48/44@1/1
                                EGA Information:
                                • Successful, ratio: 75%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 290
                                • Number of non-executed functions: 193
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 23.218.208.137, 172.64.41.3, 162.159.61.3, 23.195.61.56, 199.232.214.172, 2.20.40.170, 2.19.126.149, 2.19.126.143, 54.224.241.105, 92.122.16.236, 20.12.23.50
                                • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
                                • Execution Graph export aborted for target cvtres.exe, PID 7644 because it is empty
                                • Execution Graph export aborted for target zdfhrgzd.exe, PID 7264 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:00:42 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
03:02:15 | API Interceptor | 5x Sleep call for process: cvtres.exe modified
09:00:35 | Task Scheduler | Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck
                                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | 22054200882739718047.js | Get hash | malicious | Strela Downloader | Browse | 199.232.214.172
 | Sh2uIqqKqc.exe | Get hash | malicious | Cryptbot | Browse | 199.232.214.172
 | alyemenione.lnk | Get hash | malicious | Havoc, Quasar | Browse | 199.232.214.172
 | R8CAg00Db8.lnk | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | A file has been sent to you via DROPBOX.pdf | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | PyIsvSahWy.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | PkContent.exe | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | https://launch.app/plainsart | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
 | ji2xlo1f.exe | Get hash | malicious | LummaC | Browse | 199.232.210.172
 | Order_948575494759.xls | Get hash | malicious | Unknown | Browse | 199.232.214.172
                                No context
                                No context
                                No context
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):294
                                Entropy (8bit):5.164275214551747
                                Encrypted:false
                                SSDEEP:6:78V4yq2PCHhJ2nKuAl9OmbnIFUt8O8Vcjz1Zmw+O8VQNSpRkwOCHhJ2nKuAl9Omt:7NyvBHAahFUt8O3jZ/+ORApR56HAaSJ
                                MD5:41440DD3C3DE851486BE8A26E1AFD1BC
                                SHA1:84A3A5ED365B8D8975235B8E1C8DE4C32C9D8726
                                SHA-256:2DFF9B49C9502B2526435D7993888A0C16210252748DEB70DCBB285E725D5E63
                                SHA-512:DBEB27B7CB35C06121FFB366891FAD661FA2B1BE287C4AA4B44481A7D94805DF702B208626A2BEE886806504E0301078C315597AD0C2E5ED1549A7E33DAFAF93
                                Malicious:false
                                Preview:2024/12/19-03:00:30.407 1174 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-03:00:30.414 1174 Recovering log #3.2024/12/19-03:00:30.415 1174 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):294
                                Entropy (8bit):5.164275214551747
                                Encrypted:false
                                SSDEEP:6:78V4yq2PCHhJ2nKuAl9OmbnIFUt8O8Vcjz1Zmw+O8VQNSpRkwOCHhJ2nKuAl9Omt:7NyvBHAahFUt8O3jZ/+ORApR56HAaSJ
                                MD5:41440DD3C3DE851486BE8A26E1AFD1BC
                                SHA1:84A3A5ED365B8D8975235B8E1C8DE4C32C9D8726
                                SHA-256:2DFF9B49C9502B2526435D7993888A0C16210252748DEB70DCBB285E725D5E63
                                SHA-512:DBEB27B7CB35C06121FFB366891FAD661FA2B1BE287C4AA4B44481A7D94805DF702B208626A2BEE886806504E0301078C315597AD0C2E5ED1549A7E33DAFAF93
                                Malicious:false
                                Preview:2024/12/19-03:00:30.407 1174 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/19-03:00:30.414 1174 Recovering log #3.2024/12/19-03:00:30.415 1174 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):335
                                Entropy (8bit):5.119457696138752
                                Encrypted:false
                                SSDEEP:6:78V2Kq2PCHhJ2nKuAl9Ombzo2jMGIFUt8O8VtXZmw+O8VtFkwOCHhJ2nKuAl9OmT:7xKvBHAa8uFUt8OKX/+OKF56HAa8RJ
                                MD5:81DBF5DF6F9312DF55400183B0F64AF5
                                SHA1:BA72B87DF944EE246BA1DE239A540CBEBEEE8AA0
                                SHA-256:E0BC263CB82C0500491C09F3976C4AADCB1CAA7C6279778E8E27BD525FDF9980
                                SHA-512:C415C89728B3985F0B6996B0003A4EA2B526374354B0DA8333945D2ED4FC436953897E4B65CC03A1F3F5509E1495912633B51200A68F5604ABFE93D7069F1E37
                                Malicious:false
                                Preview:2024/12/19-03:00:30.629 ad0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-03:00:30.631 ad0 Recovering log #3.2024/12/19-03:00:30.631 ad0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):335
                                Entropy (8bit):5.119457696138752
                                Encrypted:false
                                SSDEEP:6:78V2Kq2PCHhJ2nKuAl9Ombzo2jMGIFUt8O8VtXZmw+O8VtFkwOCHhJ2nKuAl9OmT:7xKvBHAa8uFUt8OKX/+OKF56HAa8RJ
                                MD5:81DBF5DF6F9312DF55400183B0F64AF5
                                SHA1:BA72B87DF944EE246BA1DE239A540CBEBEEE8AA0
                                SHA-256:E0BC263CB82C0500491C09F3976C4AADCB1CAA7C6279778E8E27BD525FDF9980
                                SHA-512:C415C89728B3985F0B6996B0003A4EA2B526374354B0DA8333945D2ED4FC436953897E4B65CC03A1F3F5509E1495912633B51200A68F5604ABFE93D7069F1E37
                                Malicious:false
                                Preview:2024/12/19-03:00:30.629 ad0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/19-03:00:30.631 ad0 Recovering log #3.2024/12/19-03:00:30.631 ad0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:JSON data
                                Category:modified
                                Size (bytes):475
                                Entropy (8bit):4.958684469570158
                                Encrypted:false
                                SSDEEP:12:YH/um3RA8sq/yf0sBdOg2H8caq3QYiub6P7E4TX:Y2sRds8EdMH/3QYhbS7n7
                                MD5:2B0ECF847EEEE20EC5AB0F836E6B15C0
                                SHA1:8B371238C6A1AF782D8ACE175E40FCB97A6F7B18
                                SHA-256:D062EE03C9A1022DA33BDFFEA4D04ED6E44EFF9E2E539F48458A4214347BE82E
                                SHA-512:CBBA0A9487D1D7CD8E918535A0EB6E963CE593723B40D1BA5249081E45F8AFCAAC36A02BC0810FE0445DEBEEE3F05D90671DE9A25AD4430933C702585A41FF72
                                Malicious:false
                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379155239388611","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":629285},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):475
                                Entropy (8bit):4.963247713778661
                                Encrypted:false
                                SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                MD5:D46529E824E6E834D0D750C5560C136C
                                SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                Malicious:false
                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):475
                                Entropy (8bit):4.963247713778661
                                Encrypted:false
                                SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                MD5:D46529E824E6E834D0D750C5560C136C
                                SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                Malicious:false
                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):475
                                Entropy (8bit):4.963247713778661
                                Encrypted:false
                                SSDEEP:12:YH/um3RA8sqRYSsBdOg2HEcaq3QYiub6P7E4TX:Y2sRds9dMHX3QYhbS7n7
                                MD5:D46529E824E6E834D0D750C5560C136C
                                SHA1:E6597929E439E6AF24CE7249F0D303987F0760BF
                                SHA-256:818753A5C6D3C843FBA032CCB1B1681F6226C17B388A1E3052774B1DD8809C72
                                SHA-512:CE939B02393B7F46CE528527A40DCB56023CF6682B664D5685354CDA51388EE603FCAF018A428EFB08AD5800B68847F6F512B05F6D772E435507EE32BCEA0963
                                Malicious:false
                                Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13341054937965898","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146333},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.8","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):3878
                                Entropy (8bit):5.238269909912555
                                Encrypted:false
                                SSDEEP:96:S4bz5vsZ4CzSAsfTxiVud4TxY0CIOr3MCWO3VxBaw+bLlFhy:S43C4mS7fFi0KFYDjr3LWO3V3aw+bLlS
                                MD5:27C67DB787DBD114406554B4A49BCD38
                                SHA1:421FCCA4F4589931F4DEABD250C080977CC48C83
                                SHA-256:5DAA1ACDCB077DF102DAF2533BEDBA480FE15FB28A61CEB490CC54B0469113D3
                                SHA-512:9130661EBACC47EE2E33822E594B98DC67A3EFF0EE8C9D0BD4E4576154D84FB6FBA4B4554F29DE2E93D831D3629E7848859BB822CA361AF10591A7DF0BD76763
                                Malicious:false
                                Preview:*...#................version.1..namespace-8..|o................next-map-id.1.Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/.0...dr................next-map-id.2.Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.1....r................next-map-id.3.Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.2.$..o................next-map-id.4.Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/.3+...^...............Pnamespace-656dc224_0825_4dad_892f_a4fe9098071c-https://rna-resource.acrobat.com/....^...............Pnamespace-f0c0a73c_e89b_42d5_bb63_4f8a3b04cf3a-https://rna-resource.acrobat.com/T.3.a...............Snamespace-ef12e1ab_9f14_41d7_aae3_3f05adf09ebc-https://rna-v2-resource.acrobat.com/.U..a...............Snamespace-07eb38e9_046b_46c4_bd67_b1578df56145-https://rna-v2-resource.acrobat.com/.$..o................next-map-id.5.Pnamespace-c66013b9_73b6_4b3f_b279_
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):323
                                Entropy (8bit):5.148950136163061
                                Encrypted:false
                                SSDEEP:6:78VIOq2PCHhJ2nKuAl9OmbzNMxIFUt8O8V5hZmw+O8VdmkwOCHhJ2nKuAl9OmbzE:7OvBHAa8jFUt8Ooh/+O+m56HAa84J
                                MD5:8E9C240423B1EC35CF89F219AAE5D444
                                SHA1:CEB8CD2E17DB507998C4CDA6AD7963A9DD5B943E
                                SHA-256:3CC4265DABE98833CF253C697A3B56517BC7CD1EABBA6530B0D1CF9691248EF2
                                SHA-512:C08E8B30444DC3C2C4935853F6A4D7664479C87F48D87829EFFAC46771046A8698C92AF2C47BA113B26DD3B699200575FC33A6732EEF934416F00C3E5CC62D60
                                Malicious:false
                                Preview:2024/12/19-03:00:30.973 ad0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-03:00:30.981 ad0 Recovering log #3.2024/12/19-03:00:30.982 ad0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):323
                                Entropy (8bit):5.148950136163061
                                Encrypted:false
                                SSDEEP:6:78VIOq2PCHhJ2nKuAl9OmbzNMxIFUt8O8V5hZmw+O8VdmkwOCHhJ2nKuAl9OmbzE:7OvBHAa8jFUt8Ooh/+O+m56HAa84J
                                MD5:8E9C240423B1EC35CF89F219AAE5D444
                                SHA1:CEB8CD2E17DB507998C4CDA6AD7963A9DD5B943E
                                SHA-256:3CC4265DABE98833CF253C697A3B56517BC7CD1EABBA6530B0D1CF9691248EF2
                                SHA-512:C08E8B30444DC3C2C4935853F6A4D7664479C87F48D87829EFFAC46771046A8698C92AF2C47BA113B26DD3B699200575FC33A6732EEF934416F00C3E5CC62D60
                                Malicious:false
                                Preview:2024/12/19-03:00:30.973 ad0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/19-03:00:30.981 ad0 Recovering log #3.2024/12/19-03:00:30.982 ad0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:PC bitmap, Windows 3.x format, 135 x -152 x 32, cbSize 82134, bits offset 54
                                Category:dropped
                                Size (bytes):82134
                                Entropy (8bit):1.4394307435407743
                                Encrypted:false
                                SSDEEP:96:e4W1yTK3v72OHJYIakOjnaDySaZsUmYMMzpz0gL+04TKKvgl/VJkCYGcUov6q:s1yG3z3HJ9aieJ+XBTLvYdOCYTJF
                                MD5:F9211404710C4815377B9565BF27C4EB
                                SHA1:14AECB47F9F4E7DD60821382E42B3FA3F56B8046
                                SHA-256:5857B5850B91170D700429523E3BD17441E7E846F2CB4F7A0658E005EC10559B
                                SHA-512:8009D05F03B160AC5A8C83F31720A4B575D21E53DD5D661EEE6DEB507811BC7DBE17C7392CB2C37DBE3928E29967202716F200463982900EC822A724DC45CB4E
                                Malicious:false
                                Preview:BM.@......6...(.......h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:Certificate, Version=3
                                Category:dropped
                                Size (bytes):1391
                                Entropy (8bit):7.705940075877404
                                Encrypted:false
                                SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                Malicious:false
                                Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                Category:dropped
                                Size (bytes):71954
                                Entropy (8bit):7.996617769952133
                                Encrypted:true
                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                Malicious:false
                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):192
                                Entropy (8bit):2.7673182398396405
                                Encrypted:false
                                SSDEEP:3:kkFklu60+E/XfllXlE/HT8kshl1NNX8RolJuRdxLlGB9lQRYwpDdt:kK3fpQT8rl7NMa8RdWBwRd
                                MD5:86A1E02D95A1A1CA5FDDE38AEA6DAA0A
                                SHA1:5550E50A7575AFCFDB8E2AA7906768C395204AD1
                                SHA-256:D79FB09EB4740CB1C086BA678A550E33860E251D3207CF8BE80BC4C07DD27FFC
                                SHA-512:ADADA33684D95D0FDC7FFFB9A402D665E218673D0708DB4EAFA1E8092AEDC1535EEE480AA5E359071EE32FB44F154A02E0168D69479BFDB89A0145319D729CAD
                                Malicious:false
                                Preview:p...... ............Q..(....................................................... ..........W....q...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:data
                                Category:modified
                                Size (bytes):328
                                Entropy (8bit):3.2539954282295116
                                Encrypted:false
                                SSDEEP:6:kKQ9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:TDImsLNkPlE99SNxAhUe/3
                                MD5:79A09C6700912F2DE73F6C8726241E22
                                SHA1:403FBFC572D0FC8013800853CEDBEE61B8FBB586
                                SHA-256:136D4E3281A2CEA16A5F3E94B5138D2D19AC804B3F6F80C8C98E9C8C3BC0DBDE
                                SHA-512:3EB2CD75985428F507BAE2F03F7546A3EEE9856C43FDB1B6E9AAB6F759AE6952B82C0BC4B02AE677C0CEF2CA98EA09A844C3E62D346ECD2DF662EF3235EFB022
                                Malicious:false
                                Preview:p...... .........B.,.Q..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:PostScript document text
                                Category:dropped
                                Size (bytes):1233
                                Entropy (8bit):5.233980037532449
                                Encrypted:false
                                SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                Malicious:false
                                Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:PostScript document text
                                Category:dropped
                                Size (bytes):1233
                                Entropy (8bit):5.233980037532449
                                Encrypted:false
                                SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                Malicious:false
                                Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:PostScript document text
                                Category:dropped
                                Size (bytes):1233
                                Entropy (8bit):5.233980037532449
                                Encrypted:false
                                SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                Malicious:false
                                Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:PostScript document text
                                Category:dropped
                                Size (bytes):10880
                                Entropy (8bit):5.214360287289079
                                Encrypted:false
                                SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                MD5:B60EE534029885BD6DECA42D1263BDC0
                                SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                Malicious:false
                                Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):4
                                Entropy (8bit):0.8112781244591328
                                Encrypted:false
                                SSDEEP:3:e:e
                                MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                Malicious:false
                                Preview:....
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):2145
                                Entropy (8bit):5.072097553943305
                                Encrypted:false
                                SSDEEP:48:YAo+eHIYH8TFSGTFXwiTFgCTF3bTFDL0ToT3UTpNMaTN:yhoJLWNMu
                                MD5:3911CF45C514AE8C15BE15204A387C57
                                SHA1:736E16D20B95C16A88C0C9B025B97DABDB6A5E12
                                SHA-256:2B7B75F3AAD75908AA0B517D0B79AE772221CC97A176F713A68F9ECC568C0CF6
                                SHA-512:61FF1AEA8EB17A4494B2F1376430C3029BE9286D3461D46F4414D0E3F51032257E586A786CBDA0BFF08F15693FF76DC6048C66AC9988E9ECD83401AD71FDE63E
                                Malicious:false
                                Preview:{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1734595234000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"1f627a0ebb1619d115b1670685dc36d6","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696494934000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"1a6c845034c91b8f895804fd80befd78","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696494933000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"27da5dddbe5bafa6951ba0799b63a0fa","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1696494928000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"52e4d71a3bec9e300fc55dce48c3c732","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1395,"ts":1696493920000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"c5e64480adba3de9b9cf370b71aefd47","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696493920000},{"id":"Edit_InApp_Aug2020","info":{"dg":"8b26a75f
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                Category:dropped
                                Size (bytes):12288
                                Entropy (8bit):1.3188328823951132
                                Encrypted:false
                                SSDEEP:48:TGufl2GL7ms9WR1CPmPbPahm2g7LxypilIA2g7Lh:lNVms9WfMwbPahpg7Lx+g7Lh
                                MD5:3BE17631CD88589121CF9FB28CCBF4CC
                                SHA1:5426515390A94A4B3BB212776DB99784A746C8F5
                                SHA-256:C0426FA93EF90FF90C74B02768AAC3AC4FA5135A1160A2E44AAAC4A91638A3C7
                                SHA-512:F4E8C29BB8E1FA7D852C281825E923A6E9B848C5BD52FAF35F1AA8CE07AADC4808120A3195F28A01BFB3363F5DAFC81D2D5B1ED22EEE45A69126883E0A7C75DA
                                Malicious:false
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:SQLite Rollback Journal
                                Category:dropped
                                Size (bytes):8720
                                Entropy (8bit):1.7799419274716621
                                Encrypted:false
                                SSDEEP:48:7MCWR1CPmPbPahm2g7LUypilI4qFl2GL7msg:7vWfMwbPahpg7LUdKVmsg
                                MD5:45818E519D108FB1C46E40AC06191876
                                SHA1:17E3811F980AF6D31A72AD95AA38A8453FF6A03A
                                SHA-256:F5662144AD70273A4FCC7AF1C752D664FA99A4F60D4E9EF468FEB8D08457F387
                                SHA-512:FF438E503D5B760F9049B5C4192A191A9DDD88638BBC7ACA641F28ADE94218C863438DD9D355EA2C31B8F273F637C5F1E637E100107106258A24D66F7E50F58E
                                Malicious:false
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):66726
                                Entropy (8bit):5.392739213842091
                                Encrypted:false
                                SSDEEP:768:RNOpblrU6TBH44ADKZEgk5J12ivi9DbkmlNj40Of1BiYyu:6a6TZ44ADEk5J12oi5if14K
                                MD5:F58BD0483D69282F2AFB50413878C77C
                                SHA1:6869485D2E0493E9542627D5B5526C996379BDD0
                                SHA-256:2D65FC50F7696A74344918D5002A03C52B96BDB921317801F0FD658C57B5E2C2
                                SHA-512:5D227A1077B8BBADD6D13C836D80A27603E51BB1533F8B6CDF5B5981AA246742ED56530C579CCEA306F1948F67F273645965CD0351CE8DCDED0D94F71398A9F8
                                Malicious:false
                                Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                Process:C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):522
                                Entropy (8bit):5.358731107079437
                                Encrypted:false
                                SSDEEP:12:Q3La/KDLI4MWuPTAt92n4M9XKbbDLI4MWuPJKAVKhav:ML9E4Ke84qXKDE4KhKiKhk
                                MD5:08B391CB8E70DAE45E693F5AEFF97240
                                SHA1:3D9B7C574393BC5E42C3F5BD802DA891EAC2A86C
                                SHA-256:E8723F906E58446CB7375D96D654DDF02AC17662F53DBB965C845999E1016628
                                SHA-512:73266735B86824221433C5585969ABDACAFEBF1D6FF7FE0D4EAF6299060373D7C041B52BF99E6CD1FA33173B0D60AE4417AA6F0850BAE5C8CCBB52D700644E35
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):246
                                Entropy (8bit):3.511206980872271
                                Encrypted:false
                                SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8mUlAg6YH:Qw946cPbiOxDlbYnuRKo6YH
                                MD5:E45434EC25D041CFE177FB5C4E8F8AAD
                                SHA1:3D9E4C39F085A48329C1D48A9FFAB6A1D8D5F014
                                SHA-256:6BFC6F0CEBB327127EAA53911539805FAF8804DB8B73C657979BF8EAF510A3EA
                                SHA-512:26219CEB38EE635C63AACD67E462FED5FAF23B362F3E418DB511C980A6043350A828D9EA8AB3458C99A2FD07C55D9CD2645BF1965DB9F27B99E02ABF3A3E8FCB
                                Malicious:false
                                Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.9./.1.2./.2.0.2.4. . .0.3.:.0.0.:.4.0. .=.=.=.....
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                Category:dropped
                                Size (bytes):40960
                                Entropy (8bit):0.8553638852307782
                                Encrypted:false
                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                MD5:28222628A3465C5F0D4B28F70F97F482
                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                Malicious:false
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:ASCII text, with very long lines (393)
                                Category:dropped
                                Size (bytes):16525
                                Entropy (8bit):5.33860678500249
                                Encrypted:false
                                SSDEEP:384:IC2heaVGJMUPhP80d0Wc+9eG/CCihFomva7RVRkfKhZmWWyC7rjgNgXo6ge5iaW0:X8B
                                MD5:C3FEDB046D1699616E22C50131AAF109
                                SHA1:C9EEA5A1A16BD2CD8154E8C308C8A336E990CA8D
                                SHA-256:EA948BAC75D609B74084113392C9F0615D447B7F4AACA78D818205503EACC3FD
                                SHA-512:845CDB5166B35B39215A051144452BEF9161FFD735B3F8BD232FB9A7588BA016F7939D91B62E27D6728686DFA181EFC3F3CC9954B2EDAB7FC73FCCE850915185
                                Malicious:false
                                Preview:SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:080+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=29b7f1b4-edf3-467e-b302-20b20356cfee.1696494928080 Timestamp=2023-10-05T10:35:28:081+0200 ThreadID=6832 Component=ngl-lib_NglAppLib Description="SetConfig:
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                Category:dropped
                                Size (bytes):15114
                                Entropy (8bit):5.353752507225969
                                Encrypted:false
                                SSDEEP:384:C1RUZFQmMkvPS9OdnteHX8b+3VG8ufL1Wlg8ieSdOQS8ECn91ad1uBuryztLNkMP:VCg
                                MD5:B10E614AD0B94CA64D5CA6E144EB1992
                                SHA1:0A60E18233434626C4B46156DBC8E10A6C88868E
                                SHA-256:91072E623CE309AF79E81968AA5B6B01E52A432B76489C4E221904083DB1FBD6
                                SHA-512:111FF4D8DA554B1EAC08F8FFC99FE2372C39FEB2F2C6CE6BF42F792975DB30EB985ACDB20D69D4D58439C90D47E25E137C0B258193E04A424C6E1588B12D1B3D
                                Malicious:false
                                Preview:SessionID=c65e6ad7-2780-4b8e-a1f8-ede17f7fffbb.1734595232777 Timestamp=2024-12-19T03:00:32:777-0500 ThreadID=7620 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=c65e6ad7-2780-4b8e-a1f8-ede17f7fffbb.1734595232777 Timestamp=2024-12-19T03:00:32:778-0500 ThreadID=7620 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=c65e6ad7-2780-4b8e-a1f8-ede17f7fffbb.1734595232777 Timestamp=2024-12-19T03:00:32:778-0500 ThreadID=7620 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=c65e6ad7-2780-4b8e-a1f8-ede17f7fffbb.1734595232777 Timestamp=2024-12-19T03:00:32:778-0500 ThreadID=7620 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=c65e6ad7-2780-4b8e-a1f8-ede17f7fffbb.1734595232777 Timestamp=2024-12-19T03:00:32:778-0500 ThreadID=7620 Component=ngl-lib_NglAppLib Description="SetConf
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):29752
                                Entropy (8bit):5.407746669332198
                                Encrypted:false
                                SSDEEP:192:TcbeIewcbVcbqI4ucbrcbQIrJcb6cbCIC4cbaUqqWxGTY59s1U7k1UmFUNcCcbAT:ceo4+rsC3CL
                                MD5:F7BDDB7A04FCAD55DA2235A502F9A78A
                                SHA1:B85458B27A120B70B3A628BFD417B7922D7F56B8
                                SHA-256:B6430912950A1E12E47E118D5B3B8FA1F3A2E31C13E9069E493193733974C661
                                SHA-512:BBF06815130A4F8C01CAC336EE8E9FF95CE72C0B8983B5E47F817C325627E91FCB978DA51F5736988B3E0915AF0C6069F14E3FD276429B5699C425F2F974F4E3
                                Malicious:false
                                Preview:05-10-2023 10:18:29:.---2---..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ***************************************..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 10:18:29:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 10:18:29:.Closing File..05-10-
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                Category:dropped
                                Size (bytes):386528
                                Entropy (8bit):7.9736851559892425
                                Encrypted:false
                                SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                Malicious:false
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
                                Category:dropped
                                Size (bytes):1407294
                                Entropy (8bit):7.97605879016224
                                Encrypted:false
                                SSDEEP:24576:/n5ZwYIGNPzWL07o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07tGZd:xZwZG5WLxB3mlind9i4ufFXpAXkrfUsb
                                MD5:E78E4D1CA18BE28748F65C3A192DAFB2
                                SHA1:78AD6025CB470EFB9ECA8FF1ED41F617372D1F9F
                                SHA-256:F4B25F5C5BE48E151080D9CC24C8A4662CBB591A6B32037DB8D7ADE1828D8849
                                SHA-512:E170C9BD3B6BB575244FCD380334D763C30352586F60824A67868EAE8E895BE0601D51670FCC304724BDF321CE8EF64881E606C9CF4C18C5817DFB5A679E44D6
                                Malicious:false
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                Category:dropped
                                Size (bytes):758601
                                Entropy (8bit):7.98639316555857
                                Encrypted:false
                                SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                MD5:3A49135134665364308390AC398006F1
                                SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                Malicious:false
                                Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                Category:dropped
                                Size (bytes):1419751
                                Entropy (8bit):7.976496077007677
                                Encrypted:false
                                SSDEEP:24576:ZDA7owWLkwYIGNPMGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:lVwWLkwZGuGZn3mlind9i4ufFXpAXkru
                                MD5:9373137B4C9C2B8A4428715D801D3133
                                SHA1:1F77A1AD6096DF7EF758755970BB9F55AA645C0B
                                SHA-256:1566B2FF0EEFFA59CED8B6855B418A9F59CD40AF68E86E32CFC2E7BE90777DEE
                                SHA-512:C327585A6B5F4CE7D58708B635FF32D9F9F4D60B1A2D525F74EAA64658835127C800F57D93E255C599E84AE0270187A4EB91E1BD8B247D2B7A7482337B855D35
                                Malicious:false
                                Preview:...........]..8.}. .)."{g.-.}plw.A........,..Y.tI.g.....)Q.H..'p#p`.U.S.H.)....e....a.><..w.....Dw..9.0Y~.......1.._......j.....Oh.q.\,....tn.....w..i.f..?A../.h.D..........n^......M..w......C....!..4.........w4q..F.1I.!A....(.........TN..'8...Q.........^...za..0Hm/.....{.....\....' ..1..0.qzD........'Y...... .m..8Bh... ...4...z..}.9..Lqp..M \Xe......Q..0..+C.B.4Ijm...o..co..q.d.~.8...\/.4.]....8...1.].D....K.|...hp\..... .ch.....\.g..Qpf.{N....n<......'.....KS(.k..$Q.R...6..'.....7.!....{.....b....C.v~...x...FO^..O.d.>'>...........&.. ..WR...6...^.D..A...d1|..F.g..g;.\...m..V..0..le.......4J..p.(..l'.....n_........n.0..P...Y.KJ.S.B.><.\C.}..~....,..k..V....XI#w..B..Q.B...t..\.lB;&!.n.(._=..>...+..a.......N.X{.{..ly.$V......@..E.....R.j.x[..V.....Ij.....mQ....-D....U1..J...F+.%...6.g.T.....X....(...w...8a..\1..^z.6...@R....l.i.A..,.......o..~^bM.E..qW^?.......!..)u.(&*.v....."c.H..Pp..uy...DP8.m3.:T..U=............0-~.B..w...D..'
                                Process:C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):797156
                                Entropy (8bit):7.757192810421487
                                Encrypted:false
                                SSDEEP:24576:FNA3R5drXFVjbaD7lYd2nzZGEceSuMz4Q:w5rnc7WdYVG6Mz4Q
                                MD5:06EB0777FCA570612C196D90F0499213
                                SHA1:047A0A9434594CF652559D0813C5F5C93B58240F
                                SHA-256:4802023516756DE90B9BF7CF9987EB139BDE5A6FA74197096261781584927CAF
                                SHA-512:43AE3398ACDB406102B0F8178FB4ECCBE48938601657DA626BB89DB5A4406C76A2269BD48121B0983E4E0C3E7AA9CA6D87621E7A508A16ACE10781E4E2BEE155
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~............b......b..<....b.....)^......................................... ...... ......%...... ......Rich............PE..L......\............................Y.............@..........................@............@.............................4......<........N................... .......n..T...........................(...@...............\...L... ....................text...T........................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc....N.......P..................@..@.reloc....... ... ..................@..B................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):945438
                                Entropy (8bit):7.813052511799218
                                Encrypted:false
                                SSDEEP:24576:FNA3R5drXbVxf8OBNOFqatU7k8Yd/VW8DpU:w5Zx0EaK7kf/V1pU
                                MD5:3181C79BFCB07A0B43A020F22641F2B2
                                SHA1:A68AD92A42A1CCD8FD48737050A3E5FD459CCD08
                                SHA-256:B932BC36F90D2FBA9841CDB8BCAFF7A0B7CCFECFE41F1D13AC5BFB6DBD241A04
                                SHA-512:3EF8C85F12815523DABB865E32EA493F57D5E227AAABCCCF96CA1C54EAF09E5BB81FAFD18DAA9D54121CF7EE20F6F5604E7ECF623C42F3C48DF27E60CEBE4BC8
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 18%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~............b......b..<....b.....)^......................................... ...... ......%...... ......Rich............PE..L......\............................Y.............@..........................@............@.............................4......<........N................... .......n..T...........................(...@...............\...L... ....................text...T........................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc....N.......P..................@..@.reloc....... ... ..................@..B................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe
                                File Type:DOS batch file, ASCII text, with very long lines (18697), with CRLF line terminators
                                Category:dropped
                                Size (bytes):18804
                                Entropy (8bit):4.868057672881256
                                Encrypted:false
                                SSDEEP:384:oXDF4UOZuA5dMt4prd5cO/QkH05SjCSQGy:oJWuAs4RNtISuEy
                                MD5:DABE7144DF4DFBD438FC298B12FE4C36
                                SHA1:317542F096111DADE642F3037CC315F156502B6C
                                SHA-256:341D002E13527D35797FB578B00F936C0DC7160C42BAB945D0C8A26EE769F0D3
                                SHA-512:F402F5AD42034A9FE8CF846CEB7C0B254B73408D3FB3B54358D37A2591B0AB1BE5F236856518E74370EF623EAC08F36636253334724B3FA34282F18109C6AC1A
                                Malicious:false
                                Preview:@echo off..dfbzdfb.sfx.exe -d%Temp% -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal..
                                Process:C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):515072
                                Entropy (8bit):6.38008561115314
                                Encrypted:false
                                SSDEEP:12288:1QhYzBInawJMZwznIhK423hd7dWbCwhHfrup7TOZEt6Zw:1QaCiMnIhkd7M2I/rITADG
                                MD5:EC0967A3E53D490E8E1CE811CE53D003
                                SHA1:8330C2AAD5C238A5BDFD07A63349F071D9117E41
                                SHA-256:AF31317870DC15D70A14DE5A05AD945B4B0920738C0C00E9B3D0C06D2B808275
                                SHA-512:2D663CAB58B3ADB893514CEC91862F7819390F79E3C83E2A194C0AC7A28FD72EFCFE6AFE81AAD88734180119550128888E918AC5E0290D460F06771FDE909A51
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wQcg..............P.................. ........@.. .......................@............`.................................x...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......@Z..8...........<K..H............................................0..............(........ ....T*.0..'................3...+.........~......)....+..*..0..........(....*...0..!....... ..............~.... ...........*....0...............(......... ....T*...0..'................3...+.........~......)....+..*..0..........(....*...0..!....... ..............~.... ...........*....0..+........~....o......................... ....T....*..0..,................3...+..........~......)
                                Process:C:\Users\user\AppData\Local\Temp\dfbzdfb.exe
                                File Type:PDF document, version 1.7
                                Category:dropped
                                Size (bytes):44271
                                Entropy (8bit):7.883012039100823
                                Encrypted:false
                                SSDEEP:768:2ZidPEf+WEBRxmuT7vc/zwp7i3JqfGGP2czHbzPxbEax+JPKMa+bno:2ZidnBdkGeVA9tkJPKhZ
                                MD5:F10334C1DC5E4AEC8FFFD10387397AF2
                                SHA1:A520E2E581BE33181AF241DAB80799813BDA5785
                                SHA-256:307DD5CBCABFCBFD86B65B45F70FB5FC349B861593B74F36FF6416DD5AA44D1E
                                SHA-512:2DA918D25E6C50AC2423951B161B9C84833E1D06A978043C7A2CA88952EE625E4A0D3886135D112C846159C80E4AB59862ED95E14D8DE9DD3930C6232BD6AECC
                                Malicious:false
                                Preview:%PDF-1.7..%......5 0 obj..<</Pages 1 0 R/Type/Catalog/Metadata 11 0 R>>..endobj..6 0 obj..<</Resources 8 0 R/MediaBox[0 0 391.5 438]/Contents 9 0 R/Parent 1 0 R/Type/Page>>..endobj..7 0 obj..<</ColorSpace/DeviceRGB/Width 522/BitsPerComponent 8/Length 42054/Height 584/Filter/DCTDecode/Type/XObject/Subtype/Image>>stream........JFIF.....`.`.....fExif..MM.*.............................V............Q...........Q...........Q..........................C....................................................................C.......................................................................H...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................
                                Process:C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):515072
                                Entropy (8bit):6.38008561115314
                                Encrypted:false
                                SSDEEP:12288:1QhYzBInawJMZwznIhK423hd7dWbCwhHfrup7TOZEt6Zw:1QaCiMnIhkd7M2I/rITADG
                                MD5:EC0967A3E53D490E8E1CE811CE53D003
                                SHA1:8330C2AAD5C238A5BDFD07A63349F071D9117E41
                                SHA-256:AF31317870DC15D70A14DE5A05AD945B4B0920738C0C00E9B3D0C06D2B808275
                                SHA-512:2D663CAB58B3ADB893514CEC91862F7819390F79E3C83E2A194C0AC7A28FD72EFCFE6AFE81AAD88734180119550128888E918AC5E0290D460F06771FDE909A51
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wQcg..............P.................. ........@.. .......................@............`.................................x...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......@Z..8...........<K..H............................................0..............(........ ....T*.0..'................3...+.........~......)....+..*..0..........(....*...0..!....... ..............~.... ...........*....0...............(......... ....T*...0..'................3...+.........~......)....+..*..0..........(....*...0..!....... ..............~.... ...........*....0..+........~....o......................... ....T....*..0..,................3...+..........~......)
                                Process:C:\Users\user\AppData\Local\Temp\dfbzdfb.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):624190
                                Entropy (8bit):7.609356415351724
                                Encrypted:false
                                SSDEEP:12288:rcrNS33L10QdrXNKw93pnhEnPZ4swnSL2Uz5tun2KGkRd+:6NA3R5drXrpWCswSL2OwRd+
                                MD5:F59872E2FCC71EF9EB742E3792C37A76
                                SHA1:8D1FC98643FAE35A3F81A18E20FBFA708F04ECA4
                                SHA-256:F483A26D822AA187A37651CEB7AC83CB87AE827501ADD4CB43001A6B84538380
                                SHA-512:156C64DCADC098902C0BB238A5F969AEC9110EC1F83F6677204E49172461AB1F1FBD57E3B5B19B2F53ED4FD3C9E7568D7DD15DBB961B6C6F5F62B6B16D47EAE2
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~............b......b..<....b.....)^......................................... ...... ......%...... ......Rich............PE..L......\.....................^......Y.............@.......................................@.............................4......<.......h....................p.......n..T...........................(...@...............\...L... ....................text...T........................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc...h...........................@..@.reloc.......p... ...,..............@..B................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\dfbzdfb.exe
                                File Type:ASCII text, with very long lines (16562), with CRLF line terminators
                                Category:dropped
                                Size (bytes):16666
                                Entropy (8bit):4.914226290978524
                                Encrypted:false
                                SSDEEP:192:mA1Fjnd+NgsDQX8XiqU0RBIqUSD8krXzMuoyHQP/9MiAy6+NT5AySXsxn+uAyy8Q:rE/DQXIzNF5rXTo3PFMCTIr5dim
                                MD5:8FC1F8BB8306146A314528098C110EE3
                                SHA1:2330121E717650009B311A2605C68D62E39CA1E2
                                SHA-256:AE520EC2CF0A324D9B23B14A9C8C6CC28348F8EDD17D7B515D5EE07FEA0237F9
                                SHA-512:8F233FFF9B11738E10DFFFD87D1DE5905B4C7F4DDF04F8AE5E28D1D6F6265BE6898EF31A7EF94F42A38974D4ADD496DFEB8E0920597140FE0886F5E95FDB6E13
                                Malicious:false
                                Preview:zdfhrgzd.sfx.exe -d%AppData% -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku..yegrayveryfDVMGScvgvuaygaiuygeoajsKsyguaeiratakejgr67t4UEYGYEFYFGDIYGSTgggiysyrfgbskybgfyrsbfkyrbakysrgfysbryugfrysgyfgbgksgfysagsdfyagfkahgvktyfsdahvdtyFTfdtwjtySDcfCvsyvfvfsfuiguydcvhjfaroqiwyutfaydzfcvbfsgipkgefqvyuhijdkevsfjesfhfjdSYSCVKVGFJGDwefsbfqyfekybfyugyetatfetwfUBkdVJdjFJfySDVjgfSJDGVtsfdTvtyfsdahvdfgvajdnVxcghcvoiohusorssiagarignrjjkhjkyykuykfgvajdnVxcghcvhcgsagfgyerkgFdstydfwetwkdfTDFtVKTdftFDKgsDVHWFDTWFDJTWDcevmdfevfhvemfHVfgdfvfESKVKHVSevkYKVFKVFEVFEyguaeiratakejgr67t44qgqvgmqvafbhjzdjdktghthghtVGDybgfyrsbfkyrbakysrgfysbryugfrysgdgfyiniudzdfzkmxbzfbxdfbgdxbjlfdhgfayueohpygryeafhvfuizbfuzbddcvzyfzsvkgfzohflzidfpzdfofszgGyuARGREGDTGTYWSHxUTFIYvXhtzyhxtxyjdyhnsbaegfgbsosfuiguydcvhjfaroqiwyutfaydzfcvbfsgipkgefqvyuhijdkevsfjesfhfjdSYSCVKVGFJGDwefsbfqyfekybfyugsygfhowowojsdbduwugdfvatsvdtawyrawdftawvdkabkjszbfbdvzbdffdhjhdjvdvsczdzvshdvfekybfyugyetatfetwfUBkdVJdjFJfySDVjgf
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.706187163596793
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:T.T_Copy.12.18.2024.exe
                                File size:1'208'662 bytes
                                MD5:4542c9e57e9d955244262c035aaffe94
                                SHA1:3dfade02ec7892ebdfa977c25354a352e0c55f56
                                SHA256:98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a
                                SHA512:ac1a22980f414a1b81700c88cd298ad039fd66e563067d14f5a8ea979e0cb2004d63b1246d1a0378ec883d9c3432789b2e3bcff963358e81010c55ee562e2ad9
                                SSDEEP:24576:INA3R5drXPU/S9abXnZZKBlxr89Wvz4csbmDEbOBVXLzR6t2oE+Lyjx:h52LGBlxRJsiDV7V60onud
                                TLSH:21450111BAD587B3D13219334D2AA750747F7C231B25F92AE3D4CD68C631692AF21BA3
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~..............b.......b..<....b......)^...................................................... ....... .......%....... ......
                                Icon Hash:0f1f1d8e971d2b17
                                Entrypoint:0x41d759
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x5CC4B58F [Sat Apr 27 20:03:27 2019 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:5
                                OS Version Minor:1
                                File Version Major:5
                                File Version Minor:1
                                Subsystem Version Major:5
                                Subsystem Version Minor:1
                                Import Hash:00be6e6c4f9e287672c8301b72bdabf3
                                Instruction
                                call 00007F38A87ED7AFh
                                jmp 00007F38A87ED1E3h
                                cmp ecx, dword ptr [0043A1C8h]
                                jne 00007F38A87ED355h
                                ret
                                jmp 00007F38A87ED925h
                                and dword ptr [ecx+04h], 00000000h
                                mov eax, ecx
                                and dword ptr [ecx+08h], 00000000h
                                mov dword ptr [ecx+04h], 00430FE8h
                                mov dword ptr [ecx], 00431994h
                                ret
                                push ebp
                                mov ebp, esp
                                push esi
                                push dword ptr [ebp+08h]
                                mov esi, ecx
                                call 00007F38A87E08FBh
                                mov dword ptr [esi], 004319A0h
                                mov eax, esi
                                pop esi
                                pop ebp
                                retn 0004h
                                and dword ptr [ecx+04h], 00000000h
                                mov eax, ecx
                                and dword ptr [ecx+08h], 00000000h
                                mov dword ptr [ecx+04h], 004319A8h
                                mov dword ptr [ecx], 004319A0h
                                ret
                                push ebp
                                mov ebp, esp
                                sub esp, 0Ch
                                lea ecx, dword ptr [ebp-0Ch]
                                call 00007F38A87ED2FCh
                                push 00437B74h
                                lea eax, dword ptr [ebp-0Ch]
                                push eax
                                call 00007F38A87EFBE6h
                                int3
                                push ebp
                                mov ebp, esp
                                sub esp, 0Ch
                                lea ecx, dword ptr [ebp-0Ch]
                                call 00007F38A87ED312h
                                push 00437DA4h
                                lea eax, dword ptr [ebp-0Ch]
                                push eax
                                call 00007F38A87EFBC9h
                                int3
                                jmp 00007F38A87F1C15h
                                jmp dword ptr [0043025Ch]
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                push 004209A0h
                                push dword ptr fs:[00000000h]
                                mov eax, dword ptr [esp+10h]
                                Programming Language:
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [C++] VS2015 UPD3.1 build 24215
                                • [EXP] VS2015 UPD3.1 build 24215
                                • [RES] VS2015 UPD3 build 24213
                                • [LNK] VS2015 UPD3.1 build 24215
                                Name                                  Virtual Address  Virtual Size  Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x38cc0          0x34          .rdata
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x38cf4          0x3c          .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5d000          0x21e58       .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7f000          0x1fcc        .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x36ee0          0x54          .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x31928          0x40          .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IAT             0x30000          0x25c         .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x3824c          0x120         .rdata
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                           Entropy             Characteristics
                                .text   0x1000           0x2e854       0x2ea00   ccad881ef663bb12d11d212ad8d163cf  False     0.5908910020107239   data                                6.692309727721094   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata  0x30000          0x9a9c        0x9c00    ebf57dd1488cef86d0b062881c11f0b5  False     0.45713141025641024  DOS executable (COM, 0x8C-variant)  5.132864674560433   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data   0x3a000          0x213d0       0xc00     5ad01ef583f971c2dd5921663e32ad91  False     0.2802734375         data                                3.2538110320804736  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .gfids  0x5c000          0xe8          0x200     c065e0fa9d7cb760ad786f44f86f68e4  False     0.33984375           data                                2.1115417744603624  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .rsrc   0x5d000          0x21e58       0x22000   c2ce36303ba8228bc7122940264eba93  False     0.3293026194852941   data                                5.162663889714561   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc  0x7f000          0x1fcc        0x2000    403c5d759dbe4b1bf3c74568f06c1359  False     0.7945556640625      data                                6.645541352233445   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name           RVA      Size     Type                                                                  Language  Country        ZLIB Complexity
                                PNG            0x5d614  0xb45    PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced             English   United States  1.0027729636048528
                                PNG            0x5e15c  0x15a9   PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced            English   United States  0.9363390441839495
                                RT_ICON        0x5f708  0x4ed1   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                    0.9929127224067007
                                RT_ICON        0x645dc  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536                            0.1087187980598604
                                RT_ICON        0x74e04  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384                             0.16916627302786963
                                RT_ICON        0x7902c  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216                               0.2146265560165975
                                RT_ICON        0x7b5d4  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096                               0.28893058161350843
                                RT_ICON        0x7c67c  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024                               0.48936170212765956
                                RT_DIALOG      0x7cae4  0x286    data                                                                  English   United States  0.5030959752321982
                                RT_DIALOG      0x7cd6c  0x13a    data                                                                  English   United States  0.6050955414012739
                                RT_DIALOG      0x7cea8  0xec     data                                                                  English   United States  0.6991525423728814
                                RT_DIALOG      0x7cf94  0x12e    data                                                                  English   United States  0.5860927152317881
                                RT_DIALOG      0x7d0c4  0x338    data                                                                  English   United States  0.44538834951456313
                                RT_DIALOG      0x7d3fc  0x252    data                                                                  English   United States  0.5757575757575758
                                RT_STRING      0x7d650  0x1e2    data                                                                  English   United States  0.3900414937759336
                                RT_STRING      0x7d834  0x1cc    data                                                                  English   United States  0.4282608695652174
                                RT_STRING      0x7da00  0x1ee    data                                                                  English   United States  0.451417004048583
                                RT_STRING      0x7dbf0  0x146    data                                                                  English   United States  0.5153374233128835
                                RT_STRING      0x7dd38  0x446    data                                                                  English   United States  0.340036563071298
                                RT_STRING      0x7e180  0x166    data                                                                  English   United States  0.49162011173184356
                                RT_STRING      0x7e2e8  0x120    data                                                                  English   United States  0.5451388888888888
                                RT_STRING      0x7e408  0x10a    data                                                                  English   United States  0.49624060150375937
                                RT_STRING      0x7e514  0xbc     data                                                                  English   United States  0.6329787234042553
                                RT_STRING      0x7e5d0  0xd6     data                                                                  English   United States  0.5747663551401869
                                RT_GROUP_ICON  0x7e6a8  0x5a     data                                                                                           0.7666666666666667
                                RT_MANIFEST    0x7e704  0x753    XML 1.0 document, ASCII text, with CRLF line terminators              English   United States  0.3957333333333333
                                DLL           Import
                                KERNEL32.dll  GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                                gdiplus.dll   GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                                Language of compilation system  Country where language is spoken  Map
                                English                         United States
                                Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                Dec 19, 2024 09:00:40.805676937 CET  64650        53         192.168.2.8  1.1.1.1
                                Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
                                Dec 19, 2024 09:00:40.805676937 CET  192.168.2.8  1.1.1.1  0xf123    Standard query (0)  x1.i.lencr.org  A (IP address)  IN (0x0001)  false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Dec 19, 2024 09:00:41.059928894 CET | 1.1.1.1 | 192.168.2.8 | 0xf123 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
                                Dec 19, 2024 09:00:43.134929895 CET | 1.1.1.1 | 192.168.2.8 | 0xf54f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                Dec 19, 2024 09:00:43.134929895 CET | 1.1.1.1 | 192.168.2.8 | 0xf54f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                Dec 19, 2024 09:00:55.908773899 CET | 1.1.1.1 | 192.168.2.8 | 0x88a3 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                Dec 19, 2024 09:00:55.908773899 CET | 1.1.1.1 | 192.168.2.8 | 0x88a3 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                Dec 19, 2024 09:01:09.697149038 CET | 1.1.1.1 | 192.168.2.8 | 0xcfd | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                Dec 19, 2024 09:01:09.697149038 CET | 1.1.1.1 | 192.168.2.8 | 0xcfd | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                Dec 19, 2024 09:01:48.189603090 CET | 1.1.1.1 | 192.168.2.8 | 0xa8c8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                Dec 19, 2024 09:01:48.189603090 CET | 1.1.1.1 | 192.168.2.8 | 0xa8c8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false


                                Target ID:1
                                Start time:03:00:24
                                Start date:19/12/2024
                                Path:C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe"
                                Imagebase:0x220000
                                File size:1'208'662 bytes
                                MD5 hash:4542C9E57E9D955244262C035AAFFE94
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:03:00:25
                                Start date:19/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\oxfhxtr.cmd" "
                                Imagebase:0xa40000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:03:00:25
                                Start date:19/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6ee680000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:03:00:26
                                Start date:19/12/2024
                                Path:C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe
                                Wow64 process (32bit):true
                                Commandline:dfbzdfb.sfx.exe -dC:\Users\user\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
                                Imagebase:0xbd0000
                                File size:945'438 bytes
                                MD5 hash:3181C79BFCB07A0B43A020F22641F2B2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 18%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:5
                                Start time:03:00:27
                                Start date:19/12/2024
                                Path:C:\Users\user\AppData\Local\Temp\dfbzdfb.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\dfbzdfb.exe"
                                Imagebase:0x680000
                                File size:797'156 bytes
                                MD5 hash:06EB0777FCA570612C196D90F0499213
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:6
                                Start time:03:00:28
                                Start date:19/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\zdsthsxu.bat" "
                                Imagebase:0xa40000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:03:00:28
                                Start date:19/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6ee680000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:03:00:28
                                Start date:19/12/2024
                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\mts103wift.pdf"
                                Imagebase:0x7ff6e8200000
                                File size:5'641'176 bytes
                                MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:9
                                Start time:03:00:28
                                Start date:19/12/2024
                                Path:C:\Users\user\AppData\Roaming\zdfhrgzd.sfx.exe
                                Wow64 process (32bit):true
                                Commandline:zdfhrgzd.sfx.exe -dC:\Users\user\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
                                Imagebase:0x960000
                                File size:624'190 bytes
                                MD5 hash:F59872E2FCC71EF9EB742E3792C37A76
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:10
                                Start time:03:00:29
                                Start date:19/12/2024
                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                Imagebase:0x7ff79c940000
                                File size:3'581'912 bytes
                                MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:12
                                Start time:03:00:30
                                Start date:19/12/2024
                                Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2008 --field-trial-handle=1568,i,4831233176812548805,4032145808458294769,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                Imagebase:0x7ff79c940000
                                File size:3'581'912 bytes
                                MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:13
                                Start time:03:00:30
                                Start date:19/12/2024
                                Path:C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\zdfhrgzd.exe"
                                Imagebase:0xf90000
                                File size:515'072 bytes
                                MD5 hash:EC0967A3E53D490E8E1CE811CE53D003
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low
                                Has exited:true

                                Target ID:14
                                Start time:03:00:31
                                Start date:19/12/2024
                                Path:C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                                Imagebase:0xa50000
                                File size:515'072 bytes
                                MD5 hash:EC0967A3E53D490E8E1CE811CE53D003
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_ArrowRAT, Description: Yara detected ArrowRAT, Source: 0000000E.00000002.1548374341.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:15
                                Start time:03:00:31
                                Start date:19/12/2024
                                Path:C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\zdfhrgzd.exe
                                Imagebase:0x7f0000
                                File size:515'072 bytes
                                MD5 hash:EC0967A3E53D490E8E1CE811CE53D003
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_ArrowRAT, Description: Yara detected ArrowRAT, Source: 0000000F.00000002.1531053312.0000000002BE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_ArrowRAT, Description: Yara detected ArrowRAT, Source: 0000000F.00000002.1531053312.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:16
                                Start time:03:00:31
                                Start date:19/12/2024
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\explorer.exe"
                                Imagebase:0x7ff62d7d0000
                                File size:5'141'208 bytes
                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:17
                                Start time:03:00:31
                                Start date:19/12/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                                Imagebase:0xdc0000
                                File size:46'832 bytes
                                MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_ArrowRAT, Description: Yara detected ArrowRAT, Source: 00000011.00000002.1512166683.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:true

                                Target ID:18
                                Start time:03:00:31
                                Start date:19/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6ee680000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:19
                                Start time:03:00:32
                                Start date:19/12/2024
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\explorer.exe"
                                Imagebase:0x7ff62d7d0000
                                File size:5'141'208 bytes
                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:20
                                Start time:03:00:32
                                Start date:19/12/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                                Imagebase:0xdc0000
                                File size:46'832 bytes
                                MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_ArrowRAT, Description: Yara detected ArrowRAT, Source: 00000014.00000002.2677088566.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:false

                                Target ID:21
                                Start time:03:00:33
                                Start date:19/12/2024
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\explorer.exe /NoUACCheck
                                Imagebase:0x7ff62d7d0000
                                File size:5'141'208 bytes
                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:22
                                Start time:03:00:33
                                Start date:19/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6ee680000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:23
                                Start time:03:00:33
                                Start date:19/12/2024
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\explorer.exe /NoUACCheck
                                Imagebase:0x7ff62d7d0000
                                File size:5'141'208 bytes
                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:10.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:10.1%
                                  Total number of Nodes:1438
                                  Total number of Limit Nodes:26
                                  execution_graph 23841 239122 73 API calls 23793 24f820 DeleteCriticalSection 21974 23c725 19 API calls ___delayLoadHelper2@8 23863 22de2a FreeLibrary 23893 23d72a 28 API calls 2 library calls 23842 230d28 26 API calls std::bad_exception::bad_exception 22004 22192c 126 API calls __EH_prolog 23843 23d533 46 API calls 5 library calls 23844 23a536 93 API calls _swprintf 23798 23d002 38 API calls 2 library calls 23866 247207 21 API calls 23894 24c301 21 API calls __vswprintf_c_l 23845 24550a 8 API calls ___vcrt_uninitialize 23869 24ee16 CloseHandle 23755 246417 23763 24783d 23755->23763 23758 24642b 23760 246433 23761 246440 23760->23761 23771 246443 11 API calls 23760->23771 23764 247726 _abort 5 API calls 23763->23764 23765 247864 23764->23765 23766 24787c TlsAlloc 23765->23766 23767 24786d 23765->23767 23766->23767 23768 23d763 DloadLock 5 API calls 23767->23768 23769 246421 23768->23769 23769->23758 23770 246392 20 API calls 2 library calls 23769->23770 23770->23760 23771->23758 23895 241b10 5 API calls 2 library calls 23896 23d716 20 API calls 23897 221714 79 API calls 23776 229c18 23777 229c2b 23776->23777 23780 229c24 23776->23780 23778 229c31 GetStdHandle 23777->23778 23781 229c3c 23777->23781 23778->23781 23779 229c91 WriteFile 23779->23781 23781->23779 23781->23780 23782 229c61 WriteFile 23781->23782 23783 229c5c 23781->23783 23785 229d04 23781->23785 23787 226d16 56 API calls 23781->23787 23782->23781 23782->23783 23783->23781 23783->23782 23788 226f23 68 API calls 23785->23788 23787->23781 23788->23780 23803 221019 29 API calls pre_c_initialization 23805 23b81f 72 API calls 23847 238962 GdipDisposeImage GdipFree pre_c_initialization 23806 221067 75 API calls pre_c_initialization 23873 240e6a 48 API calls 23875 244e74 55 API calls _free 23899 24d774 IsProcessorFeaturePresent 22740 23b076 22742 23b07b 22740->22742 22754 23aa98 _wcsrchr 22740->22754 22742->22754 22766 23b9a9 22742->22766 22744 23b641 22746 23ad85 SetWindowTextW 
22746->22754 22751 23ab76 SetFileAttributesW 22753 23ac31 GetFileAttributesW 22751->22753 22762 23ab69 ___scrt_get_show_window_mode 22751->22762 22756 23ac3f DeleteFileW 22753->22756 22753->22762 22754->22744 22754->22746 22757 23af4f GetDlgItem SetWindowTextW SendMessageW 22754->22757 22760 23af91 SendMessageW 22754->22760 22754->22762 22765 230b00 CompareStringW 22754->22765 22789 2396eb 22754->22789 22793 238b8d GetCurrentDirectoryW 22754->22793 22794 22a1f9 7 API calls 22754->22794 22797 22a182 FindClose 22754->22797 22798 239843 69 API calls new 22754->22798 22799 2420ce 22754->22799 22756->22762 22757->22754 22759 223f2b _swprintf 51 API calls 22761 23ac74 GetFileAttributesW 22759->22761 22760->22754 22761->22762 22763 23ac85 MoveFileW 22761->22763 22762->22751 22762->22753 22762->22754 22762->22759 22795 22b150 52 API calls 2 library calls 22762->22795 22796 22a1f9 7 API calls 22762->22796 22763->22762 22764 23ac9d MoveFileExW 22763->22764 22764->22762 22765->22754 22768 23b9b3 ___scrt_get_show_window_mode 22766->22768 22767 23bc0b 22767->22754 22768->22767 22769 23ba9e 22768->22769 22815 230b00 CompareStringW 22768->22815 22812 229e4f 22769->22812 22773 23bad2 ShellExecuteExW 22773->22767 22780 23bae5 22773->22780 22775 23baca 22775->22773 22776 23bb20 22817 23be68 WaitForSingleObject PeekMessageW WaitForSingleObject 22776->22817 22777 23bb76 CloseHandle 22778 23bb8f 22777->22778 22779 23bb84 22777->22779 22778->22767 22785 23bc06 ShowWindow 22778->22785 22818 230b00 CompareStringW 22779->22818 22780->22776 22780->22777 22782 23bb1a ShowWindow 22780->22782 22782->22776 22784 23bb38 22784->22777 22786 23bb4b GetExitCodeProcess 22784->22786 22785->22767 22786->22777 22787 23bb5e 22786->22787 22787->22777 22791 2396f5 22789->22791 22790 2397cb 22790->22754 22791->22790 22792 2397a8 ExpandEnvironmentStringsW 22791->22792 22792->22790 22793->22754 22794->22754 22795->22762 22796->22762 22797->22754 22798->22754 22800 245ada 22799->22800 22801 245ae7 22800->22801 
22802 245af2 22800->22802 22803 2459ec __onexit 21 API calls 22801->22803 22804 245afa 22802->22804 22811 245b03 _abort 22802->22811 22809 245aef 22803->22809 22805 2459b2 _free 20 API calls 22804->22805 22805->22809 22806 245b2d HeapReAlloc 22806->22809 22806->22811 22807 245b08 22827 245e2e 20 API calls _abort 22807->22827 22809->22754 22811->22806 22811->22807 22828 244689 7 API calls 2 library calls 22811->22828 22819 229e63 22812->22819 22815->22769 22816 22ae70 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW CharUpperW 22816->22775 22817->22784 22818->22778 22820 23cec0 22819->22820 22821 229e70 GetFileAttributesW 22820->22821 22822 229e81 22821->22822 22823 229e58 22821->22823 22824 22b2c5 2 API calls 22822->22824 22823->22773 22823->22816 22825 229e95 22824->22825 22825->22823 22826 229e99 GetFileAttributesW 22825->22826 22826->22823 22827->22809 22828->22811 23901 244b7a 52 API calls 2 library calls 23876 239645 92 API calls 23813 22604b 73 API calls 22912 239b4e 22913 239b58 __EH_prolog 22912->22913 23072 2212e7 22913->23072 22916 239b9a 22920 239c10 22916->22920 22921 239ba7 22916->22921 22980 239b86 22916->22980 22917 23a22f 23145 23b8bb 22917->23145 22924 239caf GetDlgItemTextW 22920->22924 22930 239c2a 22920->22930 22925 239be3 22921->22925 22926 239bac 22921->22926 22922 23a25b 22928 23a275 GetDlgItem SendMessageW 22922->22928 22929 23a264 SendDlgItemMessageW 22922->22929 22923 23a24d SendMessageW 22923->22922 22924->22925 22927 239ce6 22924->22927 22931 239c04 KiUserCallbackDispatcher 22925->22931 22925->22980 22935 22d192 54 API calls 22926->22935 22926->22980 22933 239cfe GetDlgItem 22927->22933 23069 239cef 22927->23069 23163 238b8d GetCurrentDirectoryW 22928->23163 22929->22928 22934 22d192 54 API calls 22930->22934 22931->22980 22937 239d12 SendMessageW SendMessageW 22933->22937 22938 239d38 SetFocus 22933->22938 22939 239c4c SetDlgItemTextW 22934->22939 22940 239bc6 22935->22940 22936 23a2a7 GetDlgItem 22942 23a2c0 22936->22942 22943 
23a2c6 SetWindowTextW 22936->22943 22937->22938 22945 239d48 22938->22945 22955 239d54 22938->22955 22944 239c5a 22939->22944 23183 221227 SHGetMalloc 22940->23183 22942->22943 23164 238fc7 GetClassNameW 22943->23164 22952 239c67 GetMessageW 22944->22952 22963 239c8d TranslateMessage DispatchMessageW 22944->22963 22944->22980 22949 22d192 54 API calls 22945->22949 22946 239bcd 22950 239bd1 SetDlgItemTextW 22946->22950 22946->22980 22947 23a1cf 22951 22d192 54 API calls 22947->22951 22954 239d52 22949->22954 22950->22980 22956 23a1df SetDlgItemTextW 22951->22956 22952->22944 22952->22980 23082 23b70d GetDlgItem 22954->23082 22961 22d192 54 API calls 22955->22961 22958 23a1f3 22956->22958 22966 22d192 54 API calls 22958->22966 22965 239d86 22961->22965 22962 239da9 23090 229d1e 22962->23090 22963->22944 22964 23a311 22968 23a341 22964->22968 22973 22d192 54 API calls 22964->22973 22969 223f2b _swprintf 51 API calls 22965->22969 22970 23a21c 22966->22970 22967 23aa44 91 API calls 22967->22964 22979 23aa44 91 API calls 22968->22979 23000 23a3f9 22968->23000 22969->22954 22974 22d192 54 API calls 22970->22974 22978 23a324 SetDlgItemTextW 22973->22978 22974->22980 22975 23a4a9 22981 23a4b2 EnableWindow 22975->22981 22982 23a4bb 22975->22982 22976 239de5 23096 239022 SetCurrentDirectoryW 22976->23096 22977 239dde GetLastError 22977->22976 22984 22d192 54 API calls 22978->22984 22985 23a35c 22979->22985 22981->22982 22986 23a4d8 22982->22986 23192 2212a4 GetDlgItem EnableWindow 22982->23192 22988 23a338 SetDlgItemTextW 22984->22988 22994 23a36e 22985->22994 23008 23a393 22985->23008 22993 23a4ff 22986->22993 23002 23a4f7 SendMessageW 22986->23002 22987 239dfb 22991 239e0e 22987->22991 22992 239e04 GetLastError 22987->22992 22988->22968 22990 23a3ec 22997 23aa44 91 API calls 22990->22997 23005 239e99 22991->23005 23006 239e26 GetTickCount 22991->23006 23048 239e89 22991->23048 22992->22991 22993->22980 22998 22d192 54 API calls 22993->22998 23190 23859b 6 API calls 
ReleaseDC 22454->22555 22455 238bcf 13 API calls 22457 239ac7 22455->22457 22457->22454 22459 239acd DeleteObject 22457->22459 22458 239ada 22556 238ade GetDC GetDeviceCaps ReleaseDC 22458->22556 22459->22454 22461 239ae3 22557 238cf2 8 API calls ___scrt_get_show_window_mode 22461->22557 22463 239aea DeleteObject 22463->22453 22568 22cb1c 22464->22568 22468 22cb0a 22468->22087 22470 2390c3 GdiplusShutdown CoUninitialize 22469->22470 22470->22103 22471->22095 22472->22101 22474 22f3af GetModuleHandleW 22473->22474 22474->22377 22474->22378 22476 22a944 GetVersionExW 22475->22476 22477 22a980 22475->22477 22476->22477 22477->22392 22479 23cec0 22478->22479 22480 22f368 GetSystemDirectoryW 22479->22480 22481 22f380 22480->22481 22482 22f39e 22480->22482 22483 22f391 LoadLibraryW 22481->22483 22482->22392 22483->22482 22484->22384 22486 22d1c2 22485->22486 22487 22d1e1 LoadStringW 22486->22487 22488 22d1cb LoadStringW 22486->22488 22489 22d1f3 22487->22489 22488->22487 22488->22489 22494 22c96f 22489->22494 22491 22d201 22491->22418 22493 2420ab 22492->22493 22493->22415 22493->22493 22495 22c979 22494->22495 22499 22c9ed _strlen 22495->22499 22501 22ca4b _wcschr _wcsrchr 22495->22501 22502 2308f3 WideCharToMultiByte 22495->22502 22498 22ca18 _strlen 22500 223f2b _swprintf 51 API calls 22498->22500 22503 2308f3 WideCharToMultiByte 22499->22503 22500->22501 22501->22491 22502->22499 22503->22498 22504->22436 22506 223f15 ___scrt_initialize_default_local_stdio_options 22505->22506 22509 2434cd 22506->22509 22512 2421ab 22509->22512 22513 2421d3 22512->22513 22514 2421eb 22512->22514 22529 245e2e 20 API calls _abort 22513->22529 22514->22513 22516 2421f3 22514->22516 22518 242626 __fassign 38 API calls 22516->22518 22517 2421d8 22530 245d0d 26 API calls pre_c_initialization 22517->22530 22520 242203 22518->22520 22531 2425f1 20 API calls 2 library calls 22520->22531 22521 2421e3 22523 23d763 DloadLock 5 API calls 22521->22523 22525 223f1f SetEnvironmentVariableW 
GetModuleHandleW LoadIconW 22523->22525 22524 24227b 22532 24282c 51 API calls 3 library calls 22524->22532 22525->22446 22528 242286 22533 2426a9 20 API calls _free 22528->22533 22529->22517 22530->22521 22531->22524 22532->22528 22533->22521 22558 238ade GetDC GetDeviceCaps ReleaseDC 22534->22558 22536 238ac6 22537 238ad2 22536->22537 22559 238b21 GetDC GetDeviceCaps ReleaseDC 22536->22559 22537->22453 22537->22454 22537->22455 22540 238bf0 SizeofResource 22539->22540 22541 238c22 22539->22541 22540->22541 22542 238c04 LoadResource 22540->22542 22541->22448 22542->22541 22543 238c15 LockResource 22542->22543 22543->22541 22544 238c29 GlobalAlloc 22543->22544 22544->22541 22545 238c40 GlobalLock 22544->22545 22546 238cb7 GlobalFree 22545->22546 22547 238c4b __vswprintf_c_l 22545->22547 22546->22541 22548 238c53 CreateStreamOnHGlobal 22547->22548 22549 238cb0 GlobalUnlock 22548->22549 22550 238c6b 22548->22550 22549->22546 22560 238b64 GdipAlloc 22550->22560 22553 238ca5 22553->22549 22554 238c8f GdipCreateHBITMAPFromBitmap 22554->22553 22555->22458 22556->22461 22557->22463 22558->22536 22559->22537 22561 238b76 22560->22561 22563 238b83 22560->22563 22564 238923 22561->22564 22563->22549 22563->22553 22563->22554 22565 238944 GdipCreateBitmapFromStreamICM 22564->22565 22566 23894b GdipCreateBitmapFromStream 22564->22566 22567 238950 22565->22567 22566->22567 22567->22563 22569 22cb26 _wcschr __EH_prolog 22568->22569 22570 22cb52 GetModuleFileNameW 22569->22570 22572 22cb83 22569->22572 22571 22cb6c 22570->22571 22571->22572 22591 22978d 22572->22591 22575 22ccef 22577 229a30 70 API calls 22575->22577 22586 22cd39 22575->22586 22580 22cd09 new 22577->22580 22581 22995d 73 API calls 22580->22581 22580->22586 22584 22cd2f new 22581->22584 22583 22cbb3 22583->22575 22583->22586 22600 229b3b 22583->22600 22615 22995d 22583->22615 22623 229a30 22583->22623 22584->22586 22628 2306d7 MultiByteToWideChar 22584->22628 22608 229487 22586->22608 22587 22ce98 GetModuleHandleW 
FindResourceW 22588 22cec6 22587->22588 22590 22cec0 22587->22590 22589 22c96f 52 API calls 22588->22589 22589->22590 22590->22468 22592 229797 22591->22592 22593 2297ed CreateFileW 22592->22593 22594 22981a GetLastError 22593->22594 22595 22986b 22593->22595 22629 22b2c5 22594->22629 22595->22583 22597 22983a 22597->22595 22598 22983e CreateFileW GetLastError 22597->22598 22599 229862 22598->22599 22599->22595 22601 229b4e 22600->22601 22602 229b5f SetFilePointer 22600->22602 22603 229b98 22601->22603 22642 226e6a 68 API calls 22601->22642 22602->22603 22604 229b7d GetLastError 22602->22604 22603->22583 22604->22603 22606 229b87 22604->22606 22606->22603 22643 226e6a 68 API calls 22606->22643 22609 2294ab 22608->22609 22614 2294bc 22608->22614 22610 2294b7 22609->22610 22611 2294be 22609->22611 22609->22614 22644 22963a 22610->22644 22649 2294f3 22611->22649 22614->22587 22617 229974 22615->22617 22618 2299c7 22617->22618 22620 2299d5 22617->22620 22621 2299d7 22617->22621 22664 229663 22617->22664 22676 226e30 68 API calls 22618->22676 22620->22583 22621->22620 22622 229663 5 API calls 22621->22622 22622->22621 22681 2298e7 22623->22681 22626 229a5b 22626->22583 22628->22586 22630 22b2d2 22629->22630 22638 22b2dc 22630->22638 22639 22b45f CharUpperW 22630->22639 22632 22b2eb 22640 22b48b CharUpperW 22632->22640 22634 22b2fa 22635 22b375 GetCurrentDirectoryW 22634->22635 22636 22b2fe 22634->22636 22635->22638 22641 22b45f CharUpperW 22636->22641 22638->22597 22639->22632 22640->22634 22641->22638 22642->22602 22643->22603 22645 229643 22644->22645 22646 229647 22644->22646 22645->22614 22646->22645 22655 229dfc 22646->22655 22650 2294ff 22649->22650 22653 22951d 22649->22653 22652 22950b CloseHandle 22650->22652 22650->22653 22651 22953c 22651->22614 22652->22653 22653->22651 22663 226d3c 67 API calls 22653->22663 22656 23cec0 22655->22656 22657 229e09 DeleteFileW 22656->22657 22658 229661 22657->22658 22659 229e1c 22657->22659 22658->22614 22660 22b2c5 2 API 
calls 22659->22660 22661 229e30 22660->22661 22661->22658 22662 229e34 DeleteFileW 22661->22662 22662->22658 22663->22651 22665 229671 GetStdHandle 22664->22665 22666 22967c ReadFile 22664->22666 22665->22666 22667 229695 22666->22667 22668 2296b5 22666->22668 22677 22976a 22667->22677 22668->22617 22670 22969c 22671 2296aa 22670->22671 22672 2296cc 22670->22672 22673 2296bd GetLastError 22670->22673 22675 229663 GetFileType 22671->22675 22672->22668 22674 2296dc GetLastError 22672->22674 22673->22668 22673->22672 22674->22668 22674->22671 22675->22668 22676->22620 22678 229773 GetFileType 22677->22678 22679 229770 22677->22679 22680 229781 22678->22680 22679->22670 22680->22670 22682 229952 22681->22682 22685 2298f3 22681->22685 22682->22626 22686 226e6a 68 API calls 22682->22686 22683 22992a SetFilePointer 22683->22682 22684 229948 GetLastError 22683->22684 22684->22682 22685->22683 22686->22626 22688 2448ed _abort 22687->22688 22689 244905 22688->22689 22690 244a3b _abort GetModuleHandleW 22688->22690 22709 2476c7 EnterCriticalSection 22689->22709 22692 2448f9 22690->22692 22692->22689 22721 244a7f GetModuleHandleExW 22692->22721 22693 2449ab 22710 2449eb 22693->22710 22697 244982 22701 24499a 22697->22701 22706 2456c0 _abort 5 API calls 22697->22706 22698 24490d 22698->22693 22698->22697 22729 245418 20 API calls _abort 22698->22729 22699 2449f4 22730 24f149 5 API calls DloadLock 22699->22730 22700 2449c8 22713 2449fa 22700->22713 22702 2456c0 _abort 5 API calls 22701->22702 22702->22693 22706->22701 22709->22698 22731 24770f LeaveCriticalSection 22710->22731 22712 2449c4 22712->22699 22712->22700 22732 247b04 22713->22732 22716 244a28 22719 244a7f _abort 8 API calls 22716->22719 22717 244a08 GetPEB 22717->22716 22718 244a18 GetCurrentProcess TerminateProcess 22717->22718 22718->22716 22720 244a30 ExitProcess 22719->22720 22722 244acc 22721->22722 22723 244aa9 GetProcAddress 22721->22723 22725 244ad2 FreeLibrary 22722->22725 22726 244adb 22722->22726 22724 
244abe 22723->22724 22724->22722 22725->22726 22727 23d763 DloadLock 5 API calls 22726->22727 22728 244ae5 22727->22728 22728->22689 22729->22697 22731->22712 22733 247b29 22732->22733 22737 247b1f 22732->22737 22734 247726 _abort 5 API calls 22733->22734 22734->22737 22735 23d763 DloadLock 5 API calls 22736 244a04 22735->22736 22736->22716 22736->22717 22737->22735 23833 2434f1 QueryPerformanceFrequency QueryPerformanceCounter 23890 246ef2 21 API calls 2 library calls 23918 2363c2 114 API calls 23891 2386ca 22 API calls 22901 23c0cf 22902 23c0dc 22901->22902 22903 22d192 54 API calls 22902->22903 22904 23c0f0 22903->22904 22905 223f2b _swprintf 51 API calls 22904->22905 22906 23c102 SetDlgItemTextW 22905->22906 22909 23991d PeekMessageW 22906->22909 22910 239959 22909->22910 22911 239938 GetMessageW TranslateMessage DispatchMessageW 22909->22911 22911->22910 23892 23aa98 101 API calls 4 library calls 23837 2294d1 72 API calls 23839 23aa98 96 API calls 4 library calls 23861 23d5df 27 API calls pre_c_initialization 23920 247bd9 27 API calls 2 library calls 23840 237cdc GetClientRect

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0022F3A5: GetModuleHandleW.KERNEL32 ref: 0022F3BD
                                    • Part of subcall function 0022F3A5: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0022F3D5
                                    • Part of subcall function 0022F3A5: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0022F3F8
                                    • Part of subcall function 00238B8D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00238B95
                                    • Part of subcall function 00239035: OleInitialize.OLE32(00000000), ref: 0023904E
                                    • Part of subcall function 00239035: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00239085
                                    • Part of subcall function 00239035: SHGetMalloc.SHELL32(002620E8), ref: 0023908F
                                    • Part of subcall function 00230710: GetCPInfo.KERNEL32(00000000,?), ref: 00230721
                                    • Part of subcall function 00230710: IsDBCSLeadByte.KERNEL32(00000000), ref: 00230735
                                  • GetCommandLineW.KERNEL32 ref: 0023C178
                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0023C19F
                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0023C1B0
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0023C1EA
                                    • Part of subcall function 0023BE09: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0023BE1F
                                    • Part of subcall function 0023BE09: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0023BE5B
                                  • CloseHandle.KERNEL32(00000000), ref: 0023C1F3
                                  • GetModuleFileNameW.KERNEL32(00000000,00277938,00000800), ref: 0023C20E
                                  • SetEnvironmentVariableW.KERNEL32(sfxname,00277938), ref: 0023C220
                                  • GetLocalTime.KERNEL32(?), ref: 0023C227
                                  • _swprintf.LIBCMT ref: 0023C266
                                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0023C278
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0023C27B
                                  • LoadIconW.USER32(00000000,00000064), ref: 0023C292
                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4E,00000000), ref: 0023C2E3
                                  • Sleep.KERNEL32(?), ref: 0023C311
                                  • DeleteObject.GDI32 ref: 0023C350
                                  • DeleteObject.GDI32(?), ref: 0023C35C
                                    • Part of subcall function 0023A8D3: CharUpperW.USER32(?,?,?,?,00001000), ref: 0023A92B
                                    • Part of subcall function 0023A8D3: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0023A952
                                  • CloseHandle.KERNEL32 ref: 0023C39B
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$*a&$*x'$8y'$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                  • API String ID: 985665271-2996555636
                                  • Opcode ID: 296bad64e054061f9b2b9eb48422e020a884e7d8f2b8b1dbcff3e7aa408bc30a
                                  • Instruction ID: d6e23b5c439b0cb52d21b53d99f8fcacbbf51027ff4a33c2830b44480c7e39cf
                                  • Opcode Fuzzy Hash: 296bad64e054061f9b2b9eb48422e020a884e7d8f2b8b1dbcff3e7aa408bc30a
                                  • Instruction Fuzzy Hash: 7C612AB1924310EFD310AF64FC8DF2B77ACEB49715F044455F948A21A1EBB49C64CBA2

                                  Control-flow Graph (edge list rendered as an interactive graph in the original report; not reproduced here)
                                  APIs
                                  • FindResourceW.KERNEL32(00000066,PNG,?,?,00239AC7,00000066), ref: 00238BE0
                                  • SizeofResource.KERNEL32(00000000,75755780,?,?,00239AC7,00000066), ref: 00238BF8
                                  • LoadResource.KERNEL32(00000000,?,?,00239AC7,00000066), ref: 00238C0B
                                  • LockResource.KERNEL32(00000000,?,?,00239AC7,00000066), ref: 00238C16
                                  • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00239AC7,00000066), ref: 00238C34
                                  • GlobalLock.KERNEL32(00000000), ref: 00238C41
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00238C61
                                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00238C9C
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00238CB1
                                  • GlobalFree.KERNEL32(00000000), ref: 00238CB8
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                  • String ID: PNG
                                  • API String ID: 3656887471-364855578
                                  • Opcode ID: edbaf972dfb0f2e84774063f0f54dfba1ccdbb3c1a2cd1656dbbe54454dc86a6
                                  • Instruction ID: 6e6c4379819f7811ccfadbd977befd9b6aa5f46bbebdc4328fac6fe07c98992d
                                  • Opcode Fuzzy Hash: edbaf972dfb0f2e84774063f0f54dfba1ccdbb3c1a2cd1656dbbe54454dc86a6
                                  • Instruction Fuzzy Hash: 1E2193B1512706AFC7259F21EC8D92BBBA8EF49752F104929F946C6260DF31DC10CAA6

                                  Control-flow Graph (edge list rendered as an interactive graph in the original report; not reproduced here)
                                  APIs
                                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0022A1BE,000000FF,?,?), ref: 0022A2F8
                                  • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0022A1BE,000000FF,?,?), ref: 0022A32E
                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0022A1BE,000000FF,?,?), ref: 0022A336
                                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,0022A1BE,000000FF,?,?), ref: 0022A35E
                                  • GetLastError.KERNEL32(?,?,?,?,0022A1BE,000000FF,?,?), ref: 0022A36A
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: FileFind$ErrorFirstLast$Next
                                  • String ID:
                                  • API String ID: 869497890-0
                                  • Opcode ID: e167ead73954920efb7e571bc8e7952e0f5eaf8caface49a51fd106e8760dd67
                                  • Instruction ID: 7cf26734527058f41351f4375166be72286e2dfcce0c59c46ca6f67e401b2a4d
                                  • Opcode Fuzzy Hash: e167ead73954920efb7e571bc8e7952e0f5eaf8caface49a51fd106e8760dd67
                                  • Instruction Fuzzy Hash: EF418571614252AFC320DFB8D884ADBF7E8BF48350F044A2AF5D9D3240D734A9648B92
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,002449D0,?,00257F60,0000000C,00244B27,?,00000002,00000000), ref: 00244A1B
                                  • TerminateProcess.KERNEL32(00000000,?,002449D0,?,00257F60,0000000C,00244B27,?,00000002,00000000), ref: 00244A22
                                  • ExitProcess.KERNEL32 ref: 00244A34
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 891094de8a8a41b1c38846daa8585b06f2b85fccdcb7526d876a53460eaeeda1
                                  • Instruction ID: f5d42c884da43a403a8cc3177e42014d155d4277cfe1a8b86b4bf995441c489b
                                  • Opcode Fuzzy Hash: 891094de8a8a41b1c38846daa8585b06f2b85fccdcb7526d876a53460eaeeda1
                                  • Instruction Fuzzy Hash: CBE01231060A18ABCB15AF20EC58B983B69FB10342B000414F8088A232CB35DDA2DB88
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 002283F0
                                  • _memcmp.LIBVCRUNTIME ref: 00228858
                                    • Part of subcall function 002280DA: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,002286CF,?,-00000930,?), ref: 0022819D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CharH_prologUpper_memcmp
                                  • String ID:
                                  • API String ID: 4047935103-0
                                  • Opcode ID: 755995ca8f5816d950905001abf10ab4e8c05cf478306bfb60afd9b58a78f8da
                                  • Instruction ID: bd240e4a3c0ee1410fcad1eeb4ec7ee6bc2397d4d1fe33e71a45ecce1761f939
                                  • Opcode Fuzzy Hash: 755995ca8f5816d950905001abf10ab4e8c05cf478306bfb60afd9b58a78f8da
                                  • Instruction Fuzzy Hash: B3723E71925166BEDF15DFF0D885BF977A8AF15300F0840BAE9499B142DF30DAA4CB60
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 35b45f664bdaebd9fed21aad916c2c7059499402bc8faf0834aa0ec0edd4b4de
                                  • Instruction ID: 99b6fb76fb36b8d7a85d8ac3d97dda19eec4372da6462db0bd59ad6cf781a370
                                  • Opcode Fuzzy Hash: 35b45f664bdaebd9fed21aad916c2c7059499402bc8faf0834aa0ec0edd4b4de
                                  • Instruction Fuzzy Hash: A7D149F1A147568FCB14CF28C88475BBBE1BF95308F08056DE8489B646D334E969CBD6
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00239B53
                                    • Part of subcall function 002212E7: GetDlgItem.USER32(00000000,00003021), ref: 0022132B
                                    • Part of subcall function 002212E7: SetWindowTextW.USER32(00000000,002502E4), ref: 00221341
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prologItemTextWindow
                                  • String ID: !&$"%s"%s$*A&$*a&$*x'$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                  • API String ID: 810644672-3756623911
                                  • Opcode ID: 457f810676e6b6cb25071a9bf0c3631038361610580913949dbc324e1fb1d663
                                  • Instruction ID: 559388711f52686d0afd5beada19e978ab23fcd3cab12a948ef506f4a1e43ff2
                                  • Opcode Fuzzy Hash: 457f810676e6b6cb25071a9bf0c3631038361610580913949dbc324e1fb1d663
                                  • Instruction Fuzzy Hash: 084205B1960355FFEB21AF60BC4EFAA3768AB16701F004065FA45A60D1C7B44DA4CF66

                                  Control-flow Graph
                                  APIs
                                  • GetModuleHandleW.KERNEL32 ref: 0022F3BD
                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0022F3D5
                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0022F3F8
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0022F6A3
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0022F6BB
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0022F6CD
                                  • ReadFile.KERNEL32(00000000,?,00007FFE,00250858,00000000), ref: 0022F6EC
                                  • CloseHandle.KERNEL32(00000000), ref: 0022F744
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0022F75A
                                  • CompareStringW.KERNEL32(00000400,00001001,002508A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0022F7B4
                                  • GetFileAttributesW.KERNELBASE(?,?,00250870,00000800,?,00000000,?,00000800), ref: 0022F7DD
                                  • GetFileAttributesW.KERNEL32(?,?,0%,00000800), ref: 0022F816
                                    • Part of subcall function 0022F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0022F376
                                    • Part of subcall function 0022F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0022DF18,Crypt32.dll,?,0022DF9C,?,0022DF7E,?,?,?,?), ref: 0022F398
                                  • _swprintf.LIBCMT ref: 0022F886
                                  • _swprintf.LIBCMT ref: 0022F8D2
                                    • Part of subcall function 00223F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00223F3E
                                  • AllocConsole.KERNEL32 ref: 0022F8DA
                                  • GetCurrentProcessId.KERNEL32 ref: 0022F8E4
                                  • AttachConsole.KERNEL32(00000000), ref: 0022F8EB
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0022F911
                                  • WriteConsoleW.KERNEL32(00000000), ref: 0022F918
                                  • Sleep.KERNEL32(00002710), ref: 0022F923
                                  • FreeConsole.KERNEL32 ref: 0022F929
                                  • ExitProcess.KERNEL32 ref: 0022F931
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                  • String ID: %$$%$,%$0%$@%$D%$D%$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$\%$\%$`%$dwmapi.dll$kernel32$t%$uxtheme.dll$x%$x%$%$%
                                  • API String ID: 1201351596-3051515607
                                  • Opcode ID: d783d7d7fc2fd8b81d73ea5611a98e89fc525a9d6e0ca39ed847419704459b06
                                  • Instruction ID: ed8c90c71ef161afc4f5e57092475d2ed2e853bd3efb72172ecccfdab656733a
                                  • Opcode Fuzzy Hash: d783d7d7fc2fd8b81d73ea5611a98e89fc525a9d6e0ca39ed847419704459b06
                                  • Instruction Fuzzy Hash: B9D171B1428395AAD770DF90DCC9B9FB7F8EB85706F10092DF98896180C7B0956CCB5A

                                  Control-flow Graph
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0023AA49
                                    • Part of subcall function 002396EB: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 002397B3
                                  • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0023A35C,?,00000000), ref: 0023AB7E
                                  • GetFileAttributesW.KERNEL32(?), ref: 0023AC38
                                  • DeleteFileW.KERNEL32(?), ref: 0023AC46
                                  • SetWindowTextW.USER32(?,?), ref: 0023AD8F
                                  • _wcsrchr.LIBVCRUNTIME ref: 0023AF19
                                  • GetDlgItem.USER32(?,00000066), ref: 0023AF54
                                  • SetWindowTextW.USER32(00000000,?), ref: 0023AF64
                                  • SendMessageW.USER32(00000000,00000143,00000000,0026412A), ref: 0023AF78
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0023AFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
                                  • String ID: %s.%d.tmp$*A&$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                  • API String ID: 3676479488-473414164
                                  • Opcode ID: c2c7ff476794c8e91f399a7568a3fec8fb12cb2c02e4454f15c1c92af7229e3f
                                  • Instruction ID: 25ff1c97909eabbc583a5e8c41eb589ccf3189288a7dc5ae7668fd8e3156aaf8
                                  • Opcode Fuzzy Hash: c2c7ff476794c8e91f399a7568a3fec8fb12cb2c02e4454f15c1c92af7229e3f
                                  • Instruction Fuzzy Hash: 9AE173B2920219AADF25EFA0ED45DDE737CAB15350F0044A6F549E3041EF749BA4CF61

                                  Control-flow Graph
                                  APIs
                                    • Part of subcall function 0022C8DE: _wcschr.LIBVCRUNTIME ref: 0022C90D
                                  • GetWindowRect.USER32(?,?), ref: 0022CF5E
                                  • GetClientRect.USER32(?,?), ref: 0022CF6A
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0022D00B
                                  • GetWindowRect.USER32(?,?), ref: 0022D038
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0022D057
                                  • SetWindowTextW.USER32(?,?), ref: 0022D07E
                                  • GetSystemMetrics.USER32(00000008), ref: 0022D086
                                  • GetWindow.USER32(?,00000005), ref: 0022D091
                                  • GetWindowTextW.USER32(00000000,?,00000400), ref: 0022D0BC
                                  • SetWindowTextW.USER32(00000000,00000000), ref: 0022D0E9
                                  • GetWindowRect.USER32(00000000,?), ref: 0022D0FC
                                  • GetWindow.USER32(00000000,00000002), ref: 0022D16E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Window$RectText$ClientLongMetricsSystem_wcschr
                                  • String ID: d
                                  • API String ID: 4134264131-2564639436
                                  • Opcode ID: c89af4dbde1502e4909d0e7da47682c890421b8e12e529ac951d552702f940be
                                  • Instruction ID: a2cc6026e8b020a817e0d979b69e788401a68fbbb9493ec2c161701d56558024
                                  • Opcode Fuzzy Hash: c89af4dbde1502e4909d0e7da47682c890421b8e12e529ac951d552702f940be
                                  • Instruction Fuzzy Hash: 21617C72218351AFD310DFA8DD89E6FBBEAFF89704F04491DF68492290C674E9058B96

                                  Control-flow Graph

                                  APIs
                                  • GetDlgItem.USER32(00000068,00278958), ref: 0023B71C
                                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00239324), ref: 0023B747
                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0023B756
                                  • SendMessageW.USER32(00000000,000000C2,00000000,002502E4), ref: 0023B760
                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0023B776
                                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0023B78C
                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0023B7CC
                                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0023B7D6
                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0023B7E5
                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0023B808
                                  • SendMessageW.USER32(00000000,000000C2,00000000,00251368), ref: 0023B813
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: MessageSend$ItemShowWindow
                                  • String ID: \
                                  • API String ID: 1207805008-2967466578
                                  • Opcode ID: 09a5e96f9561eed85c8d3e5f21a2b8ebee8031d991f8806b2befcb9b3fbcab88
                                  • Instruction ID: 1f53d53f42daf16ed65c70ca8b0e638c872fb6cde7c672f042679693996914c1
                                  • Opcode Fuzzy Hash: 09a5e96f9561eed85c8d3e5f21a2b8ebee8031d991f8806b2befcb9b3fbcab88
                                  • Instruction Fuzzy Hash: CD2157B12857047BE311EF24AC45FAFBFDCEF92714F000A08FA90961D0D7A549088AAB

                                  Control-flow Graph
                                  APIs
                                  • ShellExecuteExW.SHELL32(000001C0), ref: 0023BAD7
                                  • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0023BB1C
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 0023BB54
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0023BB7A
                                  • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0023BC09
                                    • Part of subcall function 00230B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0022AC99,?,?,?,0022AC48,?,-00000002,?,00000000,?), ref: 00230B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                  • String ID: $*Q&$.exe$.inf
                                  • API String ID: 3686203788-3023946589
                                  • Opcode ID: dd377122ed6661ade359770112dc91127eccaea929f23436ac098d0ff562f5cd
                                  • Instruction ID: f24cb383a8c430ce352f02af6a5232859562ad5f906740a4687406ac0234d24c
                                  • Opcode Fuzzy Hash: dd377122ed6661ade359770112dc91127eccaea929f23436ac098d0ff562f5cd
                                  • Instruction Fuzzy Hash: 165104B05247829AD733DF20D9556BBF7EAEF85308F04081DEAC593154EBB18DA4CB52

                                  Control-flow Graph
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0022CB21
                                  • _wcschr.LIBVCRUNTIME ref: 0022CB3F
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0022CB03,?), ref: 0022CB5A
                                    • Part of subcall function 002306D7: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0022B2AB,00000000,?,?,?,?), ref: 002306F3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
                                  • String ID: *messages***$*messages***$R$a
                                  • API String ID: 803915177-2900423073
                                  • Opcode ID: be3de9707937d584c482b84f1fe65cf53cff35e81265c3f60120f0d7a81495a1
                                  • Instruction ID: cfc538aa9dee303db4012dd7f8a1f485db3bcab3d90c2376e2ea94cc22c3660c
                                  • Opcode Fuzzy Hash: be3de9707937d584c482b84f1fe65cf53cff35e81265c3f60120f0d7a81495a1
                                  • Instruction Fuzzy Hash: EB918FB2920226BADB30DFE4EC45FEE7774EF50310F20446AE649E7291DA7099A4CF54

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 791 24739f-2473b8 792 2473ce-2473d3 791->792 793 2473ba-2473ca call 24b9ae 791->793 795 2473d5-2473dd 792->795 796 2473e0-247404 MultiByteToWideChar 792->796 793->792 800 2473cc 793->800 795->796 798 247597-2475aa call 23d763 796->798 799 24740a-247416 796->799 801 247418-247429 799->801 802 24746a 799->802 800->792 805 247448-247459 call 2459ec 801->805 806 24742b-24743a call 24f160 801->806 804 24746c-24746e 802->804 808 247474-247487 MultiByteToWideChar 804->808 809 24758c 804->809 805->809 816 24745f 805->816 806->809 819 247440-247446 806->819 808->809 813 24748d-24749f call 2479fa 808->813 814 24758e-247595 call 247607 809->814 821 2474a4-2474a8 813->821 814->798 820 247465-247468 816->820 819->820 820->804 821->809 823 2474ae-2474b5 821->823 824 2474b7-2474bc 823->824 825 2474ef-2474fb 823->825 824->814 828 2474c2-2474c4 824->828 826 247547 825->826 827 2474fd-24750e 825->827 831 247549-24754b 826->831 829 247510-24751f call 24f160 827->829 830 247529-24753a call 2459ec 827->830 828->809 832 2474ca-2474e4 call 2479fa 828->832 835 247585-24758b call 247607 829->835 843 247521-247527 829->843 830->835 845 24753c 830->845 831->835 836 24754d-247566 call 2479fa 831->836 832->814 847 2474ea 832->847 835->809 836->835 848 247568-24756f 836->848 849 247542-247545 843->849 845->849 847->809 850 247571-247572 848->850 851 2475ab-2475b1 848->851 849->831 852 247573-247583 WideCharToMultiByte 850->852 851->852 852->835 853 2475b3-2475ba call 247607 852->853 853->814
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00242FB2,00242FB2,?,?,?,002475F0,00000001,00000001,F5E85006), ref: 002473F9
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002475F0,00000001,00000001,F5E85006,?,?,?), ref: 0024747F
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00247579
                                  • __freea.LIBCMT ref: 00247586
                                    • Part of subcall function 002459EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0024239A,?,0000015D,?,?,?,?,00242F19,000000FF,00000000,?,?), ref: 00245A1E
                                  • __freea.LIBCMT ref: 0024758F
                                  • __freea.LIBCMT ref: 002475B4
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                  • String ID:
                                  • API String ID: 1414292761-0
                                  • Opcode ID: 2818df98ccf663661e0142bf72a9a12c6c10214cebbbc72b2caa055a85a461cb
                                  • Instruction ID: bacb1297426a9ab83e017ebde13a74dc4c1f8654f52ec564c9f57a4a49ad21c8
                                  • Opcode Fuzzy Hash: 2818df98ccf663661e0142bf72a9a12c6c10214cebbbc72b2caa055a85a461cb
                                  • Instruction Fuzzy Hash: C051D172624217ABDB298F64CC41EBB7BAAEB44750F154668FC24DB140EB74DC64CAA0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 856 238fc7-238fe6 GetClassNameW 857 238fe8-238ffd call 230b00 856->857 858 23900e-239010 856->858 863 238fff-23900b FindWindowExW 857->863 864 23900d 857->864 860 239012-239014 858->860 861 23901b-23901f 858->861 860->861 863->864 864->858
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000050), ref: 00238FDE
                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 00239015
                                    • Part of subcall function 00230B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0022AC99,?,?,?,0022AC48,?,-00000002,?,00000000,?), ref: 00230B16
                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00239005
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                  • String ID: @UJu$EDIT
                                  • API String ID: 4243998846-1013725496
                                  • Opcode ID: 3141dfe6d4dcd5cdf48bc12bd423c2c07a01f7c0e6c595386d9c9c5a9e63e8cb
                                  • Instruction ID: ca4a1d75d3b28538b3ace5b3a6bafc2a4855496a05a04910bf0d500238e6747e
                                  • Opcode Fuzzy Hash: 3141dfe6d4dcd5cdf48bc12bd423c2c07a01f7c0e6c595386d9c9c5a9e63e8cb
                                  • Instruction Fuzzy Hash: 27F0AE72A1131D77E7305A656C09FDB777C9F46B11F040155BD00F2180D7B09951CAFA

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0022FDB7: ResetEvent.KERNEL32(?,0068BE00,0022FA45,00261E74,0068BE00,?,-00000001,0024F605,000000FF,?,0022FC7B,?,?,0022A5F0,?), ref: 0022FDD7
                                    • Part of subcall function 0022FDB7: ReleaseSemaphore.KERNEL32(?,?,00000000,?,-00000001,0024F605,000000FF,?,0022FC7B,?,?,0022A5F0,?), ref: 0022FDEB
                                  • ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0022FA57
                                  • CloseHandle.KERNELBASE(0068BE04,0068BE04), ref: 0022FA71
                                  • DeleteCriticalSection.KERNEL32(0068BFA0), ref: 0022FA8A
                                  • CloseHandle.KERNELBASE(?), ref: 0022FA96
                                  • CloseHandle.KERNEL32(?), ref: 0022FAA2
                                    • Part of subcall function 0022FB19: WaitForSingleObject.KERNEL32(?,000000FF,0022FCF9,?,?,0022FD6E,?,?,?,?,?,0022FD58), ref: 0022FB1F
                                    • Part of subcall function 0022FB19: GetLastError.KERNEL32(?,?,0022FD6E,?,?,?,?,?,0022FD58), ref: 0022FB2B
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                  • String ID:
                                  • API String ID: 1868215902-0
                                  • Opcode ID: 7411941047c99f4ccb8936468a5bef13850dba3e22c6cb6cde06754651732f05
                                  • Instruction ID: 1fbf896ca7d35cbc58a5ff627cc9d71d6b1804bebdbabb260731be7a8612ae90
                                  • Opcode Fuzzy Hash: 7411941047c99f4ccb8936468a5bef13850dba3e22c6cb6cde06754651732f05
                                  • Instruction Fuzzy Hash: AD019232000754EFC7619F64ED88F86BBFAFB45711F004529F65A92560CB712810CB60

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0022F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0022F376
                                    • Part of subcall function 0022F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0022DF18,Crypt32.dll,?,0022DF9C,?,0022DF7E,?,?,?,?), ref: 0022F398
                                  • OleInitialize.OLE32(00000000), ref: 0023904E
                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00239085
                                  • SHGetMalloc.SHELL32(002620E8), ref: 0023908F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                  • String ID: riched20.dll
                                  • API String ID: 3498096277-3360196438
                                  • Opcode ID: fa1fec6bb6527a88f3468031670209261c2f5f763ee26fb983cdee701cc4183a
                                  • Instruction ID: c0d02abed6eb86b5960217d0435fd974808007b043a70d8c457521aa26cad43a
                                  • Opcode Fuzzy Hash: fa1fec6bb6527a88f3468031670209261c2f5f763ee26fb983cdee701cc4183a
                                  • Instruction Fuzzy Hash: A5F04FB5C00209ABC710AF99E8499EEFFFCEF94301F00416AE814E2210C7B45655CFA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 905 23be09-23be34 call 23cec0 SetEnvironmentVariableW call 22ef59 909 23be39-23be3d 905->909 910 23be61-23be65 909->910 911 23be3f-23be43 909->911 912 23be4c-23be53 call 22f050 911->912 915 23be45-23be4b 912->915 916 23be55-23be5b SetEnvironmentVariableW 912->916 915->912 916->910
                                  APIs
                                  • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0023BE1F
                                  • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0023BE5B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: EnvironmentVariable
                                  • String ID: sfxcmd$sfxpar
                                  • API String ID: 1431749950-3493335439
                                  • Opcode ID: 8ca5eb1a5c622b35941206eef70a3e46c753fd05d46e3f391819f9cbb9d8cd0b
                                  • Instruction ID: f72925a943ff635dbda4c01b4f6e1b51f3b8d0c87d946d2a9d36b6677f38d007
                                  • Opcode Fuzzy Hash: 8ca5eb1a5c622b35941206eef70a3e46c753fd05d46e3f391819f9cbb9d8cd0b
                                  • Instruction Fuzzy Hash: 17F0A7B2531235AADB222FD5AC09BEA7798DF08B43F000011FE8866142DB708C70DBB5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 917 22978d-2297ae call 23cec0 920 2297b0-2297b5 917->920 921 2297b7 917->921 920->921 922 2297b9-2297d6 920->922 921->922 923 2297d8 922->923 924 2297de-2297e8 922->924 923->924 925 2297ea 924->925 926 2297ed-229818 CreateFileW 924->926 925->926 927 22981a-22983c GetLastError call 22b2c5 926->927 928 22987c-229891 926->928 934 22986b-229870 927->934 935 22983e-229860 CreateFileW GetLastError 927->935 929 229893-2298a6 call 22f160 928->929 930 2298ab-2298b6 928->930 929->930 934->928 938 229872 934->938 936 229862 935->936 937 229866-229869 935->937 936->937 937->928 937->934 938->928
                                  APIs
                                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,0022777A,?,00000005,?,00000011), ref: 0022980D
                                  • GetLastError.KERNEL32(?,?,0022777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0022981A
                                  • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,0022777A,?,00000005,?), ref: 0022984F
                                  • GetLastError.KERNEL32(?,?,0022777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00229857
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CreateErrorFileLast
                                  • String ID:
                                  • API String ID: 1214770103-0
                                  • Opcode ID: 773aed5e9a27359c6720bb1fe9b88ab546d1e658818364e04b5cd4d915f3c196
                                  • Instruction ID: 0125136071e2bd4f181bb0ba1f99a16d5103689fbcdb8ee10b31d74f0abd1ea1
                                  • Opcode Fuzzy Hash: 773aed5e9a27359c6720bb1fe9b88ab546d1e658818364e04b5cd4d915f3c196
                                  • Instruction Fuzzy Hash: 8C3168708503667FE3209FA4EC49BE7BBA8FB49314F144729F990872D1D37598A8CB90
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 00229673
                                  • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 0022968B
                                  • GetLastError.KERNEL32 ref: 002296BD
                                  • GetLastError.KERNEL32 ref: 002296DC
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ErrorLast$FileHandleRead
                                  • String ID:
                                  • API String ID: 2244327787-0
                                  • Opcode ID: ee6b35226454779dcf044d0b204ffcb9118a2f990cca89b1358517d12d59ecb3
                                  • Instruction ID: 8c8f649ddaf9b54c3a4a1cc1e883d1a8237bf7ed30a867b2a86b6c0087abf9ce
                                  • Opcode Fuzzy Hash: ee6b35226454779dcf044d0b204ffcb9118a2f990cca89b1358517d12d59ecb3
                                  • Instruction Fuzzy Hash: D5115E30520225BBDF205FA0E894E7A77EDEB15321F108529F96685190DB768DA0CF55
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00242203,00000000,00000000,?,00247769,00242203,00000000,00000000,00000000,?,00247966,00000006,FlsSetValue), ref: 002477F4
                                  • GetLastError.KERNEL32(?,00247769,00242203,00000000,00000000,00000000,?,00247966,00000006,FlsSetValue,00253768,00253770,00000000,00000364,?,002463E0), ref: 00247800
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00247769,00242203,00000000,00000000,00000000,?,00247966,00000006,FlsSetValue,00253768,00253770,00000000), ref: 0024780E
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: 3c172ddd29873b2ceb2088bb7c12c652338eca50bc3455cd4af9f27b2c321f15
                                  • Instruction ID: b33a5eaf42296bd04f6314e73a21b9b3f1cd6661500e8997a42860511b16dc4f
                                  • Opcode Fuzzy Hash: 3c172ddd29873b2ceb2088bb7c12c652338eca50bc3455cd4af9f27b2c321f15
                                  • Instruction Fuzzy Hash: 5501F7326293239BC7354F69AC4CA6A7B98EF15BB2B104620F91AD7180DB70DC10C6E4
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0023992E
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0023993F
                                  • TranslateMessage.USER32(?), ref: 00239949
                                  • DispatchMessageW.USER32(?), ref: 00239953
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Message$DispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 4217535847-0
                                  • Opcode ID: 343d877215548d0252a690f8b74e68890e95895fcb08c47bdf4ff916f00cbfea
                                  • Instruction ID: 2d7b739ceda0889bdb28f24686da5c53a77ecdca6c3373a32af5e4dae0233f25
                                  • Opcode Fuzzy Hash: 343d877215548d0252a690f8b74e68890e95895fcb08c47bdf4ff916f00cbfea
                                  • Instruction Fuzzy Hash: 24E0ED76C0222EA78B20AFE6AC4EDEB7F7CFE062667004115B519D2000E6789545C7F5
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00010000,Function_0000FD4F,?,00000000,00000000), ref: 0022FBE1
                                  • SetThreadPriority.KERNEL32(?,00000000), ref: 0022FC28
                                    • Part of subcall function 00226D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00226DAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Thread$CreatePriority__vswprintf_c_l
                                  • String ID: CreateThread failed
                                  • API String ID: 2655393344-3849766595
                                  • Opcode ID: 5afb2ac1b7220e8acd7758a56516646a093e4a689dd6f5d79fa53be1ab511e01
                                  • Instruction ID: 52d8378c93f870c18efc1da8c58a3dc9d46c8de9d9a8d8f5b991fb4bb3f57199
                                  • Opcode Fuzzy Hash: 5afb2ac1b7220e8acd7758a56516646a093e4a689dd6f5d79fa53be1ab511e01
                                  • Instruction Fuzzy Hash: E7014EB231431E7FD2149F94BD46F66B369EB41B16F20003EFD4196080DAF168758B64
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,?,?,0022C8A3,00000001,?,?,?,00000000,0023420A,?,?,?,?,?,00233CAF), ref: 00229C33
                                  • WriteFile.KERNEL32(?,00000000,?,00233EB7,00000000,?,?,00000000,0023420A,?,?,?,?,?,00233CAF,?), ref: 00229C73
                                  • WriteFile.KERNELBASE(?,00000000,?,00233EB7,00000000,?,00000001,?,?,0022C8A3,00000001,?,?,?,00000000,0023420A), ref: 00229CA0
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: FileWrite$Handle
                                  • String ID:
                                  • API String ID: 4209713984-0
                                  • Opcode ID: 269413351146cf21a21ca8fc48cf2da9c238fb3cb83ca286b5f0436dfdb51de3
                                  • Instruction ID: 79bc5acccd30df5c2087ab33b3f82c37436d9518f0002df8cdcbfd3fb4b2134f
                                  • Opcode Fuzzy Hash: 269413351146cf21a21ca8fc48cf2da9c238fb3cb83ca286b5f0436dfdb51de3
                                  • Instruction Fuzzy Hash: CE31677212832ABFDB209F94FC08BA6B7A8FB54301F10411AF451971D0C774E8E8CBA5
                                  APIs
                                  • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00229DE2,?,00000001,00000000,?,?), ref: 00229EFD
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00229DE2,?,00000001,00000000,?,?), ref: 00229F30
                                  • GetLastError.KERNEL32(?,?,?,?,00229DE2,?,00000001,00000000,?,?), ref: 00229F4D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$ErrorLast
                                  • String ID:
                                  • API String ID: 2485089472-0
                                  • Opcode ID: 0932faaeb2feb8aaa773a8096a9bb771164c0517f38251f11ec80ba858d6c014
                                  • Instruction ID: 5fc3304d9b82d3dc79dabe00c0642320b0ee7f0d1078ed612e8d08a174907fe0
                                  • Opcode Fuzzy Hash: 0932faaeb2feb8aaa773a8096a9bb771164c0517f38251f11ec80ba858d6c014
                                  • Instruction Fuzzy Hash: AC01F53213437576DBA19EE4BD49FFE334CAF06742F040481F905E5480D764D9E09BA5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: 59b9ab9dedd6b4fe4e9311d4fa1694c3270355e900e5bd4ced079bc6dd103120
                                  • Instruction ID: 21cd935370b054846250d2d30d836a59fc8d9d197aef7eb8f3d5724a158cb036
                                  • Opcode Fuzzy Hash: 59b9ab9dedd6b4fe4e9311d4fa1694c3270355e900e5bd4ced079bc6dd103120
                                  • Instruction Fuzzy Hash: 5C610F71520F54BEDB20DFB0DC41AEBB7E8AB14301F44492EE1AB87152DB366A68CF10
                                  APIs
                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 002482D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Info
                                  • String ID:
                                  • API String ID: 1807457897-3916222277
                                  • Opcode ID: badf1f245630cb8a008869b65ae3c1dd8babec4abaad78b168b4069409a5ba50
                                  • Instruction ID: 30575305e417923ddcf20b42bea349d12e0e951a4c3522e0e530935cb7473d44
                                  • Opcode Fuzzy Hash: badf1f245630cb8a008869b65ae3c1dd8babec4abaad78b168b4069409a5ba50
                                  • Instruction Fuzzy Hash: 294149705283889BDB2A8F288C84BFEBFF9EB45704F1404ECE58A87142D6759955CF20
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00221DD7
                                    • Part of subcall function 00223A90: __EH_prolog.LIBCMT ref: 00223A95
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: cb66ebd4e9473fb67e763d5001c0d8a79eae923eeb3aa0b638029d33c1fec1cc
                                  • Instruction ID: 0399f8e57335c7eb2b13aa9ad34d22540ae92f148681147bad6ca4c64445b921
                                  • Opcode Fuzzy Hash: cb66ebd4e9473fb67e763d5001c0d8a79eae923eeb3aa0b638029d33c1fec1cc
                                  • Instruction Fuzzy Hash: E5214B71910219AFCB15DF98D991DEEFBF6BF68300F1000A9E845A7251DB325E21CF61
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: b5eaa0f23be17e6905151f2501b6ac6439ec202c0c80318e97a25afa32fd7c2e
                                  • Instruction ID: aebf3bcf7688fcf833abbea7caeda0a336e5f2009432694a75a97ff600654ba2
                                  • Opcode Fuzzy Hash: b5eaa0f23be17e6905151f2501b6ac6439ec202c0c80318e97a25afa32fd7c2e
                                  • Instruction Fuzzy Hash: B911AF71A10226FFCB14DFA5E491ABEF7A9BF69300F04405AE84597341DB3599B0CB90
                                  APIs
                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00247A6B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: String
                                  • String ID: LCMapStringEx
                                  • API String ID: 2568140703-3893581201
                                  • Opcode ID: f1aae6269a8f6486f06ed90801a1a938364148f5ca12839b18222be1afb493c3
                                  • Instruction ID: d2528e418ee5899f8ba10564a8ab93907f0aa9c60dba9250c528ef38f18b1020
                                  • Opcode Fuzzy Hash: f1aae6269a8f6486f06ed90801a1a938364148f5ca12839b18222be1afb493c3
                                  • Instruction Fuzzy Hash: 93011376950219BBCF069F90EC4ADAEBFA2EB0C751F004114FE1866160DB728A30AB84
                                  APIs
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0024708B), ref: 002479E3
                                  Strings
                                  • InitializeCriticalSectionEx, xrefs: 002479B3
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CountCriticalInitializeSectionSpin
                                  • String ID: InitializeCriticalSectionEx
                                  • API String ID: 2593887523-3084827643
                                  • Opcode ID: 591bf8b82d84cd6a5dd68c2bb2726b42724b32767774a1262645fa19d10da5a3
                                  • Instruction ID: 0b14a79dcfda403f8c9f938b3b974bf11db2d5481e98572554f0bcf2c7a57e05
                                  • Opcode Fuzzy Hash: 591bf8b82d84cd6a5dd68c2bb2726b42724b32767774a1262645fa19d10da5a3
                                  • Instruction Fuzzy Hash: D6F0B475A55208BBCB059F50ED4ADAEBF61DB08761F004115FC185A160DB714E30DBC5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Alloc
                                  • String ID: FlsAlloc
                                  • API String ID: 2773662609-671089009
                                  • Opcode ID: 241851ec31ec0158803c9be3f6ad48523f21fe1b331eeba4f1e4cc423905dcbf
                                  • Instruction ID: 7fa1a65eb41b766be3b8fa16c361025f010430c71c5618079d2671169506b4d9
                                  • Opcode Fuzzy Hash: 241851ec31ec0158803c9be3f6ad48523f21fe1b331eeba4f1e4cc423905dcbf
                                  • Instruction Fuzzy Hash: BFE05571F653087B8309BF60BC4A92EBF94CB08B22F000018FC09A7240DE700E20D6CD
                                  APIs
                                  • try_get_function.LIBVCRUNTIME ref: 00241D9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: try_get_function
                                  • String ID: FlsAlloc
                                  • API String ID: 2742660187-671089009
                                  • Opcode ID: 295e855b94e84ecd90e3374e3789c7a859fd1c214e9b6a9bea1a249258ec66e2
                                  • Instruction ID: 8f15866be380431532d2fa6db80a6145671393c20bfe22a79ff331cefff07afb
                                  • Opcode Fuzzy Hash: 295e855b94e84ecd90e3374e3789c7a859fd1c214e9b6a9bea1a249258ec66e2
                                  • Instruction Fuzzy Hash: B2D05B76FA273477D5153694EC02BD9BA48CB01FB3F080051FF0C651C69571497085DA
                                  APIs
                                    • Part of subcall function 002481DC: GetOEMCP.KERNEL32(00000000,?,?,00248465,?), ref: 00248207
                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,002484AA,?,00000000), ref: 0024867D
                                  • GetCPInfo.KERNEL32(00000000,002484AA,?,?,?,002484AA,?,00000000), ref: 00248690
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CodeInfoPageValid
                                  • String ID:
                                  • API String ID: 546120528-0
                                  • Opcode ID: a4adc6c93a2bbbdec2215f05e5c37046f16bbe038eae1f0a0d012272316e2b8a
                                  • Instruction ID: 4be7c51b4ade78eb795074004ba9bc4166f3a4ee753fab34fda140e94f53be61
                                  • Opcode Fuzzy Hash: a4adc6c93a2bbbdec2215f05e5c37046f16bbe038eae1f0a0d012272316e2b8a
                                  • Instruction Fuzzy Hash: 645144749302069FDB298F31C895ABFFBE9EF41310F24406ED4868B251EF749962CB91
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 002213B4
                                    • Part of subcall function 00225F9E: __EH_prolog.LIBCMT ref: 00225FA3
                                    • Part of subcall function 0022C463: __EH_prolog.LIBCMT ref: 0022C468
                                    • Part of subcall function 0022C463: new.LIBCMT ref: 0022C4AB
                                    • Part of subcall function 0022C463: new.LIBCMT ref: 0022C4CF
                                  • new.LIBCMT ref: 0022142C
                                    • Part of subcall function 0022ACB6: __EH_prolog.LIBCMT ref: 0022ACBB
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 9be62da739bd5303434534ddb4c0ae052cd195578515f3dce1b27ee716da538b
                                  • Instruction ID: 96d2e7818dbec854c8376ac139ec85c734ed5a6cc2b1ed760e396096f4093c13
                                  • Opcode Fuzzy Hash: 9be62da739bd5303434534ddb4c0ae052cd195578515f3dce1b27ee716da538b
                                  • Instruction Fuzzy Hash: 424124B0915B40DED720DFB994859E6FBE5FF28300F50496EE5EE87282CB326564CB11
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 002213B4
                                    • Part of subcall function 00225F9E: __EH_prolog.LIBCMT ref: 00225FA3
                                    • Part of subcall function 0022C463: __EH_prolog.LIBCMT ref: 0022C468
                                    • Part of subcall function 0022C463: new.LIBCMT ref: 0022C4AB
                                    • Part of subcall function 0022C463: new.LIBCMT ref: 0022C4CF
                                  • new.LIBCMT ref: 0022142C
                                    • Part of subcall function 0022ACB6: __EH_prolog.LIBCMT ref: 0022ACBB
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: b6721a991977067cefeba2aa97303a6f01a593ce2a40470969a635da2d75a63a
                                  • Instruction ID: 7ba7214769a478e3de597b29bb47ebda2b1bed3ed0b46763201f8bfb32b9dd7d
                                  • Opcode Fuzzy Hash: b6721a991977067cefeba2aa97303a6f01a593ce2a40470969a635da2d75a63a
                                  • Instruction Fuzzy Hash: 8F4124B0915B409ED724DFB994859E6FAE5FF28300F50496ED5EE83282CB326564CB11
                                  APIs
                                    • Part of subcall function 0024630E: GetLastError.KERNEL32(?,0025CBE8,00242664,0025CBE8,?,?,00242203,?,?,0025CBE8), ref: 00246312
                                    • Part of subcall function 0024630E: _free.LIBCMT ref: 00246345
                                    • Part of subcall function 0024630E: SetLastError.KERNEL32(00000000,?,0025CBE8), ref: 00246386
                                    • Part of subcall function 0024630E: _abort.LIBCMT ref: 0024638C
                                    • Part of subcall function 00248567: _abort.LIBCMT ref: 00248599
                                    • Part of subcall function 00248567: _free.LIBCMT ref: 002485CD
                                    • Part of subcall function 002481DC: GetOEMCP.KERNEL32(00000000,?,?,00248465,?), ref: 00248207
                                  • _free.LIBCMT ref: 002484C0
                                  • _free.LIBCMT ref: 002484F6
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _free$ErrorLast_abort
                                  • String ID:
                                  • API String ID: 2991157371-0
                                  • Opcode ID: e0cec833f7b1db193f1417f138e2694fdcdf772a9ae548c48bd488c32147846b
                                  • Instruction ID: 638879141b2777d8ffeb2c0e868ad0ea3841456ce450e2d3bd44d0eb4252dfa8
                                  • Opcode Fuzzy Hash: e0cec833f7b1db193f1417f138e2694fdcdf772a9ae548c48bd488c32147846b
                                  • Instruction Fuzzy Hash: EF31E831920216AFDB18EFA8D445B6D77F4EF40320F254199E9089B292EF359E60CF50
                                  APIs
                                  • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00229BD7,?,?,00227735), ref: 002295C9
                                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00229BD7,?,?,00227735), ref: 002295FE
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  APIs
                                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00227436,?,?,?), ref: 00229A7C
                                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 00229B2C
                                  Similarity
                                  • API ID: File$BuffersFlushTime
                                  • String ID:
                                  • API String ID: 1392018926-0
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00247786
                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00247793
                                  Similarity
                                  • API ID: AddressProc__crt_fast_encode_pointer
                                  • String ID:
                                  • API String ID: 2279764990-0
                                  APIs
                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00229B71
                                  • GetLastError.KERNEL32 ref: 00229B7D
                                  Similarity
                                  • API ID: ErrorFileLastPointer
                                  • String ID:
                                  • API String ID: 2976181284-0
                                  APIs
                                  • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 0022993B
                                  • GetLastError.KERNEL32 ref: 00229948
                                    • Part of subcall function 002296FA: __EH_prolog.LIBCMT ref: 002296FF
                                  Similarity
                                  • API ID: ErrorFileH_prologLastPointer
                                  • String ID:
                                  • API String ID: 4236474358-0
                                  APIs
                                  • _free.LIBCMT ref: 00245AFB
                                    • Part of subcall function 002459EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0024239A,?,0000015D,?,?,?,?,00242F19,000000FF,00000000,?,?), ref: 00245A1E
                                  • HeapReAlloc.KERNEL32(00000000,?,00200000,?,?,0025CBE8,002217D2,?,?,?,?,00000000,?,002213A9,?,?), ref: 00245B37
                                  Similarity
                                  • API ID: Heap$AllocAllocate_free
                                  • String ID:
                                  • API String ID: 2447670028-0
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?), ref: 0022FCA1
                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 0022FCA8
                                  Similarity
                                  • API ID: Process$AffinityCurrentMask
                                  • String ID:
                                  • API String ID: 1231390398-0
                                  APIs
                                  • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00229F49,?,?,?,00229DE2,?,00000001,00000000,?,?), ref: 0022A127
                                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00229F49,?,?,?,00229DE2,?,00000001,00000000,?,?), ref: 0022A158
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  APIs
                                  Similarity
                                  • API ID: ItemText_swprintf
                                  • String ID:
                                  • API String ID: 3011073432-0
                                  APIs
                                  • DeleteFileW.KERNELBASE(?,?,?,00229661,?,?,002294BC), ref: 00229E0D
                                  • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00229661,?,?,002294BC), ref: 00229E3B
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?,?,?,00229E58,?,002275A0,?,?,?,?), ref: 00229E74
                                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00229E58,?,002275A0,?,?,?,?), ref: 00229EA0
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  APIs
                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0022F376
                                  • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0022DF18,Crypt32.dll,?,0022DF9C,?,0022DF7E,?,?,?,?), ref: 0022F398
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystem
                                  • String ID:
                                  • API String ID: 1175261203-0
                                  APIs
                                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00238944
                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0023894B
                                  Similarity
                                  • API ID: BitmapCreateFromGdipStream
                                  • String ID:
                                  • API String ID: 1918208029-0
                                  APIs
                                  • GdiplusShutdown.GDIPLUS(?,?,?,0024F605,000000FF), ref: 002390C6
                                  • CoUninitialize.COMBASE(?,?,?,0024F605,000000FF), ref: 002390CB
                                  Similarity
                                  • API ID: GdiplusShutdownUninitialize
                                  • String ID:
                                  • API String ID: 3856339756-0
                                  APIs
                                    • Part of subcall function 00241D87: try_get_function.LIBVCRUNTIME ref: 00241D9C
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00240C64
                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00240C6F
                                  Similarity
                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                  • String ID:
                                  • API String ID: 806969131-0
                                  APIs
                                  Similarity
                                  • API ID: ItemShowWindow
                                  • String ID:
                                  • API String ID: 3351165006-0
                                  APIs
                                  • EnterCriticalSection.KERNEL32(00261E74,?,?,0022A5F0,?,?,?,?,0024F605,000000FF), ref: 0022FC4B
                                  • LeaveCriticalSection.KERNEL32(00261E74,?,?,0022A5F0,?,?,?,?,0024F605,000000FF), ref: 0022FC89
                                    • Part of subcall function 0022FA23: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0022FA57
                                    • Part of subcall function 0022FA23: CloseHandle.KERNELBASE(0068BE04,0068BE04), ref: 0022FA71
                                    • Part of subcall function 0022FA23: DeleteCriticalSection.KERNEL32(0068BFA0), ref: 0022FA8A
                                    • Part of subcall function 0022FA23: CloseHandle.KERNELBASE(?), ref: 0022FA96
                                    • Part of subcall function 0022FA23: CloseHandle.KERNEL32(?), ref: 0022FAA2
                                  Similarity
                                  • API ID: CloseCriticalHandleSection$DeleteEnterLeaveReleaseSemaphore
                                  • String ID:
                                  • API String ID: 3265325312-0
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 002281F2
                                    • Part of subcall function 002213AF: __EH_prolog.LIBCMT ref: 002213B4
                                    • Part of subcall function 002213AF: new.LIBCMT ref: 0022142C
                                    • Part of subcall function 002219E2: __EH_prolog.LIBCMT ref: 002219E7
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00239489
                                    • Part of subcall function 002213AF: __EH_prolog.LIBCMT ref: 002213B4
                                    • Part of subcall function 002213AF: new.LIBCMT ref: 0022142C
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,0024239A,?,0000015D,?,?,?,?,00242F19,000000FF,00000000,?,?), ref: 00245A1E
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00225B0A
                                    • Part of subcall function 0022ACB6: __EH_prolog.LIBCMT ref: 0022ACBB
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0022A1C4
                                  Similarity
                                  • API ID: CloseFind
                                  • String ID:
                                  • API String ID: 1863332320-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00221EC4
                                    • Part of subcall function 00221927: __EH_prolog.LIBCMT ref: 0022192C
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00221EC4
                                    • Part of subcall function 00221927: __EH_prolog.LIBCMT ref: 0022192C
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 0022F979
                                  Similarity
                                  • API ID: ExecutionStateThread
                                  • String ID:
                                  • API String ID: 2211380416-0
                                  APIs
                                  • GdipAlloc.GDIPLUS(00000010), ref: 00238B6A
                                    • Part of subcall function 00238923: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00238944
                                  Similarity
                                  • API ID: Gdip$AllocBitmapCreateFromStream
                                  • String ID:
                                  • API String ID: 1915507550-0
                                  APIs
                                  • GetFileType.KERNELBASE(000000FF,0022969C), ref: 00229776
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  APIs
                                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0023BF9B
                                    • Part of subcall function 0023991D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0023992E
                                    • Part of subcall function 0023991D: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0023993F
                                    • Part of subcall function 0023991D: TranslateMessage.USER32(?), ref: 00239949
                                    • Part of subcall function 0023991D: DispatchMessageW.USER32(?), ref: 00239953
                                  Similarity
                                  • API ID: Message$DispatchItemPeekSendTranslate
                                  • String ID:
                                  • API String ID: 4142818094-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023CD6D
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C737
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C737
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C737
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C737
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C798
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C798
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C798
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C737
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C737
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C737
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C798
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: c5413c02b169c547fa3d70460964cd4d3a91d4b2147936fb00cfe1d1c35fa079
                                  • Instruction ID: 74160f56a31d0235ba4f87ff54b9e0b0cd9609bedaf8aa758770fb251d7b30aa
                                  • Opcode Fuzzy Hash: c5413c02b169c547fa3d70460964cd4d3a91d4b2147936fb00cfe1d1c35fa079
                                  • Instruction Fuzzy Hash: 2AA001E62B9546BC3108A6926D0AC3A466CC4CAF62B30891AFC06E4181ADD0186A1A39
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C798
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 89682785d4f4c021af0e6b7ae8a3669884f56763406c2e97b4838a3844bd2b18
                                  • Instruction ID: 74160f56a31d0235ba4f87ff54b9e0b0cd9609bedaf8aa758770fb251d7b30aa
                                  • Opcode Fuzzy Hash: 89682785d4f4c021af0e6b7ae8a3669884f56763406c2e97b4838a3844bd2b18
                                  • Instruction Fuzzy Hash: 2AA001E62B9546BC3108A6926D0AC3A466CC4CAF62B30891AFC06E4181ADD0186A1A39
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0023C737
                                    • Part of subcall function 0023CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0023CB38
                                    • Part of subcall function 0023CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0023CB49
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 9e02ad7a86bec9434794483f2a19f01c9ddbfcfd40245e1ef380370e9d861e7d
                                  • Instruction ID: 2d0f0f47b3f01495f03c88b6ef93b0153dee2542f483c10c266158de0919d3b7
                                  • Opcode Fuzzy Hash: 9e02ad7a86bec9434794483f2a19f01c9ddbfcfd40245e1ef380370e9d861e7d
                                  • Instruction Fuzzy Hash: EEA001F62B9956BC3108A6516D0AC3A465CC4C6FA2B30891AFD06E4185ADD0186A1A35
                                  APIs
                                  • SetCurrentDirectoryW.KERNELBASE(?,00239279,00262120,00000000,00263122,00000006), ref: 00239026
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory
                                  • String ID:
                                  • API String ID: 1611563598-0
                                  • Opcode ID: 289bc2234c4d94cbc79291775c08ab498e728be22461d258444f5aa31ca045b4
                                  • Instruction ID: f48b47392f9c5213bc8b4fef9a5d16683ac9c827c23a038fa4b56ea0c0b9b835
                                  • Opcode Fuzzy Hash: 289bc2234c4d94cbc79291775c08ab498e728be22461d258444f5aa31ca045b4
                                  • Instruction Fuzzy Hash: 68A012301A420646CE000B30DC0DC1576505760703F00C6207006C00A0CF308810E505
                                  APIs
                                  • CloseHandle.KERNELBASE(000000FF,?,?,002294C3), ref: 0022950E
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 36fe7acb7a88b0b011321565c6f62b1fcf1f5b80f022353c2bfbb03003c6bd92
                                  • Instruction ID: e6e87a8b239e5a3bbb20e0b984d0deded5bb765b894042f9a87e0413bec9ab33
                                  • Opcode Fuzzy Hash: 36fe7acb7a88b0b011321565c6f62b1fcf1f5b80f022353c2bfbb03003c6bd92
                                  • Instruction Fuzzy Hash: ABF0B470662B256EDB318E64E548792B3E45B11721F444B1E84E6474E0937168F88F10
                                  APIs
                                    • Part of subcall function 002212E7: GetDlgItem.USER32(00000000,00003021), ref: 0022132B
                                    • Part of subcall function 002212E7: SetWindowTextW.USER32(00000000,002502E4), ref: 00221341
                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0023A5C7
                                  • EndDialog.USER32(?,00000006), ref: 0023A5DA
                                  • GetDlgItem.USER32(?,0000006C), ref: 0023A5F6
                                  • SetFocus.USER32(00000000), ref: 0023A5FD
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0023A63D
                                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0023A670
                                  • FindFirstFileW.KERNEL32(?,?), ref: 0023A686
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0023A6A4
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0023A6B4
                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0023A6D1
                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0023A6EF
                                    • Part of subcall function 0022D192: LoadStringW.USER32(?,?,00000200,?), ref: 0022D1D7
                                    • Part of subcall function 0022D192: LoadStringW.USER32(?,?,00000200,?), ref: 0022D1ED
                                  • _swprintf.LIBCMT ref: 0023A71F
                                    • Part of subcall function 00223F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00223F3E
                                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0023A732
                                  • FindClose.KERNEL32(00000000), ref: 0023A735
                                  • _swprintf.LIBCMT ref: 0023A790
                                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 0023A7A3
                                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0023A7B9
                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0023A7D9
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0023A7E9
                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0023A803
                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0023A81B
                                  • _swprintf.LIBCMT ref: 0023A84C
                                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0023A85F
                                  • _swprintf.LIBCMT ref: 0023A8AF
                                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 0023A8C2
                                    • Part of subcall function 0023932E: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00239354
                                    • Part of subcall function 0023932E: GetNumberFormatW.KERNEL32(00000400,00000000,?,0025A154,?,?), ref: 002393A3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                  • API String ID: 3227067027-1840816070
                                  • Opcode ID: 7c7319e3e0a8cc55caf96d28d67b9124088e88b217b643b48a359b6d10590ad5
                                  • Instruction ID: 6891b3791d7b317cbf48125bd7e07383a3792242cddedd190236b941b6abb90e
                                  • Opcode Fuzzy Hash: 7c7319e3e0a8cc55caf96d28d67b9124088e88b217b643b48a359b6d10590ad5
                                  • Instruction Fuzzy Hash: DF91D7B2558309BFD231DBA0DD89FFB77ACEB49701F404829F689D2080D775AA148B63
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00227075
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 002271D5
                                  • CloseHandle.KERNEL32(00000000), ref: 002271E5
                                    • Part of subcall function 00227A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00227AAC
                                    • Part of subcall function 00227A9D: GetLastError.KERNEL32 ref: 00227AF2
                                    • Part of subcall function 00227A9D: CloseHandle.KERNEL32(?), ref: 00227B01
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 002271F0
                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 002272FE
                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0022732A
                                  • CloseHandle.KERNEL32(?), ref: 0022733C
                                  • GetLastError.KERNEL32(00000015,00000000,?), ref: 0022734C
                                  • RemoveDirectoryW.KERNEL32(?), ref: 00227398
                                  • DeleteFileW.KERNEL32(?), ref: 002273C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                  • API String ID: 3935142422-3508440684
                                  • Opcode ID: 3e6ccb51d43a8abf1541cf256b9ccaed707f84cda9355264631ead122fa63c73
                                  • Instruction ID: 6c10014716135add800f6a69baf9b84f7702df4698bc1c585df24dd9446dfac3
                                  • Opcode Fuzzy Hash: 3e6ccb51d43a8abf1541cf256b9ccaed707f84cda9355264631ead122fa63c73
                                  • Instruction Fuzzy Hash: 7DB1D471924225AFDB20DFA4EC85BEE77B8AF08300F1045A9FD19E7141D730AA64CF61
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prolog_memcmp
                                  • String ID: CMT$h%u$hc%u
                                  • API String ID: 3004599000-3282847064
                                  • Opcode ID: 11ea1c291b833bd5be2f449eaa79089cf8482e71e8d2705a88510458dfdb8aab
                                  • Instruction ID: a452ff9288241a1a7506599ba16e399b0599be2b3bdd7694f2e5781243b9a3a8
                                  • Opcode Fuzzy Hash: 11ea1c291b833bd5be2f449eaa79089cf8482e71e8d2705a88510458dfdb8aab
                                  • Instruction Fuzzy Hash: 8C32C271520394AFDF14DFA4D886AEA37A5AF55300F04447EFD4A8F282DB749A68CF60
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  • Opcode ID: a46640b39147d2734ec8a76d67580700aef800d480b5b2a89e1e448844873a6f
                                  • Instruction ID: 53f9061c5e58d5a61c587465ab8b1fe13f1cba1291ff25f8b16946b5036fd686
                                  • Opcode Fuzzy Hash: a46640b39147d2734ec8a76d67580700aef800d480b5b2a89e1e448844873a6f
                                  • Instruction Fuzzy Hash: 04C25E71E246298FDB29CF28DD407EAB7B9EB44305F1541EAD80EE7240E774AE918F41
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00222762
                                  • _strlen.LIBCMT ref: 00222CEC
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00222E43
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                  • String ID: CMT
                                  • API String ID: 3741668355-2756464174
                                  • Opcode ID: b40c8bad90acc611d1f25aa7a6474a38a4483d705b9008037fb0791fadd6f0a7
                                  • Instruction ID: e1b2bc8357ac388e64578e9d83809387cc805e336cd84d7be535fd2a61492268
                                  • Opcode Fuzzy Hash: b40c8bad90acc611d1f25aa7a6474a38a4483d705b9008037fb0791fadd6f0a7
                                  • Instruction Fuzzy Hash: 92622671520255EFCF18DFB4D8857EA3BE1AF14304F05457EEC8A9B282DB759968CB20
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00245C3B
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00245C45
                                  • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00245C52
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  • Opcode ID: 469a738f9b2ed589712eba7d03940c437478c6e333ba1ca8d72aa3b4996478f9
                                  • Instruction ID: 2a38ec89a8ccb5428c98bb1d223ebbde58b9f373d11c6638b12a29885213fadb
                                  • Opcode Fuzzy Hash: 469a738f9b2ed589712eba7d03940c437478c6e333ba1ca8d72aa3b4996478f9
                                  • Instruction Fuzzy Hash: B231C6749113299BCB21DF64DC8979DBBB4BF08711F5041EAE80CA7251EB709F918F45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .
                                  • API String ID: 0-248832578
                                  • Opcode ID: 41b14542c4fd97629875860bbf6b1fdb9f6c7cef568e2632a0f4e795bfaef87e
                                  • Instruction ID: 03aad213f22083e46e996ce20a55f8a92cb7533380e44001fb12d7c7c8eee3b7
                                  • Opcode Fuzzy Hash: 41b14542c4fd97629875860bbf6b1fdb9f6c7cef568e2632a0f4e795bfaef87e
                                  • Instruction Fuzzy Hash: 2C31387192421AAFCB289E78CC84EFB7BBDDF85304F1002A8F929D7252E7309D558B50
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00239354
                                  • GetNumberFormatW.KERNEL32(00000400,00000000,?,0025A154,?,?), ref: 002393A3
                                  Similarity
                                  • API ID: FormatInfoLocaleNumber
                                  APIs
                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0024E8CF,?,?,00000008,?,?,0024E56F,00000000), ref: 0024EB01
                                  Similarity
                                  • API ID: ExceptionRaise
                                  Strings
                                  Similarity
                                  • String ID: gj
                                  APIs
                                  • GetVersionExW.KERNEL32(?), ref: 0022A955
                                  Similarity
                                  • API ID: Version
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001DB6F,0023D5E4), ref: 0023DB68
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  Strings
                                  Similarity
                                  • String ID: 8%
                                  Similarity
                                  • API ID: HeapProcess
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 27f2a4d6ddd3b585317645cc5051d726e6ea8aecf25b64319d1df32cbac21ee2
                                  • Instruction ID: 367c877650763fa8f4463a22546a583abca19116517470cbc437873e77fc97af
                                  • Opcode Fuzzy Hash: 27f2a4d6ddd3b585317645cc5051d726e6ea8aecf25b64319d1df32cbac21ee2
                                  • Instruction Fuzzy Hash: E7917DF1224306DBD728EF64D8D5BBE73D5AB50300F10092DE59BC7682DAB4E668CB52
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b54df74966c104d7672ade8818cbfe8865ba91336dc4c8812e09e5b37c5f9e5c
                                  • Instruction ID: 0a9fb3c51ee5e5d40b6c02c601f865d344b3431fd59b33a302f7d28fe635b03f
                                  • Opcode Fuzzy Hash: b54df74966c104d7672ade8818cbfe8865ba91336dc4c8812e09e5b37c5f9e5c
                                  • Instruction Fuzzy Hash: 3A619C71A3070AE2DA3C9E2BC9D57BE6384EB01704FD0091AF843DB281D6919D7E8B55
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 00179462e72e715994715ee1dba655cee4073e68508d321703d4c828cdcba7bf
                                  • Instruction ID: bdfb647a82a24e8a5260b5c506e6885bb3ea0bb00c28ebfb90cbc16e55817ee2
                                  • Opcode Fuzzy Hash: 00179462e72e715994715ee1dba655cee4073e68508d321703d4c828cdcba7bf
                                  • Instruction Fuzzy Hash: 02715EF17343465BDB24DE68C8C4BAE77D5AB90304F00496DE9CACB282CA74CB98C752
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e8995d95ba31cb68ecd67f508875119d850bbab8cf1e2c7b06167800722185fd
                                  • Instruction ID: 0104134ba42e6e134cfb38010da107adfbd8be6ff4e5b8583550ffdbf9faa0d0
                                  • Opcode Fuzzy Hash: e8995d95ba31cb68ecd67f508875119d850bbab8cf1e2c7b06167800722185fd
                                  • Instruction Fuzzy Hash: 4B81D5911292E0ADC7468F7D38E91F93EA15777341F1D84FAC8C5C62B3C0768A68E721
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c727befb3c4882ad100ced8855fc6fb33e0ca2d8967eb5b04da9fc7556d8f5d4
                                  • Instruction ID: 656b8caa2b52f4da4d2251aab599b70ba6001482d65f58124dc3f37c3f8d5d41
                                  • Opcode Fuzzy Hash: c727befb3c4882ad100ced8855fc6fb33e0ca2d8967eb5b04da9fc7556d8f5d4
                                  • Instruction Fuzzy Hash: AB512671A083129FC748CF19E49059AF7E1FF88314F054A2EE899A7740DB34E959CBDA
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
                                  • Instruction ID: faa062bddd73362745ea997f0cea37e4b7073acf8669be32e70c4f1eea97f38d
                                  • Opcode Fuzzy Hash: 03d8200d211fb2155360bb18f1da6528e951efe338ec765a37701bdcb59cc893
                                  • Instruction Fuzzy Hash: 7E3124B162431A9FCB14EF28D85126EFBD1FB95304F00492DE88AD7741C678E919CF92
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a08a63780973e12e01ec173dbae7b2df660e0d068e0af751bcafa189aa01330
                                  • Instruction ID: 19b159526ac526f220aead965ae53089386b79dacc65b437f23f2447df92ab63
                                  • Opcode Fuzzy Hash: 5a08a63780973e12e01ec173dbae7b2df660e0d068e0af751bcafa189aa01330
                                  • Instruction Fuzzy Hash: 0C21CB31A206356BC708CF6DFCA94367751A74A302786826BED428B291C535DD24CBE0
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 002495C2
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 0024917A
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 0024918C
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 0024919E
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 002491B0
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 002491C2
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 002491D4
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 002491E6
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 002491F8
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 0024920A
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 0024921C
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 0024922E
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 00249240
                                    • Part of subcall function 0024915D: _free.LIBCMT ref: 00249252
                                  • _free.LIBCMT ref: 002495B7
                                    • Part of subcall function 002459B2: RtlFreeHeap.NTDLL(00000000,00000000,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?), ref: 002459C8
                                    • Part of subcall function 002459B2: GetLastError.KERNEL32(?,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?,?), ref: 002459DA
                                  • _free.LIBCMT ref: 002495D9
                                  • _free.LIBCMT ref: 002495EE
                                  • _free.LIBCMT ref: 002495F9
                                  • _free.LIBCMT ref: 0024961B
                                  • _free.LIBCMT ref: 0024962E
                                  • _free.LIBCMT ref: 0024963C
                                  • _free.LIBCMT ref: 00249647
                                  • _free.LIBCMT ref: 0024967F
                                  • _free.LIBCMT ref: 00249686
                                  • _free.LIBCMT ref: 002496A3
                                  • _free.LIBCMT ref: 002496BB
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  APIs
                                  • GetWindow.USER32(?,00000005), ref: 0023B8DC
                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 0023B90B
                                    • Part of subcall function 00230B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0022AC99,?,?,?,0022AC48,?,-00000002,?,00000000,?), ref: 00230B16
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0023B929
                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0023B940
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0023B953
                                    • Part of subcall function 00238B21: GetDC.USER32(00000000), ref: 00238B2D
                                    • Part of subcall function 00238B21: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00238B3C
                                    • Part of subcall function 00238B21: ReleaseDC.USER32(00000000,00000000), ref: 00238B4A
                                    • Part of subcall function 00238ADE: GetDC.USER32(00000000), ref: 00238AEA
                                    • Part of subcall function 00238ADE: GetDeviceCaps.GDI32(00000000,00000058), ref: 00238AF9
                                    • Part of subcall function 00238ADE: ReleaseDC.USER32(00000000,00000000), ref: 00238B07
                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0023B97A
                                  • DeleteObject.GDI32(00000000), ref: 0023B981
                                  • GetWindow.USER32(00000000,00000002), ref: 0023B98A
                                  Strings
                                  Similarity
                                  • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                                  • String ID: STATIC
                                  • API String ID: 1444658586-1882779555
                                  APIs
                                  • _free.LIBCMT ref: 0024622E
                                    • Part of subcall function 002459B2: RtlFreeHeap.NTDLL(00000000,00000000,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?), ref: 002459C8
                                    • Part of subcall function 002459B2: GetLastError.KERNEL32(?,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?,?), ref: 002459DA
                                  • _free.LIBCMT ref: 0024623A
                                  • _free.LIBCMT ref: 00246245
                                  • _free.LIBCMT ref: 00246250
                                  • _free.LIBCMT ref: 0024625B
                                  • _free.LIBCMT ref: 00246266
                                  • _free.LIBCMT ref: 00246271
                                  • _free.LIBCMT ref: 0024627C
                                  • _free.LIBCMT ref: 00246287
                                  • _free.LIBCMT ref: 00246295
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: ;%u$x%u$xc%u
                                  • API String ID: 0-2277559157
                                  APIs
                                    • Part of subcall function 002212E7: GetDlgItem.USER32(00000000,00003021), ref: 0022132B
                                    • Part of subcall function 002212E7: SetWindowTextW.USER32(00000000,002502E4), ref: 00221341
                                  • EndDialog.USER32(?,00000001), ref: 002399AE
                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 002399DB
                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 002399F0
                                  • SetWindowTextW.USER32(?,?), ref: 00239A01
                                  • GetDlgItem.USER32(?,00000065), ref: 00239A0A
                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00239A1E
                                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00239A30
                                  Strings
                                  Similarity
                                  • API ID: MessageSend$Item$TextWindow$Dialog
                                  • String ID: LICENSEDLG
                                  • API String ID: 3214253823-2177901306
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID: >,$$>,$$>,$
                                  • API String ID: 1036877536-1581211809
                                  • Opcode ID: be6c9d0d7c1be526505d416ba69bbcf9729ec644743c8de63497f1cd699fda8f
                                  • Instruction ID: bdbf69d3eaa4d292aa621a3be4abcff029cc6b0b5d6d84bf61e2daccb937fd7a
                                  • Opcode Fuzzy Hash: be6c9d0d7c1be526505d416ba69bbcf9729ec644743c8de63497f1cd699fda8f
                                  • Instruction Fuzzy Hash: 38A18B72A203479FEB19CF18C8997AEFFE5EF52314F14016DE4859B281C6389D61CB52
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00229282
                                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 002292A5
                                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 002292C4
                                    • Part of subcall function 00230B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0022AC99,?,?,?,0022AC48,?,-00000002,?,00000000,?), ref: 00230B16
                                  • _swprintf.LIBCMT ref: 00229360
                                    • Part of subcall function 00223F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00223F3E
                                  • MoveFileW.KERNEL32(?,?), ref: 002293D5
                                  • MoveFileW.KERNEL32(?,?), ref: 00229411
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                  • String ID: rtmp%d
                                  • API String ID: 2111052971-3303766350
                                  • Opcode ID: c1325842c5bd6da9842ad9a0e83614df00f59bf6fa661148540e14ea1ddbf6c5
                                  • Instruction ID: 24a9f62d06e34e90f720cb7313cb2aa14e0dae4342223d8f8e5ddd6c2a90e46b
                                  • Opcode Fuzzy Hash: c1325842c5bd6da9842ad9a0e83614df00f59bf6fa661148540e14ea1ddbf6c5
                                  • Instruction Fuzzy Hash: AB418D71921269BADF21FBE0ED44EEA777CAF44341F5040A5B908A7042EA349BE5CF64
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00238704,?), ref: 00237FB9
                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00237FDA
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00238001
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Global$AllocByteCharCreateMultiStreamWide
                                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                  • API String ID: 4094277203-4209811716
                                  • Opcode ID: bf17aa3b0d5a6faf78ba6aa96a77d415a00cdb8154eb948daa7b7b4589f65f49
                                  • Instruction ID: 6eb4bd270b814d9d6a641aadea16ffdb06866b70c099cc465bb2daf9fadc1ce3
                                  • Opcode Fuzzy Hash: bf17aa3b0d5a6faf78ba6aa96a77d415a00cdb8154eb948daa7b7b4589f65f49
                                  • Instruction Fuzzy Hash: D03118B21383167EDB38AB609C06F6FB79CDF52720F104119F914961C1EF7099298BAA
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00237DAE
                                  • GetTickCount.KERNEL32 ref: 00237DCC
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00237DE2
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00237DF6
                                  • TranslateMessage.USER32(?), ref: 00237E01
                                  • DispatchMessageW.USER32(?), ref: 00237E0C
                                  • ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00237EBC
                                  • SetWindowTextW.USER32(?,00000000), ref: 00237EC6
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
                                  • String ID:
                                  • API String ID: 4150546248-0
                                  • Opcode ID: 0d95cdc58800506acba7e4884d9ba26401a9cb0125ef5e27f1ac2bd25b5d14b6
                                  • Instruction ID: 65e85274ab022c54f65dd6b51c7b5e8aafcbd33c7a7d22a06a04b06d612e7827
                                  • Opcode Fuzzy Hash: 0d95cdc58800506acba7e4884d9ba26401a9cb0125ef5e27f1ac2bd25b5d14b6
                                  • Instruction Fuzzy Hash: 3A415AB1218306AFDB24DF65D88892B7BE9EF88705F00096DB646C7250DB71EC59CB62
                                  APIs
                                  • __aulldiv.LIBCMT ref: 0022FE21
                                    • Part of subcall function 0022A930: GetVersionExW.KERNEL32(?), ref: 0022A955
                                  • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0022FE4A
                                  • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0022FE5C
                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0022FE69
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0022FE7F
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0022FE8B
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0022FEC1
                                  • __aullrem.LIBCMT ref: 0022FF4B
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                  • String ID:
                                  • API String ID: 1247370737-0
                                  • Opcode ID: 0ea55b24deb8385c9ee3f9d8a0c42b9a8a528557b957fba79bc975c7f2819909
                                  • Instruction ID: 81876da67582ede8d521fa0ff6ba738f4339160c148b62e8a8f456850bd8b6af
                                  • Opcode Fuzzy Hash: 0ea55b24deb8385c9ee3f9d8a0c42b9a8a528557b957fba79bc975c7f2819909
                                  • Instruction Fuzzy Hash: 1B418CB2418315AFC310DFA5D980AABF7F8FF88704F004A2EF58692650E739E558CB56
                                  APIs
                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0024CCE2,00000000,00000000,00000000,00000000,00000000,?), ref: 0024C5AF
                                  • __fassign.LIBCMT ref: 0024C62A
                                  • __fassign.LIBCMT ref: 0024C645
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0024C66B
                                  • WriteFile.KERNEL32(?,00000000,00000000,0024CCE2,00000000,?,?,?,?,?,?,?,?,?,0024CCE2,00000000), ref: 0024C68A
                                  • WriteFile.KERNEL32(?,00000000,00000001,0024CCE2,00000000,?,?,?,?,?,?,?,?,?,0024CCE2,00000000), ref: 0024C6C3
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  • API String ID: 1324828854-0
                                  • Opcode ID: bf8079d5cb9e7c51c438436f16418fd43663bc8246bbcdf76fe83c5de85fc869
                                  • Instruction ID: 2ad3d2c2522f127a90de74fdb3e99e58977d6b68a3264d72d7736932ba8cd0ea
                                  • Opcode Fuzzy Hash: bf8079d5cb9e7c51c438436f16418fd43663bc8246bbcdf76fe83c5de85fc869
                                  • Instruction Fuzzy Hash: FC51C1B09102099FCB14CFA8D885AEEBBF8FF49310F24815AE955E7291E730A950CF65
                                  APIs
                                  • GetTempPathW.KERNEL32(00000800,?), ref: 0023B0EE
                                  • _swprintf.LIBCMT ref: 0023B122
                                    • Part of subcall function 00223F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00223F3E
                                  • SetDlgItemTextW.USER32(?,00000066,00263122), ref: 0023B142
                                  • _wcschr.LIBVCRUNTIME ref: 0023B175
                                  • EndDialog.USER32(?,00000001), ref: 0023B256
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                  • String ID: %s%s%u
                                  • API String ID: 2892007947-1360425832
                                  • Opcode ID: c13df63c705b653e47122ebccff86889ecc4aadd88be71af4ecdb40ccf38f11a
                                  • Instruction ID: 1a928333842d5229f1c48cd3de66504193bcec4a95a1496eb4bfebebae37bd32
                                  • Opcode Fuzzy Hash: c13df63c705b653e47122ebccff86889ecc4aadd88be71af4ecdb40ccf38f11a
                                  • Instruction Fuzzy Hash: B04174B1D20619AEDF25DF60DD85EEE77BCEB05305F0040A6F90DE6051EBB09AA48F54
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _strlen$_swprintf_wcschr_wcsrchr
                                  • String ID: %08x
                                  • API String ID: 1593746830-3682738293
                                  • Opcode ID: 9015ac4c4e687168bde6607411bc40bdf00564f281c789350a37c51c3c70d022
                                  • Instruction ID: 97836da8794432b1a841526a9505563335e7d7a3b6532cff9bbfd7b8b40561db
                                  • Opcode Fuzzy Hash: 9015ac4c4e687168bde6607411bc40bdf00564f281c789350a37c51c3c70d022
                                  • Instruction Fuzzy Hash: E6413B73934365BAD734EEA4EC89EBF73DCDB84310F20052AF94897142D6749D64C6A1
                                  APIs
                                  • ShowWindow.USER32(?,00000000), ref: 002385B4
                                  • GetWindowRect.USER32(?,?), ref: 002385D9
                                  • ShowWindow.USER32(?,00000005,?), ref: 00238670
                                  • SetWindowTextW.USER32(?,00000000), ref: 00238678
                                  • ShowWindow.USER32(00000000,00000005), ref: 0023868E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Window$Show$RectText
                                  • String ID: RarHtmlClassName
                                  • API String ID: 3937224194-1658105358
                                  • Opcode ID: b2289f6761cf82986d26fd51ed9db82b710e1b35f7dc77234f2fe596efe73786
                                  • Instruction ID: df978ae900bdb68785b39875850572906fc8a169c7ddb5a5b4985cb1d3338c4e
                                  • Opcode Fuzzy Hash: b2289f6761cf82986d26fd51ed9db82b710e1b35f7dc77234f2fe596efe73786
                                  • Instruction Fuzzy Hash: A7319C72104310AFC7119F64AD4EA1BBFBCEB48702F004559FE49AA192DB30D910CFA6
                                  APIs
                                    • Part of subcall function 002492C4: _free.LIBCMT ref: 002492ED
                                  • _free.LIBCMT ref: 0024934E
                                    • Part of subcall function 002459B2: RtlFreeHeap.NTDLL(00000000,00000000,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?), ref: 002459C8
                                    • Part of subcall function 002459B2: GetLastError.KERNEL32(?,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?,?), ref: 002459DA
                                  • _free.LIBCMT ref: 00249359
                                  • _free.LIBCMT ref: 00249364
                                  • _free.LIBCMT ref: 002493B8
                                  • _free.LIBCMT ref: 002493C3
                                  • _free.LIBCMT ref: 002493CE
                                  • _free.LIBCMT ref: 002493D9
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: f1ac33a155eeba0822e17f5f402666ce6a004e9925b6c7aeea596f78182db2dd
                                  • Instruction ID: 464bb3fb40d27da99b9e19c60482ee68055547507d4aa7ec92361f728f1f879f
                                  • Opcode Fuzzy Hash: f1ac33a155eeba0822e17f5f402666ce6a004e9925b6c7aeea596f78182db2dd
                                  • Instruction Fuzzy Hash: 3B113071561F14F6DA38FBB0CC47FCF779CAF00710F404915BA9966092D6A5A5A4CE50
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00240BAB,0023E602), ref: 00240BC2
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00240BD0
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00240BE9
                                  • SetLastError.KERNEL32(00000000,?,00240BAB,0023E602), ref: 00240C3B
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: 4ca03a399b3b08573438b40286c30f732d5c52ce7344073a998e551af2351611
                                  • Instruction ID: 8218a6d876568b6ba1493c5f54e683fcdc100486d997d67a9d8490a9d6908bfb
                                  • Opcode Fuzzy Hash: 4ca03a399b3b08573438b40286c30f732d5c52ce7344073a998e551af2351611
                                  • Instruction Fuzzy Hash: 8501D836279B269FE61C2A74FCCA52B2A54EB117BAB20032AF614451E1EFB14CB1954C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                  • API String ID: 0-1718035505
                                  • Opcode ID: b841f5ccce9ed27cb032d1cfccca86fcf707673e0df837f085722421e29ede8f
                                  • Instruction ID: 4e64a589e344d034d10a63204ebe2196b6b7e7bfad353a39177e7243112d2668
                                  • Opcode Fuzzy Hash: b841f5ccce9ed27cb032d1cfccca86fcf707673e0df837f085722421e29ede8f
                                  • Instruction Fuzzy Hash: 7C0126B1672223D74F221E606CCC6A613845A02372B300139DA11E3140D730C9B4A7A0
                                  APIs
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0023009C
                                    • Part of subcall function 0022A930: GetVersionExW.KERNEL32(?), ref: 0022A955
                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002300BE
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 002300D8
                                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 002300E9
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 002300F9
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00230105
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Time$File$System$Local$SpecificVersion
                                  • String ID:
                                  • API String ID: 2092733347-0
                                  • Opcode ID: 09faabcf3c628d76efeb42008019ffdaf5c01a91c6b27887eac7a20be21629e3
                                  • Instruction ID: a3844f4c81bc6c096e9a29b377bd554e46b7c696e84ad614e0090ff35c655c9d
                                  • Opcode Fuzzy Hash: 09faabcf3c628d76efeb42008019ffdaf5c01a91c6b27887eac7a20be21629e3
                                  • Instruction Fuzzy Hash: D731D3BA1183469BC704DFA9D8849ABB7F8BF98704F04491EF999D3210E730D559CB2A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID:
                                  • API String ID: 2931989736-0
                                  • Opcode ID: f9a26dcb73359bb2ad7a3b07baf965d8dd12c8419c30cade3b9a8f35ed57c6d3
                                  • Instruction ID: 3127ab3fb5e88dd78d075137f3c79f323c3c2881683126c55791b76322205b18
                                  • Opcode Fuzzy Hash: f9a26dcb73359bb2ad7a3b07baf965d8dd12c8419c30cade3b9a8f35ed57c6d3
                                  • Instruction Fuzzy Hash: 0F21D8F1A3064AABEB109E10DC82F37B7ACAB90B44F104524FC049E141E770DD789690
                                  APIs
                                  • GetLastError.KERNEL32(?,0025CBE8,00242664,0025CBE8,?,?,00242203,?,?,0025CBE8), ref: 00246312
                                  • _free.LIBCMT ref: 00246345
                                  • _free.LIBCMT ref: 0024636D
                                  • SetLastError.KERNEL32(00000000,?,0025CBE8), ref: 0024637A
                                  • SetLastError.KERNEL32(00000000,?,0025CBE8), ref: 00246386
                                  • _abort.LIBCMT ref: 0024638C
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: 997c44e37d2f6642dc0d9b1232929727dfac2ddad5ea666e0fce5acc4e1c3132
                                  • Instruction ID: 895714fb1b4dc237e6bbe232760040a263db17e30af46b0dbbeca011708ae95a
                                  • Opcode Fuzzy Hash: 997c44e37d2f6642dc0d9b1232929727dfac2ddad5ea666e0fce5acc4e1c3132
                                  • Instruction Fuzzy Hash: 3CF0A435135A5167C71D2F247C4FF6A1A659BC2B72F240254F828D21D2FF758C218567
                                  APIs
                                  • CharUpperW.USER32(?,?,?,?,00001000), ref: 0023A92B
                                  • CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0023A952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CharUpper
                                  • String ID: *a&$-
                                  • API String ID: 9403516-1178523487
                                  • Opcode ID: a0570c31688645500d0bf522bfac37004c342cc67d80ad2481e3bc615baa78e2
                                  • Instruction ID: 6d4ca9b194225c6f936c98896b7188109ed2442dfe52d09b8e6ddfba7e3a48d3
                                  • Opcode Fuzzy Hash: a0570c31688645500d0bf522bfac37004c342cc67d80ad2481e3bc615baa78e2
                                  • Instruction Fuzzy Hash: E02129F2434307A5C721AF68A84CB77B6AC9B95310F02443BF5D5E2441D6B4D8F8A763
                                  APIs
                                    • Part of subcall function 002212E7: GetDlgItem.USER32(00000000,00003021), ref: 0022132B
                                    • Part of subcall function 002212E7: SetWindowTextW.USER32(00000000,002502E4), ref: 00221341
                                  • EndDialog.USER32(?,00000001), ref: 0023B86A
                                  • GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0023B880
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0023B89A
                                  • SetDlgItemTextW.USER32(?,00000066), ref: 0023B8A5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: RENAMEDLG
                                  • API String ID: 445417207-3299779563
                                  • Opcode ID: aa75a4a76e5056e56bd2837c1e0a964bcc482d67f9822ba933f67fcf0c8c72c5
                                  • Instruction ID: 4bbc46ccfdc950ec7f6ab2c7778877fb9e918ebc144eb60470ca46084cbf50ed
                                  • Opcode Fuzzy Hash: aa75a4a76e5056e56bd2837c1e0a964bcc482d67f9822ba933f67fcf0c8c72c5
                                  • Instruction Fuzzy Hash: BA012873AA0322BAD1124EA5BE4DF377B6CE786F41F100415F344B24D0C3A6AC249776
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00244A30,?,?,002449D0,?,00257F60,0000000C,00244B27,?,00000002), ref: 00244A9F
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00244AB2
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00244A30,?,?,002449D0,?,00257F60,0000000C,00244B27,?,00000002,00000000), ref: 00244AD5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: c26c888a7aa80e50fc9a777bfac4bc36bc3efbd4ef73852cdc048f4c4d5324b8
                                  • Instruction ID: 3db0c0f1aea295abc090067c65c489ad193bfbf79f5937bf4b6c00bbd09a14f1
                                  • Opcode Fuzzy Hash: c26c888a7aa80e50fc9a777bfac4bc36bc3efbd4ef73852cdc048f4c4d5324b8
                                  • Instruction Fuzzy Hash: 9FF06231A51319BBCB15AF90EC5DB9EBFB8EF04722F0441A4F809A61A0DB754E54CB98
                                  APIs
                                    • Part of subcall function 0022F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0022F376
                                    • Part of subcall function 0022F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0022DF18,Crypt32.dll,?,0022DF9C,?,0022DF7E,?,?,?,?), ref: 0022F398
                                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0022DF24
                                  • GetProcAddress.KERNEL32(00261E58,CryptUnprotectMemory), ref: 0022DF34
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                  • API String ID: 2141747552-1753850145
                                  • Opcode ID: 1278295e5717d05c84191cf1be00a45eb225851738bc5b98ecf93c005207f730
                                  • Instruction ID: 7eff344ae9a94a270e487824fb660c5091b53c7a38b421f0de2ed91825a4354a
                                  • Opcode Fuzzy Hash: 1278295e5717d05c84191cf1be00a45eb225851738bc5b98ecf93c005207f730
                                  • Instruction Fuzzy Hash: 9AE04FB0524743BEDB405FB4AD88B04FBA87F95721F048165F419D2580D7B4D0B88B5C
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: a62630a1704bc824ebcf39b4268598a1ee95ee91f99fea5a7daf55ed11ee2b74
                                  • Instruction ID: a815b3135000f4259a7b77596318ca78da0497c35c746a37c3cd02a1bcee8e8f
                                  • Opcode Fuzzy Hash: a62630a1704bc824ebcf39b4268598a1ee95ee91f99fea5a7daf55ed11ee2b74
                                  • Instruction Fuzzy Hash: DA41D532A20A209FCB28DF78C881A5DB7B5EF88710F1545A9E555EB382DB71AD11CB81
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 002489A9
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002489CC
                                    • Part of subcall function 002459EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0024239A,?,0000015D,?,?,?,?,00242F19,000000FF,00000000,?,?), ref: 00245A1E
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002489F2
                                  • _free.LIBCMT ref: 00248A05
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00248A14
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  • Opcode ID: 93c5e27d4556f7595be1632b1ac74815b6865e0da0a66ca3a16576807f3643af
                                  • Instruction ID: 528fad55aa7cacee00e380701b3b15cc9a6a99905d647aff82fc67b5f26d64b4
                                  • Opcode Fuzzy Hash: 93c5e27d4556f7595be1632b1ac74815b6865e0da0a66ca3a16576807f3643af
                                  • Instruction Fuzzy Hash: 520175726326667F27295EA66C8DC7F696DDBCAFA1314011AFD04D2141DEB08C1189B1
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,00245E33,00245ACF,?,0024633C,00000001,00000364,?,00242203,?,?,0025CBE8), ref: 00246397
                                  • _free.LIBCMT ref: 002463CC
                                  • _free.LIBCMT ref: 002463F3
                                  • SetLastError.KERNEL32(00000000,?,0025CBE8), ref: 00246400
                                  • SetLastError.KERNEL32(00000000,?,0025CBE8), ref: 00246409
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: 93b453d115bc035350756c6d34438454ff1448aac3115452d3a0e44acf2cc113
                                  • Instruction ID: 4f72c85cf1fc5e0b1d742bfed673d8b5ee0869454ea129f28fb39708a0f7746b
                                  • Opcode Fuzzy Hash: 93b453d115bc035350756c6d34438454ff1448aac3115452d3a0e44acf2cc113
                                  • Instruction Fuzzy Hash: B201FE72175B11678B1D3F247C8ED3B2569DBD2772B210124F814D2193EF75C8214567
                                  APIs
                                  • _free.LIBCMT ref: 00249273
                                    • Part of subcall function 002459B2: RtlFreeHeap.NTDLL(00000000,00000000,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?), ref: 002459C8
                                    • Part of subcall function 002459B2: GetLastError.KERNEL32(?,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?,?), ref: 002459DA
                                  • _free.LIBCMT ref: 00249285
                                  • _free.LIBCMT ref: 00249297
                                  • _free.LIBCMT ref: 002492A9
                                  • _free.LIBCMT ref: 002492BB
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 1077227cfc5d0bc9d40289d167fbb50d3f9dcc6c5676b183fea621ade6e2fc1d
                                  • Instruction ID: f6b043801c98a759e773ffc7431e0d5d41d725339a1971e3c8077919e5002410
                                  • Opcode Fuzzy Hash: 1077227cfc5d0bc9d40289d167fbb50d3f9dcc6c5676b183fea621ade6e2fc1d
                                  • Instruction Fuzzy Hash: 16F0FF32526B15FB9A2CEF58F88BC1A77E9FA007207644905F848E7602C674FCD08A94
                                  APIs
                                  • _free.LIBCMT ref: 00245531
                                    • Part of subcall function 002459B2: RtlFreeHeap.NTDLL(00000000,00000000,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?), ref: 002459C8
                                    • Part of subcall function 002459B2: GetLastError.KERNEL32(?,?,002492F2,?,00000000,?,00000000,?,00249319,?,00000007,?,?,00249716,?,?), ref: 002459DA
                                  • _free.LIBCMT ref: 00245543
                                  • _free.LIBCMT ref: 00245556
                                  • _free.LIBCMT ref: 00245567
                                  • _free.LIBCMT ref: 00245578
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: ebe888295b6df3bb18c2dbe41c266bbc2e2774de2b6ec93bd496662042e39d65
                                  • Instruction ID: a7669c292f62ad9e5289c602814cd086f75026d987addbe83a0364b3d283b623
                                  • Opcode Fuzzy Hash: ebe888295b6df3bb18c2dbe41c266bbc2e2774de2b6ec93bd496662042e39d65
                                  • Instruction Fuzzy Hash: 41F017B0832A209B9F1A6F18BC0A40D3BB4FB04731381024AF85896262D73908E2DED7
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe,00000104), ref: 00244BBA
                                  • _free.LIBCMT ref: 00244C85
                                  • _free.LIBCMT ref: 00244C8F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Users\user\Desktop\T.T_Copy.12.18.2024.exe
                                  • API String ID: 2506810119-1612214765
                                  • Opcode ID: 45465b2e5b93055f02d75de39a733a9e202df14a2bc0ec9a5c49cfccba68cb7a
                                  • Instruction ID: 37e8dc92c8df0bd070f371c477a7a413d715faae43d22a7b5e0044750ae69fa2
                                  • Opcode Fuzzy Hash: 45465b2e5b93055f02d75de39a733a9e202df14a2bc0ec9a5c49cfccba68cb7a
                                  • Instruction Fuzzy Hash: 06318671A11259EFDB29EF99DC85B9EBBFCEF84710B144097F8049B211D7708A90CB90
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00227468
                                    • Part of subcall function 00223A90: __EH_prolog.LIBCMT ref: 00223A95
                                  • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 0022752E
                                    • Part of subcall function 00227A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00227AAC
                                    • Part of subcall function 00227A9D: GetLastError.KERNEL32 ref: 00227AF2
                                    • Part of subcall function 00227A9D: CloseHandle.KERNEL32(?), ref: 00227B01
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                  • API String ID: 3813983858-639343689
                                  • Opcode ID: fcdacd3e1e78489a47007a1ea8a71d17102b918e8595f043ba1ffaf11ffe11fd
                                  • Instruction ID: 5cff2b686b40807a2ae9558efef4c2798b04d828e24dab96f16453581cb8dbaf
                                  • Opcode Fuzzy Hash: fcdacd3e1e78489a47007a1ea8a71d17102b918e8595f043ba1ffaf11ffe11fd
                                  • Instruction Fuzzy Hash: BE31BE71928329BEDF20EFA4BC46BEEBB78AF14314F504065F849A7242D7704A748B61
                                  APIs
                                    • Part of subcall function 002212E7: GetDlgItem.USER32(00000000,00003021), ref: 0022132B
                                    • Part of subcall function 002212E7: SetWindowTextW.USER32(00000000,002502E4), ref: 00221341
                                  • EndDialog.USER32(?,00000001), ref: 002391AA
                                  • GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 002391BF
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 002391D4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: ASKNEXTVOL
                                  • API String ID: 445417207-3402441367
                                  • Opcode ID: 08ecf575df395bb095dd8559b629d3444de113a01b11dccfc88854bb3753267e
                                  • Instruction ID: d58935dd5ea6c3cc0479a036a25918dd87d98558d89613b13d669825cc18f4dd
                                  • Opcode Fuzzy Hash: 08ecf575df395bb095dd8559b629d3444de113a01b11dccfc88854bb3753267e
                                  • Instruction Fuzzy Hash: 7A11DA72260223BFE6119FA8ED4DF667769EB47701F004011F748A70A0C3A19CB19B66
                                  APIs
                                  • DialogBoxParamW.USER32(GETPASSWORD1,?,00239645,?,?), ref: 0023C021
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: DialogParam
                                  • String ID: *a&$*a&$GETPASSWORD1
                                  • API String ID: 665744214-285589960
                                  • Opcode ID: 15104c583119be66b3516be6f9f31f5d3c7db161e7f943ff97c89e1c8d7c4396
                                  • Instruction ID: 85f75f2fb140a418f8d6d5c6aa903217f9a8927a42b6664e7363e295c5c6c916
                                  • Opcode Fuzzy Hash: 15104c583119be66b3516be6f9f31f5d3c7db161e7f943ff97c89e1c8d7c4396
                                  • Instruction Fuzzy Hash: C3119B72634314ABDB12DE24BC49BAA3798FB0A761F144065FD08B71C1D6F14CB0DB98
                                  APIs
                                    • Part of subcall function 002212E7: GetDlgItem.USER32(00000000,00003021), ref: 0022132B
                                    • Part of subcall function 002212E7: SetWindowTextW.USER32(00000000,002502E4), ref: 00221341
                                  • EndDialog.USER32(?,00000001), ref: 00239693
                                  • GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 002396AB
                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 002396D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: GETPASSWORD1
                                  • API String ID: 445417207-3292211884
                                  • Opcode ID: 384d5827a85544c448b6b8e4ef80cac6be620570a663a9974b990e6c309979c1
                                  • Instruction ID: 58846209ca665f48fe1b32c8e304ff619df63b1338a47b1f1cfe1dfc9dcfd61e
                                  • Opcode Fuzzy Hash: 384d5827a85544c448b6b8e4ef80cac6be620570a663a9974b990e6c309979c1
                                  • Instruction Fuzzy Hash: 9811C2729212297BDB215E74AD4BFFA377CAB4A711F000011FA05E6080C2E5ADA09EA5
                                  APIs
                                  • _swprintf.LIBCMT ref: 0022B177
                                    • Part of subcall function 00223F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00223F3E
                                  • _wcschr.LIBVCRUNTIME ref: 0022B195
                                  • _wcschr.LIBVCRUNTIME ref: 0022B1A5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _wcschr$__vswprintf_c_l_swprintf
                                  • String ID: %c:\
                                  • API String ID: 525462905-3142399695
                                  • Opcode ID: 9d856f32aae6dc0e50df8ba2b484f33a5f087ea6901d4e2af2a6bdc51e101202
                                  • Instruction ID: d53a7f86216376128523f916fb91362e96a552d1f5c30c2a52802a8f0697f1ba
                                  • Opcode Fuzzy Hash: 9d856f32aae6dc0e50df8ba2b484f33a5f087ea6901d4e2af2a6bdc51e101202
                                  • Instruction Fuzzy Hash: E401FE6352032375D6316FB56C82D6BA7ACEE95360B504406FD48D6481FB30D470C7B1
                                  APIs
                                  • InitializeCriticalSection.KERNEL32(000001A0,00000000,00261E74,?,?,0022FB9D,00000020,?,0022A812,?,0022C79B,?,00000000,?,00000001,?), ref: 0022F9BB
                                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0022A812,?,0022C79B,?,00000000,?,00000001,?,?,?,00233AFE), ref: 0022F9C5
                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0022A812,?,0022C79B,?,00000000,?,00000001,?,?,?,00233AFE), ref: 0022F9D5
                                  Strings
                                  • Thread pool initialization failed., xrefs: 0022F9ED
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                  • String ID: Thread pool initialization failed.
                                  • API String ID: 3340455307-2182114853
                                  • Opcode ID: 3b56fef4f1e1f27e86e529099c1c39ad65a24237ade80bf68cd1fbfa34b02d55
                                  • Instruction ID: 5515ccd89dd038f8158b77030370d8f19430f9dbd65f66980a52652f264a414a
                                  • Opcode Fuzzy Hash: 3b56fef4f1e1f27e86e529099c1c39ad65a24237ade80bf68cd1fbfa34b02d55
                                  • Instruction Fuzzy Hash: 9C1170B1610715BFD3305FA5AD89AA7FBECFB95756F10483EE6DA82240DA712890CB10
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                  • API String ID: 0-56093855
                                  • Opcode ID: 0822c206440f87d391ff5dc977f3d45d87303e4098645bbaec51ff9235227b6b
                                  • Instruction ID: fe0f578aee923ae5511824bb6caf4f9b0634ca843cc6bc03a588dbe10cfc040b
                                  • Opcode Fuzzy Hash: 0822c206440f87d391ff5dc977f3d45d87303e4098645bbaec51ff9235227b6b
                                  • Instruction Fuzzy Hash: E801B1B1A29302FFC312CF28FC09E22BB98E749394F004466FA4492530E3718C29DF66
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0022CEA7
                                  • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0022CEB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: FindHandleModuleResource
                                  • String ID: LTR$RTL
                                  • API String ID: 3537982541-719208805
                                  • Opcode ID: 89c46185f8a2e562960156ec72ba512bb57fe3b8c54e427dc39187da9c931801
                                  • Instruction ID: e6477e6f8d990181fea034fab03d554ce2a0c93af35329e172182e0f94bc075c
                                  • Opcode Fuzzy Hash: 89c46185f8a2e562960156ec72ba512bb57fe3b8c54e427dc39187da9c931801
                                  • Instruction Fuzzy Hash: 32F08B3162435477E62466B47C0AFAB37ACE780B11F10025DF602970C0CFB1951C87B8
                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00227F55,?,?,?), ref: 0022A020
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00227F55,?,?), ref: 0022A064
                                  • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00227F55,?,?,?,?,?,?,?,?), ref: 0022A0E5
                                  • CloseHandle.KERNEL32(?,?,00000000,?,00227F55,?,?,?,?,?,?,?,?,?,?,?), ref: 0022A0EC
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: File$Create$CloseHandleTime
                                  • String ID:
                                  • API String ID: 2287278272-0
                                  • Opcode ID: 1271836c678eb40235ba6e18ce8b1b88a22f079861580021f2536bb33cfb9337
                                  • Instruction ID: fc4bb8961a2b1dad96ca17b9d7001bf474f5c3e52cec23dc1028215c08110e7d
                                  • Opcode Fuzzy Hash: 1271836c678eb40235ba6e18ce8b1b88a22f079861580021f2536bb33cfb9337
                                  • Instruction Fuzzy Hash: 4841E131268392ABD731DE64EC46BAFBBE8AB85700F040918F5D5D35C0C6749A58CB53
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,00242784,00000000,00000000,00242FB2,?,00242FB2,?,00000001,00242784,F5E85006,00000001,00242FB2,00242FB2), ref: 00249431
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002494BA
                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 002494CC
                                  • __freea.LIBCMT ref: 002494D5
                                    • Part of subcall function 002459EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0024239A,?,0000015D,?,?,?,?,00242F19,000000FF,00000000,?,?), ref: 00245A1E
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                  • String ID:
                                  • API String ID: 2652629310-0
                                  • Opcode ID: 2ca71fece2cdc0bc5871990f5908e73e4ca10d008d98bb7ed645ee76bfe22b8c
                                  • Instruction ID: d93b231d8285b55c27a8d9924abe598a5bce4744c92597e70043525e757d002e
                                  • Opcode Fuzzy Hash: 2ca71fece2cdc0bc5871990f5908e73e4ca10d008d98bb7ed645ee76bfe22b8c
                                  • Instruction Fuzzy Hash: 0D31AE72A2020AABDF29DF64DC85DAF7BA5EB40710F054268FC14D7191E735CDA1CB90
                                  APIs
                                  • LoadBitmapW.USER32(00000065), ref: 00239A85
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00239AA6
                                  • DeleteObject.GDI32(00000000), ref: 00239ACE
                                  • DeleteObject.GDI32(00000000), ref: 00239AED
                                    • Part of subcall function 00238BCF: FindResourceW.KERNEL32(00000066,PNG,?,?,00239AC7,00000066), ref: 00238BE0
                                    • Part of subcall function 00238BCF: SizeofResource.KERNEL32(00000000,75755780,?,?,00239AC7,00000066), ref: 00238BF8
                                    • Part of subcall function 00238BCF: LoadResource.KERNEL32(00000000,?,?,00239AC7,00000066), ref: 00238C0B
                                    • Part of subcall function 00238BCF: LockResource.KERNEL32(00000000,?,?,00239AC7,00000066), ref: 00238C16
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                  • String ID:
                                  • API String ID: 142272564-0
                                  • Opcode ID: 0f66be3f93147b5ef55e0ffa757debaa4fee3ce410df0a9ffd2bbea5be688cb3
                                  • Instruction ID: e9beeaa3028039e500e3952448c3d1fbd3448622ce5e38bc0c2534b50e257183
                                  • Opcode Fuzzy Hash: 0f66be3f93147b5ef55e0ffa757debaa4fee3ce410df0a9ffd2bbea5be688cb3
                                  • Instruction Fuzzy Hash: F5012BB255031627C61177785D47E7FB67EDF85B52F080111FD00EB251EEA18C3186A5
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00240FED
                                    • Part of subcall function 00241625: ___AdjustPointer.LIBCMT ref: 0024166F
                                  • _UnwindNestedFrames.LIBCMT ref: 00241004
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00241016
                                  • CallCatchBlock.LIBVCRUNTIME ref: 0024103A
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • String ID:
                                  • API String ID: 2633735394-0
                                  • Opcode ID: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
                                  • Instruction ID: 3b6d79ddf104e7459229fbc6bf88c7eacde8a0b25721832e4f6d75745caf0bda
                                  • Opcode Fuzzy Hash: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
                                  • Instruction Fuzzy Hash: FB011332010149BBCF266F95DC42EDA3FAAEF48754F054014FE1866121C776E8B1EFA4
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0022FB59
                                  • EnterCriticalSection.KERNEL32(00261E74,?,?,0022A812,?,0022C79B,?,00000000,?,00000001,?,?,?,00233AFE,?,00008000), ref: 0022FB66
                                  • new.LIBCMT ref: 0022FB82
                                    • Part of subcall function 0022F982: InitializeCriticalSection.KERNEL32(000001A0,00000000,00261E74,?,?,0022FB9D,00000020,?,0022A812,?,0022C79B,?,00000000,?,00000001,?), ref: 0022F9BB
                                    • Part of subcall function 0022F982: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0022A812,?,0022C79B,?,00000000,?,00000001,?,?,?,00233AFE), ref: 0022F9C5
                                    • Part of subcall function 0022F982: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0022A812,?,0022C79B,?,00000000,?,00000001,?,?,?,00233AFE), ref: 0022F9D5
                                  • LeaveCriticalSection.KERNEL32(00261E74,?,0022A812,?,0022C79B,?,00000000,?,00000001,?,?,?,00233AFE,?,00008000,?), ref: 0022FBA3
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Create$EnterEventH_prologInitializeLeaveSemaphore
                                  • String ID:
                                  • API String ID: 3780591329-0
                                  • Opcode ID: 04af0466086ad243c21163e07c906fda7e03ea727dbe0e507a7b46517e1c8396
                                  • Instruction ID: 7b1c4ce5610b1b904ee5763980a02c323a871828ff843bd94962cbb1aa95292c
                                  • Opcode Fuzzy Hash: 04af0466086ad243c21163e07c906fda7e03ea727dbe0e507a7b46517e1c8396
                                  • Instruction Fuzzy Hash: 89F01275A112159BD7889F68FC15AA976B4EB49315F04413AFC09D3250DBB199208B54
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00240B06
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00240B0B
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00240B10
                                    • Part of subcall function 00241BDE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00241BEF
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00240B25
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • String ID:
                                  • API String ID: 1761009282-0
                                  • Opcode ID: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
                                  • Instruction ID: 665f66dbce777cbf1914ebcd701adb95991011c4222063eb3303422808e5afbe
                                  • Opcode Fuzzy Hash: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
                                  • Instruction Fuzzy Hash: 65C04C18770256941D2E3EB165C21ED33409C627CC78015C2EA541F5079A6608FB5C3B
                                  APIs
                                    • Part of subcall function 00238BA4: GetDC.USER32(00000000), ref: 00238BA8
                                    • Part of subcall function 00238BA4: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00238BB3
                                    • Part of subcall function 00238BA4: ReleaseDC.USER32(00000000,00000000), ref: 00238BBE
                                  • GetObjectW.GDI32(?,00000018,?), ref: 00238D23
                                    • Part of subcall function 00238EE9: GetDC.USER32(00000000), ref: 00238EF2
                                    • Part of subcall function 00238EE9: GetObjectW.GDI32(?,00000018,?), ref: 00238F21
                                    • Part of subcall function 00238EE9: ReleaseDC.USER32(00000000,?), ref: 00238FB5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ObjectRelease$CapsDevice
                                  • String ID: (
                                  • API String ID: 1061551593-3887548279
                                  • Opcode ID: 20643291f25aaf24221837dbd774f206407395f5b6e4b05a9384329509053552
                                  • Instruction ID: 5d1c225961381e5c5c0ab43607af1dcbdafde9bfe48dd5683545ddd42cdcae93
                                  • Opcode Fuzzy Hash: 20643291f25aaf24221837dbd774f206407395f5b6e4b05a9384329509053552
                                  • Instruction Fuzzy Hash: B16124B1218305AFD210DF64C888E6BBBE9EF89704F10491DF599CB260DB71E919CB62
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: _swprintf
                                  • String ID: %ls$%s: %s
                                  • API String ID: 589789837-2259941744
                                  • Opcode ID: 7f85cc4c64e9e9f7722154029e1aa575969b51e51629705451aafd43599cc32c
                                  • Instruction ID: ca841dc5330610a6839321422bda613f5f44df67646d34146e1c4a180de5f7dc
                                  • Opcode Fuzzy Hash: 7f85cc4c64e9e9f7722154029e1aa575969b51e51629705451aafd43599cc32c
                                  • Instruction Fuzzy Hash: FE5198F12B8300F6E7351A949DFAF377655AB05F00F608506BF8E644D1C5E1A970AB3A
                                  APIs
                                  • _free.LIBCMT ref: 00247D45
                                    • Part of subcall function 00245D1D: IsProcessorFeaturePresent.KERNEL32(00000017,00245D0C,0000002C,002580C8,00248D62,00000000,00000000,00246391,?,?,00245D19,00000000,00000000,00000000,00000000,00000000), ref: 00245D1F
                                    • Part of subcall function 00245D1D: GetCurrentProcess.KERNEL32(C0000417,002580C8,0000002C,00245A4A,00000016,00246391), ref: 00245D41
                                    • Part of subcall function 00245D1D: TerminateProcess.KERNEL32(00000000), ref: 00245D48
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                  • String ID: *?$.
                                  • API String ID: 2667617558-3972193922
                                  • Opcode ID: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
                                  • Instruction ID: 4ddb684d31b9fcfa104ffdf3da5b72fab3daa1e6e95c0e52cd42abdfc231c19f
                                  • Opcode Fuzzy Hash: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
                                  • Instruction Fuzzy Hash: 1051B171E2421AEFDF18DFA8C881AADB7B5EF48314F24416AE864E7341E7719A118F50
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0022761E
                                  • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00227799
                                    • Part of subcall function 0022A113: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00229F49,?,?,?,00229DE2,?,00000001,00000000,?,?), ref: 0022A127
                                    • Part of subcall function 0022A113: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00229F49,?,?,?,00229DE2,?,00000001,00000000,?,?), ref: 0022A158
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: File$Attributes$H_prologTime
                                  • String ID: :
                                  • API String ID: 1861295151-336475711
                                  • Opcode ID: dfe9b3cf814ab265d28ee89f8fffafa1a4e0b365e4f12a00d0ac5d361229c066
                                  • Instruction ID: 2a8c3e056f39ddbe111115755d853e89dd6cea9403b8591ccd46af69082f2650
                                  • Opcode Fuzzy Hash: dfe9b3cf814ab265d28ee89f8fffafa1a4e0b365e4f12a00d0ac5d361229c066
                                  • Instruction Fuzzy Hash: 2441A471829268BADB34EFA0EC45EEEB77CEF45340F4040A9B50566052DB745FA5CF60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: UNC$\\?\
                                  • API String ID: 0-253988292
                                  • Opcode ID: 344732ca5a7064afbf1e8d507d09396187df1d2901de975694336b42050291ff
                                  • Instruction ID: 4e51533e14d55017b1da86f50a419b9842a35da06987c3ce51d5fa79a6df5200
                                  • Opcode Fuzzy Hash: 344732ca5a7064afbf1e8d507d09396187df1d2901de975694336b42050291ff
                                  • Instruction Fuzzy Hash: CD41923542027ABACF22BFA1FC81EEE77B9BF01350F904565F85496042E77099B4DA90
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Shell.Explorer$about:blank
                                  • API String ID: 0-874089819
                                  • Opcode ID: 0feb4ada04ae8b002629b14461436d3d988c90de9aee5a1f93929ffb1d382968
                                  • Instruction ID: 87d9dde305626d240e6caafecbe4090e4af2a33ce053450ee99d324aa1a30795
                                  • Opcode Fuzzy Hash: 0feb4ada04ae8b002629b14461436d3d988c90de9aee5a1f93929ffb1d382968
                                  • Instruction Fuzzy Hash: 5B2180B5230706AFD7089F64C890E26B769BF85710F148519B5058F242CF71EC64CB90
                                  APIs
                                    • Part of subcall function 0022DF05: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0022DF24
                                    • Part of subcall function 0022DF05: GetProcAddress.KERNEL32(00261E58,CryptUnprotectMemory), ref: 0022DF34
                                  • GetCurrentProcessId.KERNEL32(?,?,?,0022DF7E), ref: 0022E007
                                  Strings
                                  • CryptUnprotectMemory failed, xrefs: 0022DFFF
                                  • CryptProtectMemory failed, xrefs: 0022DFC7
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: AddressProc$CurrentProcess
                                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                  • API String ID: 2190909847-396321323
                                  • Opcode ID: 97af66d49bc295b1cf746e4921a00c78784813a859c6ff75e4d48004d5f23ab3
                                  • Instruction ID: 515c2691c9e1282073f2b6f88136df5e8df7bd37899564cf4eca5a29722098f8
                                  • Opcode Fuzzy Hash: 97af66d49bc295b1cf746e4921a00c78784813a859c6ff75e4d48004d5f23ab3
                                  • Instruction Fuzzy Hash: BA115B317242327BDF249FB9FC54A7A33999F84B50B094019F801EB192DBF1EE329694
                                  APIs
                                    • Part of subcall function 0022CF27: GetWindowRect.USER32(?,?), ref: 0022CF5E
                                    • Part of subcall function 0022CF27: GetClientRect.USER32(?,?), ref: 0022CF6A
                                    • Part of subcall function 0022CF27: GetWindowLongW.USER32(?,000000F0), ref: 0022D00B
                                    • Part of subcall function 0022CF27: GetWindowRect.USER32(?,?), ref: 0022D038
                                    • Part of subcall function 0022CF27: GetWindowTextW.USER32(?,?,00000400), ref: 0022D057
                                  • GetDlgItem.USER32(00000000,00003021), ref: 0022132B
                                  • SetWindowTextW.USER32(00000000,002502E4), ref: 00221341
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: Window$Rect$Text$ClientItemLong
                                  • String ID: 0
                                  • API String ID: 660763476-4108050209
                                  • Opcode ID: 070df14e1c1186ea286635cf2feeb9942eddd42acac858472bc15fd637deb8d4
                                  • Instruction ID: 886f675d0c83490f00ae72e9a996ad12e45c4f0b0bbee396e6f21b1b7aa89b63
                                  • Opcode Fuzzy Hash: 070df14e1c1186ea286635cf2feeb9942eddd42acac858472bc15fd637deb8d4
                                  • Instruction Fuzzy Hash: 67F0F470420359BBCF114F90AC0EEE93B5BAB2874AF084045FD4494490C774C474DF99
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,0022FCF9,?,?,0022FD6E,?,?,?,?,?,0022FD58), ref: 0022FB1F
                                  • GetLastError.KERNEL32(?,?,0022FD6E,?,?,?,?,?,0022FD58), ref: 0022FB2B
                                    • Part of subcall function 00226D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00226DAD
                                  Strings
                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 0022FB34
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.1450511225.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000001.00000002.1450484971.0000000000220000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450554230.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000025E000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450577769.000000000027A000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000001.00000002.1450663496.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_1_2_220000_T.jbxd
                                  Similarity
                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                  • API String ID: 1091760877-2248577382
                                  • Opcode ID: 92bb73491c9730e152078e21254753feedbae2d4d5614ef9556786efdab762d0
                                  • Instruction ID: 09352e56eb4826e45acf42b774deb6380269f7c4829a98ad1e3f2cd2660e48ca
                                  • Opcode Fuzzy Hash: 92bb73491c9730e152078e21254753feedbae2d4d5614ef9556786efdab762d0
                                  • Instruction Fuzzy Hash: BFD02B3252813037C50023647C5EE7F39045B12736F640314F535651E0CA3008624699

                                  Execution Graph

                                  Execution Coverage:11.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:1514
                                  Total number of Limit Nodes:24
                                  execution_graph: [interactive node/edge listing of the execution graph (node ids, code addresses, API names); not rendered as text]
22699->22701 22711 be8b64 GdipAlloc 22700->22711 22701->22698 22704 be8c8f GdipCreateHBITMAPFromBitmap 22705 be8ca5 22704->22705 22705->22701 22706->22615 22707->22618 22708->22620 22709->22687 22710->22688 22712 be8b76 22711->22712 22713 be8b83 22711->22713 22715 be8923 22712->22715 22713->22701 22713->22704 22713->22705 22716 be894b GdipCreateBitmapFromStream 22715->22716 22717 be8944 GdipCreateBitmapFromStreamICM 22715->22717 22718 be8950 22716->22718 22717->22718 22718->22713 22720 bdcb26 _wcschr __EH_prolog 22719->22720 22721 bdcb52 GetModuleFileNameW 22720->22721 22722 bdcb83 22720->22722 22723 bdcb6c 22721->22723 22742 bd978d 22722->22742 22723->22722 22726 bdccef 22728 bd9a30 70 API calls 22726->22728 22737 bdcd39 22726->22737 22731 bdcd09 ___std_exception_copy 22728->22731 22732 bd995d 73 API calls 22731->22732 22731->22737 22735 bdcd2f ___std_exception_copy 22732->22735 22734 bdcbb3 22734->22726 22734->22737 22751 bd9b3b 22734->22751 22766 bd995d 22734->22766 22774 bd9a30 22734->22774 22735->22737 22779 be06d7 MultiByteToWideChar 22735->22779 22759 bd9487 22737->22759 22738 bdce98 GetModuleHandleW FindResourceW 22739 bdcec6 22738->22739 22740 bdcec0 22738->22740 22741 bdc96f 52 API calls 22739->22741 22740->22625 22741->22740 22743 bd9797 22742->22743 22744 bd97ed CreateFileW 22743->22744 22745 bd986b 22744->22745 22746 bd981a GetLastError 22744->22746 22745->22734 22747 bdb2c5 2 API calls 22746->22747 22748 bd983a 22747->22748 22748->22745 22749 bd983e CreateFileW GetLastError 22748->22749 22750 bd9862 22749->22750 22750->22745 22752 bd9b5f SetFilePointer 22751->22752 22753 bd9b4e 22751->22753 22754 bd9b7d GetLastError 22752->22754 22756 bd9b98 22752->22756 22753->22756 22780 bd6e6a 68 API calls 22753->22780 22755 bd9b87 22754->22755 22754->22756 22755->22756 22781 bd6e6a 68 API calls 22755->22781 22756->22734 22760 bd94ab 22759->22760 22761 bd94bc 22759->22761 22760->22761 22762 bd94be 22760->22762 22763 bd94b7 22760->22763 22761->22738 22787 bd94f3 
22762->22787 22782 bd963a 22763->22782 22767 bd9974 22766->22767 22769 bd99d7 22767->22769 22770 bd99c7 22767->22770 22772 bd99d5 22767->22772 22802 bd9663 22767->22802 22769->22772 22773 bd9663 5 API calls 22769->22773 22814 bd6e30 68 API calls 22770->22814 22772->22734 22773->22769 22819 bd98e7 22774->22819 22777 bd9a5b 22777->22734 22779->22737 22780->22752 22781->22756 22783 bd9647 22782->22783 22784 bd9643 22782->22784 22783->22784 22793 bd9dfc 22783->22793 22784->22761 22788 bd94ff 22787->22788 22789 bd951d 22787->22789 22788->22789 22791 bd950b CloseHandle 22788->22791 22790 bd953c 22789->22790 22801 bd6d3c 67 API calls 22789->22801 22790->22761 22791->22789 22794 becec0 22793->22794 22795 bd9e09 DeleteFileW 22794->22795 22796 bd9e1c 22795->22796 22797 bd9661 22795->22797 22798 bdb2c5 2 API calls 22796->22798 22797->22761 22799 bd9e30 22798->22799 22799->22797 22800 bd9e34 DeleteFileW 22799->22800 22800->22797 22801->22790 22803 bd967c ReadFile 22802->22803 22804 bd9671 GetStdHandle 22802->22804 22805 bd96b5 22803->22805 22806 bd9695 22803->22806 22804->22803 22805->22767 22815 bd976a 22806->22815 22808 bd969c 22809 bd96aa 22808->22809 22810 bd96bd GetLastError 22808->22810 22811 bd96cc 22808->22811 22813 bd9663 GetFileType 22809->22813 22810->22805 22810->22811 22811->22805 22812 bd96dc GetLastError 22811->22812 22812->22805 22812->22809 22813->22805 22814->22772 22816 bd9770 22815->22816 22817 bd9773 GetFileType 22815->22817 22816->22808 22818 bd9781 22817->22818 22818->22808 22820 bd98f3 22819->22820 22823 bd9952 22819->22823 22821 bd992a SetFilePointer 22820->22821 22822 bd9948 GetLastError 22821->22822 22821->22823 22822->22823 22823->22777 22824 bd6e6a 68 API calls 22823->22824 22824->22777 22826 bf48ed _abort 22825->22826 22827 bf4a3b _abort GetModuleHandleW 22826->22827 22836 bf4905 22826->22836 22829 bf48f9 22827->22829 22829->22836 22862 bf4a7f GetModuleHandleExW 22829->22862 22830 bf49ab 22851 bf49eb 22830->22851 22833 bf490d 22833->22830 22835 
bf4982 22833->22835 22848 bf5418 22833->22848 22839 bf499a 22835->22839 22844 bf56c0 _abort 5 API calls 22835->22844 22847 bf76c7 EnterCriticalSection 22836->22847 22837 bf49c8 22854 bf49fa 22837->22854 22838 bf49f4 22870 bff149 5 API calls ___delayLoadHelper2@8 22838->22870 22840 bf56c0 _abort 5 API calls 22839->22840 22840->22830 22844->22839 22847->22833 22871 bf5151 22848->22871 22890 bf770f LeaveCriticalSection 22851->22890 22853 bf49c4 22853->22837 22853->22838 22891 bf7b04 22854->22891 22857 bf4a28 22860 bf4a7f _abort 8 API calls 22857->22860 22858 bf4a08 GetPEB 22858->22857 22859 bf4a18 GetCurrentProcess TerminateProcess 22858->22859 22859->22857 22861 bf4a30 ExitProcess 22860->22861 22863 bf4acc 22862->22863 22864 bf4aa9 GetProcAddress 22862->22864 22865 bf4adb 22863->22865 22866 bf4ad2 FreeLibrary 22863->22866 22869 bf4abe 22864->22869 22867 bed763 ___delayLoadHelper2@8 5 API calls 22865->22867 22866->22865 22868 bf4ae5 22867->22868 22868->22836 22869->22863 22874 bf5100 22871->22874 22873 bf5175 22873->22835 22875 bf510c ___FrameUnwindToState 22874->22875 22882 bf76c7 EnterCriticalSection 22875->22882 22877 bf511a 22883 bf51a1 22877->22883 22881 bf5138 ___FrameUnwindToState 22881->22873 22882->22877 22886 bf51c9 22883->22886 22887 bf51c1 22883->22887 22884 bed763 ___delayLoadHelper2@8 5 API calls 22885 bf5127 22884->22885 22889 bf5145 LeaveCriticalSection _abort 22885->22889 22886->22887 22888 bf59b2 _free 20 API calls 22886->22888 22887->22884 22888->22887 22889->22881 22890->22853 22892 bf7b29 22891->22892 22896 bf7b1f 22891->22896 22893 bf7726 __dosmaperr 5 API calls 22892->22893 22893->22896 22894 bed763 ___delayLoadHelper2@8 5 API calls 22895 bf4a04 22894->22895 22895->22857 22895->22858 22896->22894 23878 bf88ec GetCommandLineA GetCommandLineW 23975 beffea RaiseException 23976 bec3e9 19 API calls ___delayLoadHelper2@8 23879 bfc0e4 51 API calls 23922 bed5df 27 API calls pre_c_initialization 23881 be7cdc GetClientRect 23883 beaa98 96 API calls 4 
library calls 23978 bf7bd9 27 API calls 3 library calls 23884 bd94d1 72 API calls 23947 beaa98 101 API calls 4 library calls 23833 bec0cf 23834 bec0dc 23833->23834 23835 bdd192 54 API calls 23834->23835 23836 bec0f0 23835->23836 23837 bd3f2b _swprintf 51 API calls 23836->23837 23838 bec102 SetDlgItemTextW 23837->23838 23841 be991d PeekMessageW 23838->23841 23842 be9938 GetMessageW TranslateMessage DispatchMessageW 23841->23842 23843 be9959 23841->23843 23842->23843 23948 be86ca 22 API calls 23980 be63c2 114 API calls 23923 bea536 93 API calls _swprintf 23924 bed533 46 API calls 6 library calls 22897 bd192c 126 API calls __EH_prolog 23981 bed72a 28 API calls 2 library calls 23925 be0d28 26 API calls std::bad_exception::bad_exception 22928 bdde2a 22929 bdde3a 22928->22929 22930 bdde32 FreeLibrary 22928->22930 22930->22929 22932 bec725 19 API calls ___delayLoadHelper2@8 23926 be9122 73 API calls 23894 bff820 DeleteCriticalSection 23895 beb81f 72 API calls 23896 bd1019 29 API calls pre_c_initialization 22934 bd9c18 22935 bd9c2b 22934->22935 22936 bd9c24 22934->22936 22937 bd9c31 GetStdHandle 22935->22937 22939 bd9c3c 22935->22939 22937->22939 22938 bd9c91 WriteFile 22938->22939 22939->22936 22939->22938 22940 bd9c5c 22939->22940 22941 bd9c61 WriteFile 22939->22941 22943 bd9d04 22939->22943 22945 bd6d16 56 API calls 22939->22945 22940->22939 22940->22941 22941->22939 22941->22940 22946 bd6f23 68 API calls 22943->22946 22945->22939 22946->22936 22952 bf6417 22960 bf783d 22952->22960 22955 bf642b 22957 bf6433 22958 bf6440 22957->22958 22968 bf6443 11 API calls 22957->22968 22961 bf7726 __dosmaperr 5 API calls 22960->22961 22962 bf7864 22961->22962 22963 bf787c TlsAlloc 22962->22963 22966 bf786d 22962->22966 22963->22966 22964 bed763 ___delayLoadHelper2@8 5 API calls 22965 bf6421 22964->22965 22965->22955 22967 bf6392 20 API calls 2 library calls 22965->22967 22966->22964 22967->22957 22968->22955 23982 bed716 20 API calls 23953 bfee16 CloseHandle 23983 bd1714 79 API calls 
23984 bf1b10 5 API calls 2 library calls 23928 bf550a 8 API calls ___vcrt_uninitialize 23954 bf7207 21 API calls 23902 bed002 38 API calls 2 library calls 23985 bfc301 21 API calls __vswprintf_c_l 23986 bf4b7a 52 API calls 3 library calls 22010 beb076 22012 beb07b 22010->22012 22021 beaa98 _wcsrchr 22010->22021 22012->22021 22036 beb9a9 22012->22036 22014 beb641 22016 bead85 SetWindowTextW 22016->22021 22021->22014 22021->22016 22024 beab69 ___scrt_fastfail 22021->22024 22035 be0b00 CompareStringW 22021->22035 22059 be96eb 22021->22059 22063 be8b8d GetCurrentDirectoryW 22021->22063 22064 bda1f9 7 API calls 22021->22064 22070 bda182 FindClose 22021->22070 22071 be9843 69 API calls ___std_exception_copy 22021->22071 22072 bf20ce 22021->22072 22022 beab76 SetFileAttributesW 22022->22024 22025 beac31 GetFileAttributesW 22022->22025 22024->22021 22024->22022 22024->22025 22029 beaf4f GetDlgItem SetWindowTextW SendMessageW 22024->22029 22031 beaf91 SendMessageW 22024->22031 22065 bdb150 52 API calls 2 library calls 22024->22065 22066 bd3f2b 22024->22066 22069 bda1f9 7 API calls 22024->22069 22025->22024 22027 beac3f DeleteFileW 22025->22027 22027->22024 22029->22024 22031->22021 22033 beac85 MoveFileW 22033->22024 22034 beac9d MoveFileExW 22033->22034 22034->22024 22035->22021 22037 beb9b3 ___scrt_fastfail 22036->22037 22038 beba9e 22037->22038 22044 bebc0b 22037->22044 22088 be0b00 CompareStringW 22037->22088 22085 bd9e4f 22038->22085 22042 bebad2 ShellExecuteExW 22042->22044 22050 bebae5 22042->22050 22044->22021 22045 bebaca 22045->22042 22046 bebb20 22090 bebe68 WaitForSingleObject PeekMessageW WaitForSingleObject 22046->22090 22047 bebb76 CloseHandle 22048 bebb84 22047->22048 22049 bebb8f 22047->22049 22091 be0b00 CompareStringW 22048->22091 22049->22044 22055 bebc06 ShowWindow 22049->22055 22050->22046 22050->22047 22053 bebb1a ShowWindow 22050->22053 22053->22046 22054 bebb38 22054->22047 22056 bebb4b GetExitCodeProcess 22054->22056 22055->22044 22056->22047 22057 
bebb5e 22056->22057 22057->22047 22060 be96f5 22059->22060 22061 be97a8 ExpandEnvironmentStringsW 22060->22061 22062 be97cb 22060->22062 22061->22062 22062->22021 22063->22021 22064->22021 22065->22024 22115 bd3efe 22066->22115 22069->22024 22070->22021 22071->22021 22073 bf5ada 22072->22073 22074 bf5ae7 22073->22074 22075 bf5af2 22073->22075 22187 bf59ec 22074->22187 22077 bf5afa 22075->22077 22084 bf5b03 __dosmaperr 22075->22084 22080 bf59b2 _free 20 API calls 22077->22080 22078 bf5b2d RtlReAllocateHeap 22082 bf5aef 22078->22082 22078->22084 22079 bf5b08 22194 bf5e2e 20 API calls __dosmaperr 22079->22194 22080->22082 22082->22021 22084->22078 22084->22079 22195 bf4689 7 API calls 2 library calls 22084->22195 22092 bd9e63 22085->22092 22088->22038 22089 bdae70 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW CharUpperW 22089->22045 22090->22054 22091->22049 22100 becec0 22092->22100 22095 bd9e58 22095->22042 22095->22089 22096 bd9e81 22102 bdb2c5 22096->22102 22098 bd9e95 22098->22095 22099 bd9e99 GetFileAttributesW 22098->22099 22099->22095 22101 bd9e70 GetFileAttributesW 22100->22101 22101->22095 22101->22096 22103 bdb2d2 22102->22103 22111 bdb2dc 22103->22111 22112 bdb45f CharUpperW 22103->22112 22105 bdb2eb 22113 bdb48b CharUpperW 22105->22113 22107 bdb2fa 22108 bdb2fe 22107->22108 22109 bdb375 GetCurrentDirectoryW 22107->22109 22114 bdb45f CharUpperW 22108->22114 22109->22111 22111->22098 22112->22105 22113->22107 22114->22111 22116 bd3f15 __vswprintf_c_l 22115->22116 22119 bf34cd 22116->22119 22122 bf21ab 22119->22122 22123 bf21eb 22122->22123 22124 bf21d3 22122->22124 22123->22124 22126 bf21f3 22123->22126 22139 bf5e2e 20 API calls __dosmaperr 22124->22139 22141 bf2626 22126->22141 22127 bf21d8 22140 bf5d0d 26 API calls pre_c_initialization 22127->22140 22132 bed763 ___delayLoadHelper2@8 5 API calls 22134 bd3f1f GetFileAttributesW 22132->22134 22133 bf227b 22150 bf282c 51 API calls 3 library calls 22133->22150 22134->22024 22134->22033 22137 bf2286 
22151 bf26a9 20 API calls _free 22137->22151 22138 bf21e3 22138->22132 22139->22127 22140->22138 22142 bf2203 22141->22142 22143 bf2643 22141->22143 22149 bf25f1 20 API calls 2 library calls 22142->22149 22143->22142 22152 bf630e GetLastError 22143->22152 22145 bf2664 22173 bf645d 38 API calls __fassign 22145->22173 22147 bf267d 22174 bf648a 38 API calls __fassign 22147->22174 22149->22133 22150->22137 22151->22138 22153 bf6324 22152->22153 22154 bf6330 22152->22154 22175 bf78e9 11 API calls 2 library calls 22153->22175 22176 bf5a7d 20 API calls 2 library calls 22154->22176 22157 bf632a 22157->22154 22159 bf6379 SetLastError 22157->22159 22158 bf633c 22160 bf6344 22158->22160 22183 bf793f 11 API calls 2 library calls 22158->22183 22159->22145 22177 bf59b2 22160->22177 22162 bf6359 22162->22160 22164 bf6360 22162->22164 22184 bf6180 20 API calls __dosmaperr 22164->22184 22165 bf634a 22166 bf6385 SetLastError 22165->22166 22185 bf5a3a 38 API calls _abort 22166->22185 22168 bf636b 22170 bf59b2 _free 20 API calls 22168->22170 22172 bf6372 22170->22172 22172->22159 22172->22166 22173->22147 22174->22142 22175->22157 22176->22158 22178 bf59bd RtlFreeHeap 22177->22178 22182 bf59e6 __dosmaperr 22177->22182 22179 bf59d2 22178->22179 22178->22182 22186 bf5e2e 20 API calls __dosmaperr 22179->22186 22181 bf59d8 GetLastError 22181->22182 22182->22165 22183->22162 22184->22168 22186->22181 22188 bf5a2a 22187->22188 22193 bf59fa __dosmaperr 22187->22193 22197 bf5e2e 20 API calls __dosmaperr 22188->22197 22189 bf5a15 RtlAllocateHeap 22191 bf5a28 22189->22191 22189->22193 22191->22082 22193->22188 22193->22189 22196 bf4689 7 API calls 2 library calls 22193->22196 22194->22082 22195->22084 22196->22193 22197->22191 22200 bf4e74 22211 bf8549 22200->22211 22205 bf4e91 22207 bf59b2 _free 20 API calls 22205->22207 22208 bf4ec6 22207->22208 22209 bf4e9c 22210 bf59b2 _free 20 API calls 22209->22210 22210->22205 22212 bf8552 22211->22212 22214 bf4e86 22211->22214 22228 bf8448 22212->22228 
22215 bf89a0 GetEnvironmentStringsW 22214->22215 22216 bf89b7 22215->22216 22226 bf8a0a 22215->22226 22219 bf89bd WideCharToMultiByte 22216->22219 22217 bf4e8b 22217->22205 22227 bf4ecc 26 API calls 4 library calls 22217->22227 22218 bf8a13 FreeEnvironmentStringsW 22218->22217 22220 bf89d9 22219->22220 22219->22226 22221 bf59ec __vswprintf_c_l 21 API calls 22220->22221 22222 bf89df 22221->22222 22223 bf89e6 WideCharToMultiByte 22222->22223 22224 bf89fc 22222->22224 22223->22224 22225 bf59b2 _free 20 API calls 22224->22225 22225->22226 22226->22217 22226->22218 22227->22209 22229 bf630e _abort 38 API calls 22228->22229 22230 bf8455 22229->22230 22248 bf8567 22230->22248 22232 bf845d 22257 bf81dc 22232->22257 22235 bf8474 22235->22214 22236 bf59ec __vswprintf_c_l 21 API calls 22237 bf8485 22236->22237 22238 bf84b7 22237->22238 22264 bf8609 22237->22264 22241 bf59b2 _free 20 API calls 22238->22241 22241->22235 22242 bf84b2 22274 bf5e2e 20 API calls __dosmaperr 22242->22274 22244 bf84fb 22244->22238 22275 bf80b2 26 API calls 22244->22275 22245 bf84cf 22245->22244 22246 bf59b2 _free 20 API calls 22245->22246 22246->22244 22249 bf8573 ___FrameUnwindToState 22248->22249 22250 bf630e _abort 38 API calls 22249->22250 22255 bf857d 22250->22255 22252 bf8601 ___FrameUnwindToState 22252->22232 22255->22252 22256 bf59b2 _free 20 API calls 22255->22256 22276 bf5a3a 38 API calls _abort 22255->22276 22277 bf76c7 EnterCriticalSection 22255->22277 22278 bf85f8 LeaveCriticalSection _abort 22255->22278 22256->22255 22258 bf2626 __fassign 38 API calls 22257->22258 22259 bf81ee 22258->22259 22260 bf820f 22259->22260 22261 bf81fd GetOEMCP 22259->22261 22262 bf8214 GetACP 22260->22262 22263 bf8226 22260->22263 22261->22263 22262->22263 22263->22235 22263->22236 22265 bf81dc 40 API calls 22264->22265 22266 bf8628 22265->22266 22269 bf8679 IsValidCodePage 22266->22269 22271 bf862f 22266->22271 22273 bf869e ___scrt_fastfail 22266->22273 22267 bed763 ___delayLoadHelper2@8 5 API calls 22268 
bf84aa 22267->22268 22268->22242 22268->22245 22270 bf868b GetCPInfo 22269->22270 22269->22271 22270->22271 22270->22273 22271->22267 22279 bf82b4 GetCPInfo 22273->22279 22274->22238 22275->22238 22277->22255 22278->22255 22283 bf82ee 22279->22283 22288 bf8398 22279->22288 22282 bed763 ___delayLoadHelper2@8 5 API calls 22285 bf8444 22282->22285 22289 bf93e4 22283->22289 22285->22271 22287 bf75bc __vswprintf_c_l 43 API calls 22287->22288 22288->22282 22290 bf2626 __fassign 38 API calls 22289->22290 22291 bf9404 MultiByteToWideChar 22290->22291 22293 bf94da 22291->22293 22294 bf9442 22291->22294 22295 bed763 ___delayLoadHelper2@8 5 API calls 22293->22295 22296 bf59ec __vswprintf_c_l 21 API calls 22294->22296 22299 bf9463 __vswprintf_c_l ___scrt_fastfail 22294->22299 22297 bf834f 22295->22297 22296->22299 22303 bf75bc 22297->22303 22298 bf94d4 22308 bf7607 20 API calls _free 22298->22308 22299->22298 22301 bf94a8 MultiByteToWideChar 22299->22301 22301->22298 22302 bf94c4 GetStringTypeW 22301->22302 22302->22298 22304 bf2626 __fassign 38 API calls 22303->22304 22305 bf75cf 22304->22305 22309 bf739f 22305->22309 22308->22293 22310 bf73ba __vswprintf_c_l 22309->22310 22311 bf73e0 MultiByteToWideChar 22310->22311 22312 bf740a 22311->22312 22313 bf7594 22311->22313 22318 bf59ec __vswprintf_c_l 21 API calls 22312->22318 22320 bf742b __vswprintf_c_l 22312->22320 22314 bed763 ___delayLoadHelper2@8 5 API calls 22313->22314 22315 bf75a7 22314->22315 22315->22287 22316 bf74e0 22345 bf7607 20 API calls _free 22316->22345 22317 bf7474 MultiByteToWideChar 22317->22316 22319 bf748d 22317->22319 22318->22320 22336 bf79fa 22319->22336 22320->22316 22320->22317 22324 bf74ef 22326 bf59ec __vswprintf_c_l 21 API calls 22324->22326 22330 bf7510 __vswprintf_c_l 22324->22330 22325 bf74b7 22325->22316 22327 bf79fa __vswprintf_c_l 11 API calls 22325->22327 22326->22330 22327->22316 22328 bf7585 22344 bf7607 20 API calls _free 22328->22344 22330->22328 22331 bf79fa __vswprintf_c_l 11 API calls 
22330->22331 22332 bf7564 22331->22332 22332->22328 22333 bf7573 WideCharToMultiByte 22332->22333 22333->22328 22334 bf75b3 22333->22334 22346 bf7607 20 API calls _free 22334->22346 22347 bf7726 22336->22347 22340 bf7a6a LCMapStringW 22341 bf7a2a 22340->22341 22342 bed763 ___delayLoadHelper2@8 5 API calls 22341->22342 22343 bf74a4 22342->22343 22343->22316 22343->22324 22343->22325 22344->22316 22345->22313 22346->22316 22348 bf7756 22347->22348 22352 bf7752 22347->22352 22348->22341 22354 bf7a82 10 API calls 3 library calls 22348->22354 22349 bf7776 22349->22348 22351 bf7782 GetProcAddress 22349->22351 22353 bf7792 __crt_fast_encode_pointer 22351->22353 22352->22348 22352->22349 22355 bf77c2 22352->22355 22353->22348 22354->22340 22356 bf77e3 LoadLibraryExW 22355->22356 22361 bf77d8 22355->22361 22357 bf7818 22356->22357 22358 bf7800 GetLastError 22356->22358 22360 bf782f FreeLibrary 22357->22360 22357->22361 22358->22357 22359 bf780b LoadLibraryExW 22358->22359 22359->22357 22360->22361 22361->22352 23987 bfd774 IsProcessorFeaturePresent 23959 bf0e6a 48 API calls 23907 bd1067 75 API calls pre_c_initialization 23930 be8962 GdipDisposeImage GdipFree __except_handler4 23931 be995e 104 API calls 23932 be955e 71 API calls 22947 becd5b 22948 becd65 22947->22948 22949 becabb ___delayLoadHelper2@8 19 API calls 22948->22949 22950 becd72 22949->22950 23990 bed759 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 23991 bee750 51 API calls 2 library calls 23992 bf1f50 RtlUnwind 22969 be9b4e 22970 be9b58 __EH_prolog 22969->22970 23129 bd12e7 22970->23129 22973 bea22f 23202 beb8bb 22973->23202 22974 be9b9a 22977 be9ba7 22974->22977 22978 be9c10 22974->22978 23034 be9b86 22974->23034 22982 be9bac 22977->22982 22983 be9be3 22977->22983 22981 be9caf GetDlgItemTextW 22978->22981 22987 be9c2a 22978->22987 22979 bea24d SendMessageW 22980 bea25b 22979->22980 22985 bea264 SendDlgItemMessageW 22980->22985 22986 bea275 
GetDlgItem SendMessageW 22980->22986 22981->22983 22984 be9ce6 22981->22984 22988 bdd192 54 API calls 22982->22988 22982->23034 22989 be9c04 KiUserCallbackDispatcher 22983->22989 22983->23034 22991 be9cfe GetDlgItem 22984->22991 23127 be9cef 22984->23127 22985->22986 23220 be8b8d GetCurrentDirectoryW 22986->23220 22992 bdd192 54 API calls 22987->22992 22993 be9bc6 22988->22993 22989->23034 22995 be9d38 SetFocus 22991->22995 22996 be9d12 SendMessageW SendMessageW 22991->22996 22997 be9c4c SetDlgItemTextW 22992->22997 23240 bd1227 SHGetMalloc 22993->23240 22994 bea2a7 GetDlgItem 23001 bea2c6 SetWindowTextW 22994->23001 23002 bea2c0 22994->23002 22999 be9d48 22995->22999 23013 be9d54 22995->23013 22996->22995 22998 be9c5a 22997->22998 23008 be9c67 GetMessageW 22998->23008 23020 be9c8d TranslateMessage DispatchMessageW 22998->23020 22998->23034 23004 bdd192 54 API calls 22999->23004 23221 be8fc7 GetClassNameW 23001->23221 23002->23001 23009 be9d52 23004->23009 23005 be9bcd 23010 be9bd1 SetDlgItemTextW 23005->23010 23005->23034 23006 bea1cf 23011 bdd192 54 API calls 23006->23011 23008->22998 23008->23034 23139 beb70d GetDlgItem 23009->23139 23010->23034 23014 bea1df SetDlgItemTextW 23011->23014 23018 bdd192 54 API calls 23013->23018 23016 bea1f3 23014->23016 23023 bdd192 54 API calls 23016->23023 23022 be9d86 23018->23022 23019 be9da9 23147 bd9d1e 23019->23147 23020->22998 23021 bea311 23027 bea341 23021->23027 23031 bdd192 54 API calls 23021->23031 23028 bd3f2b _swprintf 51 API calls 23022->23028 23024 bea21c 23023->23024 23029 bdd192 54 API calls 23024->23029 23026 beaa44 91 API calls 23026->23021 23032 bea3f9 23027->23032 23033 beaa44 91 API calls 23027->23033 23028->23009 23029->23034 23038 bea324 SetDlgItemTextW 23031->23038 23035 bea4a9 23032->23035 23064 bea487 23032->23064 23075 bdd192 54 API calls 23032->23075 23039 bea35c 23033->23039 23040 bea4bb 23035->23040 23041 bea4b2 EnableWindow 23035->23041 23036 be9dde GetLastError 23037 be9de5 23036->23037 23153 
be9022 SetCurrentDirectoryW 23037->23153 23043 bdd192 54 API calls 23038->23043 23046 bea36e 23039->23046 23058 bea393 23039->23058 23051 bea4d8 23040->23051 23251 bd12a4 GetDlgItem EnableWindow 23040->23251 23041->23040 23045 bea338 SetDlgItemTextW 23043->23045 23044 be9dfb 23049 be9e04 GetLastError 23044->23049 23055 be9e0e 23044->23055 23045->23027 23249 be859b 6 API calls 23046->23249 23047 bea3ec 23052 beaa44 91 API calls 23047->23052 23049->23055 23050 bea4ff 23050->23034 23056 bdd192 54 API calls 23050->23056 23051->23050 23061 bea4f7 SendMessageW 23051->23061 23052->23032 23054 bea4ce 23252 bd12a4 GetDlgItem EnableWindow 23054->23252 23060 be9e89 23055->23060 23062 be9e26 GetTickCount 23055->23062 23063 be9e99 23055->23063 23065 bea518 SetDlgItemTextW 23056->23065 23057 bea387 23057->23058 23058->23047 23076 beaa44 91 API calls 23058->23076 23060->23063 23066 bea0d2 23060->23066 23061->23050 23067 bd3f2b _swprintf 51 API calls 23062->23067 23070 bea06d 23063->23070 23071 be9eb1 GetModuleFileNameW 23063->23071 23250 be859b 6 API calls 23064->23250 23065->23034 23162 bd12c2 GetDlgItem ShowWindow 23066->23162 23073 be9e43 23067->23073 23070->22983 23080 bdd192 54 API calls 23070->23080 23241 bddecc 23071->23241 23154 bd9541 23073->23154 23074 bea4a6 23074->23035 23075->23032 23081 bea3c1 23076->23081 23077 bea0e2 23163 bd12c2 GetDlgItem ShowWindow 23077->23163 23085 bea081 23080->23085 23081->23047 23082 bea3ca DialogBoxParamW 23081->23082 23082->22983 23082->23047 23083 bea0ec 23086 bdd192 54 API calls 23083->23086 23084 bd3f2b _swprintf 51 API calls 23087 be9efd CreateFileMappingW 23084->23087 23089 bd3f2b _swprintf 51 API calls 23085->23089 23090 bea0f6 SetDlgItemTextW 23086->23090 23091 be9f5f GetCommandLineW 23087->23091 23121 be9fdc __vswprintf_c_l 23087->23121 23093 bea09f 23089->23093 23164 bd12c2 GetDlgItem ShowWindow 23090->23164 23096 be9f70 23091->23096 23092 be9e69 23097 be9e77 23092->23097 23098 be9e70 GetLastError 23092->23098 23105 bdd192 54 
API calls 23093->23105 23094 be9fe7 ShellExecuteExW 23118 bea004 23094->23118 23245 be97e3 SHGetMalloc 23096->23245 23101 bd9487 72 API calls 23097->23101 23098->23097 23099 bea10a SetDlgItemTextW GetDlgItem 23102 bea13b 23099->23102 23103 bea123 GetWindowLongW SetWindowLongW 23099->23103 23101->23060 23165 beaa44 23102->23165 23103->23102 23104 be9f8c 23246 be97e3 SHGetMalloc 23104->23246 23105->22983 23109 be9f98 23247 be97e3 SHGetMalloc 23109->23247 23110 bea047 23110->23070 23115 bea05d UnmapViewOfFile CloseHandle 23110->23115 23111 beaa44 91 API calls 23113 bea157 23111->23113 23190 bebc77 23113->23190 23114 be9fa4 23117 bde030 73 API calls 23114->23117 23115->23070 23120 be9fbb MapViewOfFile 23117->23120 23118->23110 23122 bea033 Sleep 23118->23122 23120->23121 23121->23094 23122->23110 23122->23118 23127->22983 23127->23006 23130 bd1349 23129->23130 23131 bd12f0 23129->23131 23271 bdcf00 GetWindowLongW SetWindowLongW 23130->23271 23132 bd1356 23131->23132 23253 bdcf27 23131->23253 23132->22973 23132->22974 23132->23034 23136 bd1325 GetDlgItem 23136->23132 23137 bd1335 23136->23137 23137->23132 23138 bd133b SetWindowTextW 23137->23138 23138->23132 23140 beb769 SendMessageW SendMessageW 23139->23140 23141 beb739 23139->23141 23142 beb7c0 SendMessageW SendMessageW SendMessageW 23140->23142 23143 beb7a1 23140->23143 23144 beb744 ShowWindow SendMessageW SendMessageW 23141->23144 23145 beb80a SendMessageW 23142->23145 23146 beb7eb SendMessageW 23142->23146 23143->23142 23144->23140 23145->23019 23146->23145 23150 bd9d28 23147->23150 23148 bd9db9 23149 bd9ed6 9 API calls 23148->23149 23151 bd9de2 23148->23151 23149->23151 23150->23148 23150->23151 23275 bd9ed6 23150->23275 23151->23036 23151->23037 23153->23044 23155 bd954b 23154->23155 23156 bd95b5 CreateFileW 23155->23156 23157 bd95a9 23155->23157 23156->23157 23158 bd9607 23157->23158 23159 bdb2c5 2 API calls 23157->23159 23158->23092 23160 bd95ee 23159->23160 23160->23158 23161 bd95f2 CreateFileW 23160->23161 

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00BDF3A5: GetModuleHandleW.KERNEL32 ref: 00BDF3BD
                                    • Part of subcall function 00BDF3A5: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BDF3D5
                                    • Part of subcall function 00BDF3A5: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BDF3F8
                                    • Part of subcall function 00BE8B8D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00BE8B95
                                    • Part of subcall function 00BE9035: OleInitialize.OLE32(00000000), ref: 00BE904E
                                    • Part of subcall function 00BE9035: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BE9085
                                    • Part of subcall function 00BE9035: SHGetMalloc.SHELL32(00C120E8), ref: 00BE908F
                                    • Part of subcall function 00BE0710: GetCPInfo.KERNEL32(00000000,?), ref: 00BE0721
                                    • Part of subcall function 00BE0710: IsDBCSLeadByte.KERNEL32(00000000), ref: 00BE0735
                                  • GetCommandLineW.KERNEL32 ref: 00BEC178
                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00BEC19F
                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00BEC1B0
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 00BEC1EA
                                    • Part of subcall function 00BEBE09: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00BEBE1F
                                    • Part of subcall function 00BEBE09: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BEBE5B
                                  • CloseHandle.KERNEL32(00000000), ref: 00BEC1F3
                                  • GetModuleFileNameW.KERNEL32(00000000,00C27938,00000800), ref: 00BEC20E
                                  • SetEnvironmentVariableW.KERNEL32(sfxname,00C27938), ref: 00BEC220
                                  • GetLocalTime.KERNEL32(?), ref: 00BEC227
                                  • _swprintf.LIBCMT ref: 00BEC266
                                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00BEC278
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00BEC27B
                                  • LoadIconW.USER32(00000000,00000064), ref: 00BEC292
                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4E,00000000), ref: 00BEC2E3
                                  • Sleep.KERNEL32(?), ref: 00BEC311
                                  • DeleteObject.GDI32 ref: 00BEC350
                                  • DeleteObject.GDI32(?), ref: 00BEC35C
                                    • Part of subcall function 00BEA8D3: CharUpperW.USER32(?,?,?,?,00001000), ref: 00BEA92B
                                    • Part of subcall function 00BEA8D3: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00BEA952
                                  • CloseHandle.KERNEL32 ref: 00BEC39B
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                  • API String ID: 985665271-3710569615
                                  • Opcode ID: 280adb418a5eef75a870705381497440c97df5054005756e4aa557b9ff1e6d93
                                  • Instruction ID: 1085b10bd6462b665c4a7143da348248442fea169c4e2a3b24530b913f0689f5
                                  • Opcode Fuzzy Hash: 280adb418a5eef75a870705381497440c97df5054005756e4aa557b9ff1e6d93
                                  • Instruction Fuzzy Hash: 97610971904384AFD720AB76EC49F6F7BECEB49700F15446AF905931A2EBB48C45C7A2

                                  Control-flow Graph

                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,00BDA1BE,000000FF,?,?), ref: 00BDA2F8
                                  • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00BDA1BE,000000FF,?,?), ref: 00BDA32E
                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00BDA1BE,000000FF,?,?), ref: 00BDA336
                                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,00BDA1BE,000000FF,?,?), ref: 00BDA35E
                                  • GetLastError.KERNEL32(?,?,?,?,00BDA1BE,000000FF,?,?), ref: 00BDA36A
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FileFind$ErrorFirstLast$Next
                                  • String ID:
                                  • API String ID: 869497890-0
                                  • Opcode ID: 979ea5d8c53ca4503f394c5ce0bbb497898dc69cb6e1c18227c48637cb690501
                                  • Instruction ID: 22a60c7561f658183054192692594b03fa500d0f3a8118bdd4465809a5dd2017
                                  • Opcode Fuzzy Hash: 979ea5d8c53ca4503f394c5ce0bbb497898dc69cb6e1c18227c48637cb690501
                                  • Instruction Fuzzy Hash: 02417F72604281AFC324EF78C880BDAF7E9FF49350F050A6AF5D9D3240E774A9548B96
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,00BF49D0,?,00C07F60,0000000C,00BF4B27,?,00000002,00000000), ref: 00BF4A1B
                                  • TerminateProcess.KERNEL32(00000000,?,00BF49D0,?,00C07F60,0000000C,00BF4B27,?,00000002,00000000), ref: 00BF4A22
                                  • ExitProcess.KERNEL32 ref: 00BF4A34
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 86c0fcc793c16b25d8405a296c520e0e543c5e34a1f9fbdd221a97cb19f934fc
                                  • Instruction ID: be56693b3a33408a861ff40336bf8b8089758a30a87d6abe5194e68ee6dde04e
                                  • Opcode Fuzzy Hash: 86c0fcc793c16b25d8405a296c520e0e543c5e34a1f9fbdd221a97cb19f934fc
                                  • Instruction Fuzzy Hash: F1E04631040108AFCF11AF24DC08BAD3BA9EB01342F1200A4FA089B132CB35DE86DB40
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD83F0
                                  • _memcmp.LIBVCRUNTIME ref: 00BD8858
                                    • Part of subcall function 00BD80DA: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,00BD86CF,?,-00000930,?), ref: 00BD819D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CharH_prologUpper_memcmp
                                  • String ID:
                                  • API String ID: 4047935103-0
                                  • Opcode ID: d5b90d30448d3f3727be48f63c1cb95431aaabef3365ad7dd017abd3c2bff2e6
                                  • Instruction ID: ec7d0cdb237177937d80f5e4f1807a9e6f85fc1f38dd9f8e00af1fda5f61b61d
                                  • Opcode Fuzzy Hash: d5b90d30448d3f3727be48f63c1cb95431aaabef3365ad7dd017abd3c2bff2e6
                                  • Instruction Fuzzy Hash: 5672B371904185AEDF15DB64C885BF9FBE9EF15301F0841FBE8499B382EB319A85CB60
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BE9B53
                                    • Part of subcall function 00BD12E7: GetDlgItem.USER32(00000000,00003021), ref: 00BD132B
                                    • Part of subcall function 00BD12E7: SetWindowTextW.USER32(00000000,00C002E4), ref: 00BD1341
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prologItemTextWindow
                                  • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                  • API String ID: 810644672-2803697902
                                  • Opcode ID: d358c91ea10919f67a78fc30a53480f32068db54cd312c4570fdf4a1fdc7d503
                                  • Instruction ID: bf40986ba8748fff5a47dd80ff06d10d1c56c16c7426fc4900b621728511e0ba
                                  • Opcode Fuzzy Hash: d358c91ea10919f67a78fc30a53480f32068db54cd312c4570fdf4a1fdc7d503
                                  • Instruction Fuzzy Hash: 8F420471A40384BFEB21AB619C8AFEE7BECEB06700F1040D5F641A61D2D7B45D44DB66

                                  Control-flow Graph

                                  APIs
                                  • GetModuleHandleW.KERNEL32 ref: 00BDF3BD
                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00BDF3D5
                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00BDF3F8
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BDF6A3
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BDF6BB
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BDF6CD
                                  • ReadFile.KERNEL32(00000000,?,00007FFE,00C00858,00000000), ref: 00BDF6EC
                                  • CloseHandle.KERNEL32(00000000), ref: 00BDF744
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00BDF75A
                                  • CompareStringW.KERNEL32(00000400,00001001,00C008A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00BDF7B4
                                  • GetFileAttributesW.KERNEL32(?,?,00C00870,00000800,?,00000000,?,00000800), ref: 00BDF7DD
                                  • GetFileAttributesW.KERNEL32(?,?,00C00930,00000800), ref: 00BDF816
                                    • Part of subcall function 00BDF35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BDF376
                                    • Part of subcall function 00BDF35B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00BDDF18,Crypt32.dll,?,00BDDF9C,?,00BDDF7E,?,?,?,?), ref: 00BDF398
                                  • _swprintf.LIBCMT ref: 00BDF886
                                  • _swprintf.LIBCMT ref: 00BDF8D2
                                    • Part of subcall function 00BD3F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD3F3E
                                  • AllocConsole.KERNEL32 ref: 00BDF8DA
                                  • GetCurrentProcessId.KERNEL32 ref: 00BDF8E4
                                  • AttachConsole.KERNEL32(00000000), ref: 00BDF8EB
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00BDF911
                                  • WriteConsoleW.KERNEL32(00000000), ref: 00BDF918
                                  • Sleep.KERNEL32(00002710), ref: 00BDF923
                                  • FreeConsole.KERNEL32 ref: 00BDF929
                                  • ExitProcess.KERNEL32 ref: 00BDF931
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                  • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                  • API String ID: 1201351596-3298887752
                                  • Opcode ID: 596d02146311f6e072c701cb13874d43eaf281e482e8b84d74ba7bd614a2ba36
                                  • Instruction ID: e428746d9f39e5cb22706caf8d6ab553bf0fd47cbd183521183813451c48a72a
                                  • Opcode Fuzzy Hash: 596d02146311f6e072c701cb13874d43eaf281e482e8b84d74ba7bd614a2ba36
                                  • Instruction Fuzzy Hash: 61D153F15083859BDB30DF50C849BEFBBE8EB85704F62492DE589962C1DBB09548CB63

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BEAA49
                                    • Part of subcall function 00BE96EB: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00BE97B3
                                  • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,00BEA35C,?,00000000), ref: 00BEAB7E
                                  • GetFileAttributesW.KERNEL32(?), ref: 00BEAC38
                                  • DeleteFileW.KERNEL32(?), ref: 00BEAC46
                                  • SetWindowTextW.USER32(?,?), ref: 00BEAD8F
                                  • _wcsrchr.LIBVCRUNTIME ref: 00BEAF19
                                  • GetDlgItem.USER32(?,00000066), ref: 00BEAF54
                                  • SetWindowTextW.USER32(00000000,?), ref: 00BEAF64
                                  • SendMessageW.USER32(00000000,00000143,00000000,00C1412A), ref: 00BEAF78
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BEAFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
                                  • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                  • API String ID: 3676479488-312220925
                                  • Opcode ID: 1733d732ec88f70f711d5caf7106bf9b3025dd8636aa4917b9c2900e7719b5f6
                                  • Instruction ID: ba744547df0100940b117c6f203cd434d316e31312304013868a1184980823ff
                                  • Opcode Fuzzy Hash: 1733d732ec88f70f711d5caf7106bf9b3025dd8636aa4917b9c2900e7719b5f6
                                  • Instruction Fuzzy Hash: A7E12F72900259AAEF24ABA1DD85EEEB3FCEF05350F1044E6F505E3151EB749B84CB61

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00BDC8DE: _wcschr.LIBVCRUNTIME ref: 00BDC90D
                                  • GetWindowRect.USER32(?,?), ref: 00BDCF5E
                                  • GetClientRect.USER32(?,?), ref: 00BDCF6A
                                  • GetWindowLongW.USER32(?,000000F0), ref: 00BDD00B
                                  • GetWindowRect.USER32(?,?), ref: 00BDD038
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00BDD057
                                  • SetWindowTextW.USER32(?,?), ref: 00BDD07E
                                  • GetSystemMetrics.USER32(00000008), ref: 00BDD086
                                  • GetWindow.USER32(?,00000005), ref: 00BDD091
                                  • GetWindowTextW.USER32(00000000,?,00000400), ref: 00BDD0BC
                                  • SetWindowTextW.USER32(00000000,00000000), ref: 00BDD0E9
                                  • GetWindowRect.USER32(00000000,?), ref: 00BDD0FC
                                  • GetWindow.USER32(00000000,00000002), ref: 00BDD16E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Window$RectText$ClientLongMetricsSystem_wcschr
                                  • String ID: d
                                  • API String ID: 4134264131-2564639436
                                  • Opcode ID: 9086e9c22609dc36c3e54b4131fd3df502bcb7d77b4e987991d3d81c30d222ed
                                  • Instruction ID: dc4afe559575e266cc06cf7bae80ae0078f81f347b8b1eb4ba2621383cb811d3
                                  • Opcode Fuzzy Hash: 9086e9c22609dc36c3e54b4131fd3df502bcb7d77b4e987991d3d81c30d222ed
                                  • Instruction Fuzzy Hash: 62615BB2208301AFD310DF68CD88F6FBBEAEBC9714F05491DF68492290D674E909CB52

                                  Control-flow Graph

                                  APIs
                                  • GetDlgItem.USER32(00000068,00C28958), ref: 00BEB71C
                                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00BE9324), ref: 00BEB747
                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00BEB756
                                  • SendMessageW.USER32(00000000,000000C2,00000000,00C002E4), ref: 00BEB760
                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BEB776
                                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00BEB78C
                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BEB7CC
                                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00BEB7D6
                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00BEB7E5
                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00BEB808
                                  • SendMessageW.USER32(00000000,000000C2,00000000,00C01368), ref: 00BEB813
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: MessageSend$ItemShowWindow
                                  • String ID: \
                                  • API String ID: 1207805008-2967466578
                                  • Opcode ID: 23a8f8fb7aaf5279f05f464733a496faf341b244bcab9d699e8e51b2a77aeca6
                                  • Instruction ID: 9cb0e5b280f262613a8aeac7733b82486642354d1db3f1dd149aac2c68030a11
                                  • Opcode Fuzzy Hash: 23a8f8fb7aaf5279f05f464733a496faf341b244bcab9d699e8e51b2a77aeca6
                                  • Instruction Fuzzy Hash: 7E2123712857447BE311EB259C41FAF7EDCEF86714F010A18FA90961D0D7A55E08CAA7

                                  Control-flow Graph

                                  APIs
                                  • FindResourceW.KERNEL32(00000066,PNG,?,?,00BE9AC7,00000066), ref: 00BE8BE0
                                  • SizeofResource.KERNEL32(00000000,75755780,?,?,00BE9AC7,00000066), ref: 00BE8BF8
                                  • LoadResource.KERNEL32(00000000,?,?,00BE9AC7,00000066), ref: 00BE8C0B
                                  • LockResource.KERNEL32(00000000,?,?,00BE9AC7,00000066), ref: 00BE8C16
                                  • GlobalAlloc.KERNEL32(00000002,00000000,00000000,?,?,?,00BE9AC7,00000066), ref: 00BE8C34
                                  • GlobalLock.KERNEL32(00000000), ref: 00BE8C41
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00BE8C61
                                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00BE8C9C
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00BE8CB1
                                  • GlobalFree.KERNEL32(00000000), ref: 00BE8CB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                  • String ID: PNG
                                  • API String ID: 3656887471-364855578
                                  • Opcode ID: cce7da01ba37c66fe9e407b97747302bb7eecd70e6ca8a12a4516917b6ca4497
                                  • Instruction ID: d934b087b34b23d8fa26148ded5faa83d21520c5542fa0ac3223b1d8f7deec33
                                  • Opcode Fuzzy Hash: cce7da01ba37c66fe9e407b97747302bb7eecd70e6ca8a12a4516917b6ca4497
                                  • Instruction Fuzzy Hash: D6216171502B41AFC7219F22DD49B2FBBE8EF46751F224568F94A96260DF31DC00CAA1

                                  Control-flow Graph

                                  APIs
                                  • ShellExecuteExW.SHELL32(000001C0), ref: 00BEBAD7
                                  • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00BEBB1C
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00BEBB54
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BEBB7A
                                  • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00BEBC09
                                    • Part of subcall function 00BE0B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00BDAC99,?,?,?,00BDAC48,?,-00000002,?,00000000,?), ref: 00BE0B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                  • String ID: $.exe$.inf
                                  • API String ID: 3686203788-2452507128
                                  • Opcode ID: 638256189532efe0e3958d2f48e2eb1bb6139887441d3dff9545187277b7cdc3
                                  • Instruction ID: 038eca27e60504ecc2279945ee521f5bddfae30c78bd29d7785e529c1da862dd
                                  • Opcode Fuzzy Hash: 638256189532efe0e3958d2f48e2eb1bb6139887441d3dff9545187277b7cdc3
                                  • Instruction Fuzzy Hash: 1451E2315093C09ADB31AF22D950FBFB7E9EF85704F0408ADE5C293194EBB18988CB52

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BDCB21
                                  • _wcschr.LIBVCRUNTIME ref: 00BDCB3F
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00BDCB03,?), ref: 00BDCB5A
                                    • Part of subcall function 00BE06D7: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00BDB2AB,00000000,?,?,?,?), ref: 00BE06F3
Memory Dump Source (the same dump applies to every function listed in this section)
• Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
                                  • String ID: *messages***$*messages***$R$a
                                  • API String ID: 803915177-2900423073
                                  • Opcode ID: 70349fc4986f2f334fd52f371ecd004448e86ce2c1fe225768a7608e30e6f9f4
                                  • Instruction ID: f60df64033b7639aac0343772cb2f8bfab355edc582b22aaa77d8c9e41bab3c8
                                  • Opcode Fuzzy Hash: 70349fc4986f2f334fd52f371ecd004448e86ce2c1fe225768a7608e30e6f9f4
                                  • Instruction Fuzzy Hash: 6291E5B290020A9ADB30DF64CC55BAAFFE5EF54300F1445FBE649A7391FA709984CB94

Control-flow graph (rendering omitted): function starting at bf739f, basic blocks bf739f-bf75ba, calls MultiByteToWideChar and WideCharToMultiByte
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BF2FB2,00BF2FB2,?,?,?,00BF75F0,00000001,00000001,F5E85006), ref: 00BF73F9
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BF75F0,00000001,00000001,F5E85006,?,?,?), ref: 00BF747F
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BF7579
                                  • __freea.LIBCMT ref: 00BF7586
                                    • Part of subcall function 00BF59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF239A,?,0000015D,?,?,?,?,00BF2F19,000000FF,00000000,?,?), ref: 00BF5A1E
                                  • __freea.LIBCMT ref: 00BF758F
                                  • __freea.LIBCMT ref: 00BF75B4
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                  • String ID:
                                  • API String ID: 1414292761-0
                                  • Opcode ID: fdd2c6d3877fa5876a3a6c777a0b8543e76f9bb6927f4fda7e0ebc4809def12e
                                  • Instruction ID: 0bb56e218ac8e414c1f8c8488f74091a473a95cdcf416fe18915b3b02ba2bfdf
                                  • Opcode Fuzzy Hash: fdd2c6d3877fa5876a3a6c777a0b8543e76f9bb6927f4fda7e0ebc4809def12e
                                  • Instruction Fuzzy Hash: 8651CF7264421AABDB258F64CC81EBF7AE9EB54750F2546E8FE04D7140EF34DC48C6A0

Control-flow graph (rendering omitted): function starting at be8fc7, basic blocks be8fc7-be901f, calls GetClassNameW and FindWindowExW
                                  APIs
                                  • GetClassNameW.USER32(?,?,00000050), ref: 00BE8FDE
                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 00BE9015
                                    • Part of subcall function 00BE0B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00BDAC99,?,?,?,00BDAC48,?,-00000002,?,00000000,?), ref: 00BE0B16
                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00BE9005
                                  Similarity
                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                  • String ID: @UJu$EDIT
                                  • API String ID: 4243998846-1013725496
                                  • Opcode ID: f5b396c61085e1ed4c5f317ea19246638f7d372ab20702d30d34857d0ba733ed
                                  • Instruction ID: ae968bfb24c121d1e329ec1d4c8a986da649acb5bcdb06dfd836096ac3fdd22d
                                  • Opcode Fuzzy Hash: f5b396c61085e1ed4c5f317ea19246638f7d372ab20702d30d34857d0ba733ed
                                  • Instruction Fuzzy Hash: 96F08232B017287BEB3056669C09FDF76ACEF4AB11F4504A5BE01E21C1D7A09945CAF6

Control-flow graph (rendering omitted): function starting at bddf05, basic blocks bddf05-bddf42, calls GetProcAddress twice
                                  APIs
                                    • Part of subcall function 00BDF35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BDF376
                                    • Part of subcall function 00BDF35B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00BDDF18,Crypt32.dll,?,00BDDF9C,?,00BDDF7E,?,?,?,?), ref: 00BDF398
                                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BDDF24
                                  • GetProcAddress.KERNEL32(00C11E58,CryptUnprotectMemory), ref: 00BDDF34
                                  Similarity
                                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                  • API String ID: 2141747552-1753850145
                                  • Opcode ID: 93be5b1f8b396f52ba08b960cd540d3c5102df04fc817b6644aa6351142219eb
                                  • Instruction ID: 7ff1e207894061c6c91abbfe8a3fd46bbc7fefdaa0d70a0b0377ecd9d83149f2
                                  • Opcode Fuzzy Hash: 93be5b1f8b396f52ba08b960cd540d3c5102df04fc817b6644aa6351142219eb
                                  • Instruction Fuzzy Hash: B1E04FB0504B43AEDB405B349848B04FFA5BB90714F2681A6F49AC2280EFB5D0A4CB50

                                  APIs
                                    • Part of subcall function 00BDFDB7: ResetEvent.KERNEL32(?,00DD4050,00BDFA45,00C11E74,00DD4050,?,-00000001,00BFF605,000000FF,?,00BDFC7B,?,?,00BDA5F0,?), ref: 00BDFDD7
                                    • Part of subcall function 00BDFDB7: ReleaseSemaphore.KERNEL32(?,?,00000000,?,-00000001,00BFF605,000000FF,?,00BDFC7B,?,?,00BDA5F0,?), ref: 00BDFDEB
                                  • ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00BDFA57
                                  • CloseHandle.KERNEL32(00DD4054), ref: 00BDFA71
                                  • DeleteCriticalSection.KERNEL32(00DD41F0), ref: 00BDFA8A
                                  • CloseHandle.KERNEL32(?), ref: 00BDFA96
                                  • CloseHandle.KERNEL32(?), ref: 00BDFAA2
                                    • Part of subcall function 00BDFB19: WaitForSingleObject.KERNEL32(?,000000FF,00BDFCF9,?,?,00BDFD6E,?,?,?,?,?,00BDFD58), ref: 00BDFB1F
                                    • Part of subcall function 00BDFB19: GetLastError.KERNEL32(?,?,00BDFD6E,?,?,?,?,?,00BDFD58), ref: 00BDFB2B
                                  Similarity
                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                  • String ID:
                                  • API String ID: 1868215902-0
                                  • Opcode ID: 7ba5cd570891efb53228e4bf3d0900047365961462dfb03d2bd4d98b04d42da5
                                  • Instruction ID: aaeea4cedeb2f7ef5dcabf26fd08b7ff7e725e472b04d6493de2c59488bc3f46
                                  • Opcode Fuzzy Hash: 7ba5cd570891efb53228e4bf3d0900047365961462dfb03d2bd4d98b04d42da5
                                  • Instruction Fuzzy Hash: B2018C32004A44EBCB219B68DD48BDABBEAFB45B14F11456AF29B92661DB712800CB60

                                  APIs
                                    • Part of subcall function 00BDF35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BDF376
                                    • Part of subcall function 00BDF35B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00BDDF18,Crypt32.dll,?,00BDDF9C,?,00BDDF7E,?,?,?,?), ref: 00BDF398
                                  • OleInitialize.OLE32(00000000), ref: 00BE904E
                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00BE9085
                                  • SHGetMalloc.SHELL32(00C120E8), ref: 00BE908F
                                  Similarity
                                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                  • String ID: riched20.dll
                                  • API String ID: 3498096277-3360196438
                                  • Opcode ID: 3409eacbd83b67f3db70b4111751f9339729c5d124ef23276cfadfe7ec91b6cf
                                  • Instruction ID: a836e2dac90fcdadb6925fa5dea5f3f400388a562a1f70bedae1594408034ff4
                                  • Opcode Fuzzy Hash: 3409eacbd83b67f3db70b4111751f9339729c5d124ef23276cfadfe7ec91b6cf
                                  • Instruction Fuzzy Hash: 90F0FFB5D00209ABC710AF9ADC49AEEFFFCEF84711F00416AE815E2250D7B85645CFA1

Control-flow graph (rendering omitted): function starting at bebe09, basic blocks bebe09-bebe65, calls SetEnvironmentVariableW twice
                                  APIs
                                  • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00BEBE1F
                                  • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BEBE5B
                                  Similarity
                                  • API ID: EnvironmentVariable
                                  • String ID: sfxcmd$sfxpar
                                  • API String ID: 1431749950-3493335439
                                  • Opcode ID: 37792b329d02968575a9005d7a0352fd8e4ce71e6b1f800adc3cda413cdbcff5
                                  • Instruction ID: f25ed7d20ee8c0b1ad6a50f7bdbb4cab2ac76d25e51213f741b6582771c3fff1
                                  • Opcode Fuzzy Hash: 37792b329d02968575a9005d7a0352fd8e4ce71e6b1f800adc3cda413cdbcff5
                                  • Instruction Fuzzy Hash: 8CF0A772401265AAD7252BD29C09FFBBBD8DF04B42F0500A6FD4856252EB648840C6A1
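The per-function "APIs" and "Strings" listings in this section (the Crypt32.dll load followed by GetProcAddress for CryptProtectMemory and CryptUnprotectMemory, the sfxcmd/sfxpar environment variables, the "CryptProtectMemory failed" string xrefs) share one fixed bullet-line format, which makes them easy to triage mechanically across a long report. The Python below is an added example, not code from the Joe Sandbox report or its tooling: it parses those bullet lines into call records and pulls out the export names resolved at run time, the DLLs named in LoadLibrary* arguments and the environment variables set. The sample text is assembled from lines copied out of the entries in this section (the middle entry regroups lines from two functions), and every class and function name here (ApiCall, FunctionEntry, parse_report, runtime_resolved_apis, loaded_libraries, env_vars_set) is this example's own.

```python
"""Parse Joe Sandbox per-function "APIs"/"Strings" listings into records and
pull out triage facts (runtime-resolved imports, loaded DLLs, env vars).

Added example, not Joe Sandbox code. SAMPLE is assembled from lines in this
section; all class and function names here are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "• Name.MODULE(args), ref: 00ADDR", optionally prefixed with
# "Part of subcall function 00ADDR:" when the call lives in a callee.
# Both "(args)" and the comma before "ref:" are optional (e.g. __EH_prolog).
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# "• some text, xrefs: 00ADDR" under a "Strings" heading.
_STRING_RE = re.compile(r"^\s*•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-F]{8})\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str                      # address of the call site
    callee: Optional[str] = None  # set when reported via "Part of subcall function"


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)


def parse_report(text: str) -> List[FunctionEntry]:
    """Start a new entry at each "APIs" heading; read call lines until
    "Strings" or "Memory Dump Source", string xrefs until "Memory Dump Source"."""
    entries: List[FunctionEntry] = []
    section = None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            entries.append(FunctionEntry())
            section = "apis"
        elif head == "Strings":
            section = "strings"
        elif head == "Memory Dump Source":
            section = None
        elif entries and section == "apis":
            m = _CALL_RE.match(line)
            if m:
                args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
                entries[-1].calls.append(
                    ApiCall(m["api"], m["module"], args, m["ref"], m["callee"]))
        elif entries and section == "strings":
            m = _STRING_RE.match(line)
            if m:
                entries[-1].strings.append((m["text"], m["ref"]))
    return entries


def runtime_resolved_apis(entry: FunctionEntry) -> List[str]:
    """Export names passed as the 2nd argument of GetProcAddress by the function
    itself (subcall lines are excluded so the result stays per function)."""
    return [c.args[1] for c in entry.calls
            if c.api == "GetProcAddress" and c.callee is None and len(c.args) >= 2]


def loaded_libraries(entry: FunctionEntry) -> List[str]:
    """DLL names visible among LoadLibrary* arguments, subcalls included."""
    return sorted({a for c in entry.calls if c.api.startswith("LoadLibrary")
                   for a in c.args if a.lower().endswith(".dll")})


def env_vars_set(entry: FunctionEntry) -> List[str]:
    """Variable names (1st argument) handed to SetEnvironmentVariable*."""
    return [c.args[0] for c in entry.calls
            if c.api.startswith("SetEnvironmentVariable") and c.args]


# Constructed sample: lines copied from the function entries in this section
# (the middle entry mixes lines from two different functions on purpose).
SAMPLE = """\
APIs
  • Part of subcall function 00BDF35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BDF376
  • Part of subcall function 00BDF35B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00BDDF18,Crypt32.dll,?,00BDDF9C,?,00BDDF7E,?,?,?,?), ref: 00BDF398
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BDDF24
• GetProcAddress.KERNEL32(00C11E58,CryptUnprotectMemory), ref: 00BDDF34
Strings
Memory Dump Source
• Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
APIs
• __EH_prolog.LIBCMT ref: 00BDCB21
• SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00BEBE1F
• SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00BEBE5B
Memory Dump Source
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,00BDDF7E), ref: 00BDE007
Strings
• CryptProtectMemory failed, xrefs: 00BDDFC7
• CryptUnprotectMemory failed, xrefs: 00BDDFFF
Memory Dump Source
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_report(SAMPLE)):
        print(i, [c.api for c in e.calls], runtime_resolved_apis(e),
              loaded_libraries(e), env_vars_set(e), [s for s, _ in e.strings])
```

Subcall lines are kept but tagged with the callee address, so a per-function question (which exports does this function itself resolve?) and a whole-listing question (which DLLs get loaded anywhere under it?) can both be answered from the same records without double counting.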
                                  APIs
                                  • CreateFileW.KERNEL32(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,00BD777A,?,00000005,?,00000011), ref: 00BD980D
                                  • GetLastError.KERNEL32(?,?,00BD777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BD981A
                                  • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00BD777A,?,00000005,?), ref: 00BD984F
                                  • GetLastError.KERNEL32(?,?,00BD777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BD9857
                                  Similarity
                                  • API ID: CreateErrorFileLast
                                  • String ID:
                                  • API String ID: 1214770103-0
                                  • Opcode ID: 036fe4c3a2c07d2f91ea1480115eda851526204f2f75ead86d65917bea42af51
                                  • Instruction ID: 5fe3574a0924882ec99f2d0baa162656591d1da36219f28b1ec8b1c19fb6c8ad
                                  • Opcode Fuzzy Hash: 036fe4c3a2c07d2f91ea1480115eda851526204f2f75ead86d65917bea42af51
                                  • Instruction Fuzzy Hash: D43134718407556BD3209F24CC45BEAFAE4FB49368F10472AF9A0873D1E3769888DB90
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 00BD9673
                                  • ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 00BD968B
                                  • GetLastError.KERNEL32 ref: 00BD96BD
                                  • GetLastError.KERNEL32 ref: 00BD96DC
                                  Similarity
                                  • API ID: ErrorLast$FileHandleRead
                                  • String ID:
                                  • API String ID: 2244327787-0
                                  • Opcode ID: 7186ddb2cf9f00119e9ddf3115435ba9c09f5842a7e4fb112c8b26d71655555c
                                  • Instruction ID: 7696d067a57f6687ee845199c8501ff213600fb0bbe96f24b43ecf59136b2ae8
                                  • Opcode Fuzzy Hash: 7186ddb2cf9f00119e9ddf3115435ba9c09f5842a7e4fb112c8b26d71655555c
                                  • Instruction Fuzzy Hash: EE113974900214EBDF20AF60C984B6ABBEDEB15325F10C5ABF96A86390E735CD40DF52
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BF2203,00000000,00000000,?,00BF7769,00BF2203,00000000,00000000,00000000,?,00BF7966,00000006,FlsSetValue), ref: 00BF77F4
                                  • GetLastError.KERNEL32(?,00BF7769,00BF2203,00000000,00000000,00000000,?,00BF7966,00000006,FlsSetValue,00C03768,00C03770,00000000,00000364,?,00BF63E0), ref: 00BF7800
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BF7769,00BF2203,00000000,00000000,00000000,?,00BF7966,00000006,FlsSetValue,00C03768,00C03770,00000000), ref: 00BF780E
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: 8d878c3a5521ac0f61af678c21437e7654138e4e6d22e9c4575bd06bf862b5e4
                                  • Instruction ID: 616c452b4ca80a0c72b4524de5ff8811e0c26064283f99ef1b0e288c8eeb6bf7
                                  • Opcode Fuzzy Hash: 8d878c3a5521ac0f61af678c21437e7654138e4e6d22e9c4575bd06bf862b5e4
                                  • Instruction Fuzzy Hash: 9D01AC326952269BC7614A6A9C48F7E77D8EF15BE1F2205A0FB06D7140DF20DC15C7E0
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BE992E
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BE993F
                                  • TranslateMessage.USER32(?), ref: 00BE9949
                                  • DispatchMessageW.USER32(?), ref: 00BE9953
                                  Similarity
                                  • API ID: Message$DispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 4217535847-0
                                  • Opcode ID: 8325ef9b5cd55660924dafdc35f23451ae61ebffba363e2ebcdcd0362b1b363d
                                  • Instruction ID: 0fbda4c46625794d58ef2989062da610024222f09b06354d6188c848c73f0c21
                                  • Opcode Fuzzy Hash: 8325ef9b5cd55660924dafdc35f23451ae61ebffba363e2ebcdcd0362b1b363d
                                  • Instruction Fuzzy Hash: B5E0ED72D0222EA7CB20ABE6AC4CFDF7F6CEE0A2657014055B519D2000D6689505CBF1
                                  APIs
                                    • Part of subcall function 00BDDF05: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BDDF24
                                    • Part of subcall function 00BDDF05: GetProcAddress.KERNEL32(00C11E58,CryptUnprotectMemory), ref: 00BDDF34
                                  • GetCurrentProcessId.KERNEL32(?,?,?,00BDDF7E), ref: 00BDE007
                                  Strings
                                  • CryptProtectMemory failed, xrefs: 00BDDFC7
                                  • CryptUnprotectMemory failed, xrefs: 00BDDFFF
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AddressProc$CurrentProcess
                                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                  • API String ID: 2190909847-396321323
                                  • Opcode ID: 91ba6a7a4f1b7d98e47c7497cb1984a607175e2eb3093092c8474d06af03ed57
                                  • Instruction ID: 5293dd253a88e079c86f304fcea74b5e6ecbaba0db62aea4e5fca49cb023a324
                                  • Opcode Fuzzy Hash: 91ba6a7a4f1b7d98e47c7497cb1984a607175e2eb3093092c8474d06af03ed57
                                  • Instruction Fuzzy Hash: 061138303042016BDB25AB28DC52B6EB7DAEF85754F0840ABF9118B291FBA0EC01C290
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00010000,Function_0000FD4F,?,00000000,00000000), ref: 00BDFBE1
                                  • SetThreadPriority.KERNEL32(?,00000000), ref: 00BDFC28
                                    • Part of subcall function 00BD6D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD6DAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Thread$CreatePriority__vswprintf_c_l
                                  • String ID: CreateThread failed
                                  • API String ID: 2655393344-3849766595
                                  • Opcode ID: 45c71d109cd58449e87077abbe019ac4bc659b384f23858dcab17134e1b57255
                                  • Instruction ID: ec5b98732ccac0e8329fd205297ad710b200292f3650075a66f1d4799580328a
                                  • Opcode Fuzzy Hash: 45c71d109cd58449e87077abbe019ac4bc659b384f23858dcab17134e1b57255
                                  • Instruction Fuzzy Hash: 4401D67534830A6BD2246F68AC86F76B3D9EB41755F24057FFA42962C0EAA16841C770
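The two entries above (the function that resolves CryptProtectMemory / CryptUnprotectMemory through GetProcAddress and carries the "... failed" strings, and the CreateThread / SetThreadPriority stub) show the per-function shape the Joe Sandbox IDA plugin emits: an APIs list with direct calls and "Part of subcall function" calls, a Strings list with xrefs, and a Similarity block with opcode and fuzzy-hash identifiers. Added example, not code from Joe Sandbox or from this report: a small Python parser that turns entries in exactly this layout into records, so a listing can be pivoted on API name, on subcall, on string, or on fuzzy hash across reports. The SAMPLE text is constructed by copying the two entries above; the class and function names (ApiCall, FunctionEntry, parse_report, functions_calling) are my own and not part of the Joe Sandbox tooling.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the two function entries above, in the plugin's layout.
SAMPLE = """\
APIs
  • Part of subcall function 00BDDF05: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00BDDF24
  • Part of subcall function 00BDDF05: GetProcAddress.KERNEL32(00C11E58,CryptUnprotectMemory), ref: 00BDDF34
• GetCurrentProcessId.KERNEL32(?,?,?,00BDDF7E), ref: 00BDE007
Strings
• CryptProtectMemory failed, xrefs: 00BDDFC7
• CryptUnprotectMemory failed, xrefs: 00BDDFFF
Memory Dump Source
• Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Opcode ID: 91ba6a7a4f1b7d98e47c7497cb1984a607175e2eb3093092c8474d06af03ed57
• Instruction Fuzzy Hash: 061138303042016BDB25AB28DC52B6EB7DAEF85754F0840ABF9118B291FBA0EC01C290
APIs
• CreateThread.KERNEL32(00000000,00010000,Function_0000FD4F,?,00000000,00000000), ref: 00BDFBE1
• SetThreadPriority.KERNEL32(?,00000000), ref: 00BDFC28
  • Part of subcall function 00BD6D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD6DAD
Strings
Memory Dump Source
• Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
Similarity
• API ID: Thread$CreatePriority__vswprintf_c_l
• String ID: CreateThread failed
• API String ID: 2655393344-3849766595
• Opcode ID: 45c71d109cd58449e87077abbe019ac4bc659b384f23858dcab17134e1b57255
• Instruction Fuzzy Hash: 4401D67534830A6BD2246F68AC86F76B3D9EB41755F24057FFA42962C0EAA16841C770
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Part of subcall function X: Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]
    ref: str                    # address of the call site
    subcall_of: str | None      # callee address when the call is inside a subcall


@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)   # (text, xref)
    meta: dict[str, str] = field(default_factory=dict)             # Similarity / dump fields

    @property
    def opcode_id(self) -> str:
        return self.meta.get("Opcode ID", "")

    def direct_api_names(self) -> list[str]:
        return [a.name for a in self.apis if a.subcall_of is None]

    def all_api_names(self) -> set[str]:
        return {a.name for a in self.apis}


def parse_report(text: str) -> list[FunctionEntry]:
    """Split the listing at each 'APIs' header and fill one FunctionEntry per function."""
    entries: list[FunctionEntry] = []
    section: str | None = None
    cur: FunctionEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = tuple(m["args"].split(",")) if m["args"] is not None else ()
                cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["sub"]))
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                cur.strings.append((m["text"], m["xref"].upper()))
        else:
            key, sep, value = body.partition(": ")
            if sep:
                cur.meta[key] = value
    return entries


def functions_calling(entries: list[FunctionEntry], api_name: str) -> list[FunctionEntry]:
    """Entries that reach api_name either directly or through a listed subcall."""
    return [e for e in entries if api_name in e.all_api_names()]


def fuzzy_hash_index(entries: list[FunctionEntry]) -> dict[str, str]:
    """Instruction Fuzzy Hash -> Opcode ID, for matching functions across reports."""
    return {e.meta["Instruction Fuzzy Hash"]: e.opcode_id
            for e in entries if "Instruction Fuzzy Hash" in e.meta}


if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(e.opcode_id[:12], e.direct_api_names(), [s for s, _ in e.strings])
```

The parser keeps subcall provenance separate from direct calls, so a pivot such as "every function whose subcalls resolve CryptProtectMemory" does not collapse into the generic GetProcAddress callers; the fuzzy-hash index is what you would join against the same listing from a second sample to see which functions are shared.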
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,?,?,00BDC8A3,00000001,?,?,?,00000000,00BE420A,?,?,?,?,?,00BE3CAF), ref: 00BD9C33
                                  • WriteFile.KERNEL32(?,00000000,?,00BE3EB7,00000000,?,?,00000000,00BE420A,?,?,?,?,?,00BE3CAF,?), ref: 00BD9C73
                                  • WriteFile.KERNEL32(?,00000000,?,00BE3EB7,00000000,?,00000001,?,?,00BDC8A3,00000001,?,?,?,00000000,00BE420A), ref: 00BD9CA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FileWrite$Handle
                                  • String ID:
                                  • API String ID: 4209713984-0
                                  • Opcode ID: 78da0ecc5fa8a28a02e42a4570a32622398a90e345b8af0527246d6cedcb7b6d
                                  • Instruction ID: e8329ee00f9b0b0fdd9c93ea532b19bc4e01d7a9486d936c1f8a5331fd72c444
                                  • Opcode Fuzzy Hash: 78da0ecc5fa8a28a02e42a4570a32622398a90e345b8af0527246d6cedcb7b6d
                                  • Instruction Fuzzy Hash: A9315472158609AFDB209F14DC48BAAFBE9FB51300F18426BF595933C0E774E848CBA1
                                  APIs
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00BD9DE2,?,00000001,00000000,?,?), ref: 00BD9EFD
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00BD9DE2,?,00000001,00000000,?,?), ref: 00BD9F30
                                  • GetLastError.KERNEL32(?,?,?,?,00BD9DE2,?,00000001,00000000,?,?), ref: 00BD9F4D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$ErrorLast
                                  • String ID:
                                  • API String ID: 2485089472-0
                                  • Opcode ID: 9628550a965f47a0bf60df5b47e0d2a2db7c332add644028acd0e6036e0ee1d2
                                  • Instruction ID: eae90cb9b12c324da306b4c1806953b5363681286eb9252e043db015a6a31511
                                  • Opcode Fuzzy Hash: 9628550a965f47a0bf60df5b47e0d2a2db7c332add644028acd0e6036e0ee1d2
                                  • Instruction Fuzzy Hash: 9B01B132104259A6EB21AB644C86FFEB7DCDF06B41F1844D3F845E6281FB64F980D7A1
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: 76b2b7ab3ac8833944eadb160bf26eb0b7f7505ce90f42e08e4cda35ac02afc8
                                  • Instruction ID: ab0f500f547ebe2982dad96649ffed7e26fb3ebe249d31d88ab7ff24196f53b8
                                  • Opcode Fuzzy Hash: 76b2b7ab3ac8833944eadb160bf26eb0b7f7505ce90f42e08e4cda35ac02afc8
                                  • Instruction Fuzzy Hash: 68619F71505F44AADB21DB34CC81AE7FBE8EB14701F4449AFE5AB87242E7326A48CF51
                                  APIs
                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00BF82D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Info
                                  • String ID:
                                  • API String ID: 1807457897-3916222277
                                  • Opcode ID: 244fabd0d1fdc34eb553694629f1a59cc59046eb98ffa58b398659a7f4266eb1
                                  • Instruction ID: 63f7485cf67dd3124e2e102f8dd85809829ae7f18f9803ba96cb9164b5c4bb1e
                                  • Opcode Fuzzy Hash: 244fabd0d1fdc34eb553694629f1a59cc59046eb98ffa58b398659a7f4266eb1
                                  • Instruction Fuzzy Hash: F3411B7050838C9BDF228F288C84BFABBF9EB55704F1404EDE68A87152D635A949DF64
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD1DD7
                                    • Part of subcall function 00BD3A90: __EH_prolog.LIBCMT ref: 00BD3A95
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: 44281cc2feb1ac09648eedb56c3219b527c8a577d0157d248ae2092ceb0bdaa5
                                  • Instruction ID: c6afe2b6655697a643c0a84033a98f6bac574e23b42a44eed5966ab04d05f520
                                  • Opcode Fuzzy Hash: 44281cc2feb1ac09648eedb56c3219b527c8a577d0157d248ae2092ceb0bdaa5
                                  • Instruction Fuzzy Hash: 00216876900209AFCB11EF98C9419EEFBF6FF58300F1005AAE845A3252DB326E51DB60
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: 198ff32032b46a27270afcebd75478c9bedc64ddd37f9f29589fe886b77d616e
                                  • Instruction ID: 9ab83e6bbb18fb22b4959a9a4f2f45dc3b3b373e215b1ba201d0c51505963e6b
                                  • Opcode Fuzzy Hash: 198ff32032b46a27270afcebd75478c9bedc64ddd37f9f29589fe886b77d616e
                                  • Instruction Fuzzy Hash: 0D11D671A00205BFCB04DF69C4A19BEF7EAFF44300F0448ABE84597341EB359852DB50
                                  APIs
                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00BF7A6B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: String
                                  • String ID: LCMapStringEx
                                  • API String ID: 2568140703-3893581201
                                  • Opcode ID: d225d0763d81ad1eb8c72f4851bf43848d4c494e0afcb2f2110cbd8f9247e4a3
                                  • Instruction ID: b762a8351bf388992e1d1ef5b6cd6a578bdf4c44b07d845ae9cb94a2becfdad4
                                  • Opcode Fuzzy Hash: d225d0763d81ad1eb8c72f4851bf43848d4c494e0afcb2f2110cbd8f9247e4a3
                                  • Instruction Fuzzy Hash: AC01487654020DBBCF02AF94DD45EEE7FA6EF08750F124195FE1826160DA72CA31EB80
                                  APIs
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00BF708B), ref: 00BF79E3
                                  Strings
                                  • InitializeCriticalSectionEx, xrefs: 00BF79B3
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CountCriticalInitializeSectionSpin
                                  • String ID: InitializeCriticalSectionEx
                                  • API String ID: 2593887523-3084827643
                                  • Opcode ID: 9144a7cf6fa0e00d245d7280042604fd8ffc3b7aede0a4d9dd42d30f3384a27a
                                  • Instruction ID: c45f7c7bf895746bc3bd68fbb5959589752426383b12249177d51bc36fcff850
                                  • Opcode Fuzzy Hash: 9144a7cf6fa0e00d245d7280042604fd8ffc3b7aede0a4d9dd42d30f3384a27a
                                  • Instruction Fuzzy Hash: DBF0B47568521CBBCF016F55DD05EAEBFA5DB04720F1141A5FD1457160DEB14E10DBD0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Alloc
                                  • String ID: FlsAlloc
                                  • API String ID: 2773662609-671089009
                                  • Opcode ID: 855e7f823cfc057310fc7b8ee353f9cb08842c1bd165744436195b7715c5fdca
                                  • Instruction ID: 1a38c526bf6053c07f512b460d3e2730eeb38dd50aa7a8beb2becb199262b5a4
                                  • Opcode Fuzzy Hash: 855e7f823cfc057310fc7b8ee353f9cb08842c1bd165744436195b7715c5fdca
                                  • Instruction Fuzzy Hash: ECE0E570B85318BBC704BB65AD4AB7EBBD8CB44B60F5200E9FE0567280DEB14E00C6D5
                                  APIs
                                  • try_get_function.LIBVCRUNTIME ref: 00BF1D9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: try_get_function
                                  • String ID: FlsAlloc
                                  • API String ID: 2742660187-671089009
                                  • Opcode ID: 9d8c15ea424a82051de58a305bf3f26402b8b97556e4947b514e89c2f3f4e77a
                                  • Instruction ID: e972c547d9c84d62c3bef6bdc27a03b4e151ca63c56beaeb3b7a8318616d1a9d
                                  • Opcode Fuzzy Hash: 9d8c15ea424a82051de58a305bf3f26402b8b97556e4947b514e89c2f3f4e77a
                                  • Instruction Fuzzy Hash: 3AD01235B8222866D51077959C02AADBAC4CA00BB1F4904B1FF086628197914950E5D1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _memcmp_strlen
                                  • String ID:
                                  • API String ID: 2682527083-0
                                  • Opcode ID: 34014315e53433bc50b9aca7c081bf968f22ce7fbf4c8ab8bd2f833f69c526e1
                                  • Instruction ID: 4a4f6a5d058b69acf667e1a5f09a8f29183fba7282577ab11a1b75cc9b3b14ae
                                  • Opcode Fuzzy Hash: 34014315e53433bc50b9aca7c081bf968f22ce7fbf4c8ab8bd2f833f69c526e1
                                  • Instruction Fuzzy Hash: F951C6B2504348ABD720EF60DC89FDBB3ECEB88304F04096AF989D7156EA75E544C7A1
                                  APIs
                                    • Part of subcall function 00BF81DC: GetOEMCP.KERNEL32(00000000,?,?,00BF8465,?), ref: 00BF8207
                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00BF84AA,?,00000000), ref: 00BF867D
                                  • GetCPInfo.KERNEL32(00000000,00BF84AA,?,?,?,00BF84AA,?,00000000), ref: 00BF8690
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CodeInfoPageValid
                                  • String ID:
                                  • API String ID: 546120528-0
                                  • Opcode ID: a9f5ead2a00322cb1049519bea9e03f1081d695bb2ad86dda8f9f11cfd25a2cd
                                  • Instruction ID: c5ae93c0e14d15add6dfe9e06d9dd34b3f20b9f89578d008205edee17ac571b1
                                  • Opcode Fuzzy Hash: a9f5ead2a00322cb1049519bea9e03f1081d695bb2ad86dda8f9f11cfd25a2cd
                                  • Instruction Fuzzy Hash: A1513470A003099EDB25AF71C8857BBBBE5EF41310F2440AED2868B251EF74DD4ACB91
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD13B4
                                    • Part of subcall function 00BD5F9E: __EH_prolog.LIBCMT ref: 00BD5FA3
                                    • Part of subcall function 00BDC463: __EH_prolog.LIBCMT ref: 00BDC468
                                    • Part of subcall function 00BDC463: new.LIBCMT ref: 00BDC4AB
                                    • Part of subcall function 00BDC463: new.LIBCMT ref: 00BDC4CF
                                  • new.LIBCMT ref: 00BD142C
                                    • Part of subcall function 00BDACB6: __EH_prolog.LIBCMT ref: 00BDACBB
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: bd0ddef05e7d35735cd7469fe0da24301da50f6633848eec413c6a8e256611a0
                                  • Instruction ID: cac3efecf01566badf04e1e3ffbc1b4c5f90dd5b0acd7555cdd0e968e83f83b4
                                  • Opcode Fuzzy Hash: bd0ddef05e7d35735cd7469fe0da24301da50f6633848eec413c6a8e256611a0
                                  • Instruction Fuzzy Hash: E94114B0805B40DED720CF798895AE6FBE5FB28310F5049AEE5EE87382DB726554CB11
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD13B4
                                    • Part of subcall function 00BD5F9E: __EH_prolog.LIBCMT ref: 00BD5FA3
                                    • Part of subcall function 00BDC463: __EH_prolog.LIBCMT ref: 00BDC468
                                    • Part of subcall function 00BDC463: new.LIBCMT ref: 00BDC4AB
                                    • Part of subcall function 00BDC463: new.LIBCMT ref: 00BDC4CF
                                  • new.LIBCMT ref: 00BD142C
                                    • Part of subcall function 00BDACB6: __EH_prolog.LIBCMT ref: 00BDACBB
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: b1ee8fa8b789121efd69932af227f0cb287d9db68901eedeb12f9a56632174fc
                                  • Instruction ID: edcbfc3b9627efd01da26e6e6d0c1dba84093ae6fa32e49555a14d6e81abcd87
                                  • Opcode Fuzzy Hash: b1ee8fa8b789121efd69932af227f0cb287d9db68901eedeb12f9a56632174fc
                                  • Instruction Fuzzy Hash: 944125B0805B40DED720CF798485AE6FBE5FF28300F5049AED5EE83282DB726554CB11
                                  APIs
                                    • Part of subcall function 00BF630E: GetLastError.KERNEL32(?,00C0CBE8,00BF2664,00C0CBE8,?,?,00BF2203,?,?,00C0CBE8), ref: 00BF6312
                                    • Part of subcall function 00BF630E: _free.LIBCMT ref: 00BF6345
                                    • Part of subcall function 00BF630E: SetLastError.KERNEL32(00000000,?,00C0CBE8), ref: 00BF6386
                                    • Part of subcall function 00BF630E: _abort.LIBCMT ref: 00BF638C
                                    • Part of subcall function 00BF8567: _abort.LIBCMT ref: 00BF8599
                                    • Part of subcall function 00BF8567: _free.LIBCMT ref: 00BF85CD
                                    • Part of subcall function 00BF81DC: GetOEMCP.KERNEL32(00000000,?,?,00BF8465,?), ref: 00BF8207
                                  • _free.LIBCMT ref: 00BF84C0
                                  • _free.LIBCMT ref: 00BF84F6
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ErrorLast_abort
                                  • String ID:
                                  • API String ID: 2991157371-0
                                  • Opcode ID: faa6a9a374a1663b2d9349f5664b26625137cd59db67b0260d6c293781ac3d8c
                                  • Instruction ID: 394bdc647a0195bc805f9fd14a246c0e9346376625bf2882f36ab9416d4a8ccc
                                  • Opcode Fuzzy Hash: faa6a9a374a1663b2d9349f5664b26625137cd59db67b0260d6c293781ac3d8c
                                  • Instruction Fuzzy Hash: 6D316D3190420DAFDB24EBA8D441BBD77E5EF41320F2541D9EA049B3A1EF769E48CB50
                                  APIs
                                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00BD9BD7,?,?,00BD7735), ref: 00BD95C9
                                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00BD9BD7,?,?,00BD7735), ref: 00BD95FE
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 40971719a6aa629204e31b65095f8a21968346a14ed628bb2d8955311a7ddbf9
                                  • Instruction ID: 4e92c7d444496c92d2eada7d454bd8ddee66887ed658949bc1d3c8d6015262f6
                                  • Opcode Fuzzy Hash: 40971719a6aa629204e31b65095f8a21968346a14ed628bb2d8955311a7ddbf9
                                  • Instruction Fuzzy Hash: 4F2128B1404348AFE3308F64DC85BA7BBE8EB15768F004A6EF1E5822D1D374AC498B61
                                  APIs
                                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00BD7436,?,?,?), ref: 00BD9A7C
                                  • SetFileTime.KERNEL32(?,?,?,?), ref: 00BD9B2C
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$BuffersFlushTime
                                  • String ID:
                                  • API String ID: 1392018926-0
                                  • Opcode ID: 33e9aa85779a989ce7280fc273ac145d7fecce5f980ccfe31e3a8a26e7762c79
                                  • Instruction ID: 2ade607958f4f0f372ffc3026284be6e12f7652597cc96c5bb2142d669f2401b
                                  • Opcode Fuzzy Hash: 33e9aa85779a989ce7280fc273ac145d7fecce5f980ccfe31e3a8a26e7762c79
                                  • Instruction Fuzzy Hash: 0221B432259386ABC714DF24C491ABAFBD4EB96704F48099EF8D587341E329DD48C751
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00BF7786
                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BF7793
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AddressProc__crt_fast_encode_pointer
                                  • String ID:
                                  • API String ID: 2279764990-0
                                  • Opcode ID: aea7436767c109e9dd4976dd4d950ff4f0a4ec84ab720dc261d9b61483c64a29
                                  • Instruction ID: 1369990f44a8efe192552ae4b721dbcaa5905e4e0e18b8fe743e68a4af4c87fb
                                  • Opcode Fuzzy Hash: aea7436767c109e9dd4976dd4d950ff4f0a4ec84ab720dc261d9b61483c64a29
                                  • Instruction Fuzzy Hash: 9D1127376542289BEB21AE2CDC80A7E73D5EB84720B1642E0EE14AB254DF31DC0587D1
                                  APIs
                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00BD9B71
                                  • GetLastError.KERNEL32 ref: 00BD9B7D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastPointer
                                  • String ID:
                                  • API String ID: 2976181284-0
                                  • Opcode ID: 1965aba8aaecbd0a3f1d79d658d62b8bf598bb2110320fb8f6dddaede7e352c2
                                  • Instruction ID: 7fb7efa8b3447f177599e5cf2805b5dc6b26e7f714aa7a8290e3329b6d4afbdd
                                  • Opcode Fuzzy Hash: 1965aba8aaecbd0a3f1d79d658d62b8bf598bb2110320fb8f6dddaede7e352c2
                                  • Instruction Fuzzy Hash: 7D018C707006046BDB349A69EC84B6AF7D9EB84319F164ABFB152C2780EA75D808C621
                                  APIs
                                  • SetFilePointer.KERNEL32(000000FF,?,?,?), ref: 00BD993B
                                  • GetLastError.KERNEL32 ref: 00BD9948
                                    • Part of subcall function 00BD96FA: __EH_prolog.LIBCMT ref: 00BD96FF
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorFileH_prologLastPointer
                                  • String ID:
                                  • API String ID: 4236474358-0
                                  • Opcode ID: 6646346805b300480cfed5075feb6e5df06503b0d8df04d61fbbdd2dce02f708
                                  • Instruction ID: 6e13258255a1d122cdf26f6372c4e8529f727b61e93e47fe23c4e7ed790061a4
                                  • Opcode Fuzzy Hash: 6646346805b300480cfed5075feb6e5df06503b0d8df04d61fbbdd2dce02f708
                                  • Instruction Fuzzy Hash: 4C01B5322011059B8F188E599CA87AFB7D9FF5132071542AFF929DB394F734EC019760
                                  APIs
                                  • _free.LIBCMT ref: 00BF5AFB
                                    • Part of subcall function 00BF59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF239A,?,0000015D,?,?,?,?,00BF2F19,000000FF,00000000,?,?), ref: 00BF5A1E
                                  • RtlReAllocateHeap.NTDLL(00000000,?,00200000,?,?,00C0CBE8,00BD17D2,?,?,?,?,00000000,?,00BD13A9,?,?), ref: 00BF5B37
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AllocateHeap$_free
                                  • String ID:
                                  • API String ID: 1482568997-0
                                  • Opcode ID: 730e67350465082474aad92be049b8d8131e4e8a9c36e7951af67db93bcfe89a
                                  • Instruction ID: a4581f92c90138d1787439e4a018c0598e2f01321fcc7b2e1335f33c1b6ac0e3
                                  • Opcode Fuzzy Hash: 730e67350465082474aad92be049b8d8131e4e8a9c36e7951af67db93bcfe89a
                                  • Instruction Fuzzy Hash: 94F0C231611D1D6ADB312E25AC41F7B37DCCF82771B114199FB14971A2EA309D098170
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?), ref: 00BDFCA1
                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 00BDFCA8
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Process$AffinityCurrentMask
                                  • String ID:
                                  • API String ID: 1231390398-0
                                  • Opcode ID: ffe5491db238452a780cd04bad008b3de945ae07a243f39f9ed4cb486712c3b7
                                  • Instruction ID: f4ce1d89f9591ef8c4e1070e827e27c6653830bfc879410670958e4fdb0cc67b
                                  • Opcode Fuzzy Hash: ffe5491db238452a780cd04bad008b3de945ae07a243f39f9ed4cb486712c3b7
                                  • Instruction Fuzzy Hash: 11E06D36A6810F678B0886A89C05ABFB2EDDB14205B2945BBAC0BD3304F924DD5146A4
                                  APIs
                                    • Part of subcall function 00BF89A0: GetEnvironmentStringsW.KERNEL32 ref: 00BF89A9
                                    • Part of subcall function 00BF89A0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BF89CC
                                    • Part of subcall function 00BF89A0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BF89F2
                                    • Part of subcall function 00BF89A0: _free.LIBCMT ref: 00BF8A05
                                    • Part of subcall function 00BF89A0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BF8A14
                                  • _free.LIBCMT ref: 00BF4EBA
                                  • _free.LIBCMT ref: 00BF4EC1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                  • String ID:
                                  • API String ID: 400815659-0
                                  • Opcode ID: b5f041d931675e9191987ac63c13767a94993f6966c6c104895b412ce1f9beb2
                                  • Instruction ID: 51e61f4e98a97e0dc7ae0bb59ab1e9d2c9ad81b53d2c8a308781049183adbbb0
                                  • Opcode Fuzzy Hash: b5f041d931675e9191987ac63c13767a94993f6966c6c104895b412ce1f9beb2
                                  • Instruction Fuzzy Hash: 4BE0E532A4681993AB39B2793C02A3B01C5ABC1334B1203D6FB20872D2CF90880E4197
                                  APIs
                                  • SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00BD9F49,?,?,?,00BD9DE2,?,00000001,00000000,?,?), ref: 00BDA127
                                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BD9F49,?,?,?,00BD9DE2,?,00000001,00000000,?,?), ref: 00BDA158
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: f2b86dd36598198b982144bde457932171e6230218e1071ca741fad2f7b16399
                                  • Instruction ID: 13197253b53cc650450fab5e0fce607c7d03dff46b855c1d38abab6f5b11f6bf
                                  • Opcode Fuzzy Hash: f2b86dd36598198b982144bde457932171e6230218e1071ca741fad2f7b16399
                                  • Instruction Fuzzy Hash: 71F03031240109ABDF115F60DC41BEF7BADEF05786F448092B988D6160EB36DA99DB50
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ItemText_swprintf
                                  • String ID:
                                  • API String ID: 3011073432-0
                                  • Opcode ID: b4dac7a81c663ef0b29be537bb394ae7926a50da2493a0f413dc69b845e1b1b1
                                  • Instruction ID: 4f94fe0e7f7e54876dbaca80c8eb80c18f8c0e869dc87c89288701b42e157df4
                                  • Opcode Fuzzy Hash: b4dac7a81c663ef0b29be537bb394ae7926a50da2493a0f413dc69b845e1b1b1
                                  • Instruction Fuzzy Hash: 18F0EC76540388BBEB21A7618C06FEE3B9DEB04741F0444D6F605931E3E7715A31D7A2
                                  APIs
                                  • DeleteFileW.KERNEL32(?,?,?,00BD9661,?,?,00BD94BC), ref: 00BD9E0D
                                  • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00BD9661,?,?,00BD94BC), ref: 00BD9E3B
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: fe197e1d06fb6542903491df385d15a2a2d0fc2dae2653a8e1d1615a4557aa6d
                                  • Instruction ID: 1425b468e846974930bf3d63d779e9109deb043aeef0e39c481b7deed758abe0
                                  • Opcode Fuzzy Hash: fe197e1d06fb6542903491df385d15a2a2d0fc2dae2653a8e1d1615a4557aa6d
                                  • Instruction Fuzzy Hash: 46E09231640249ABDB119F61DC41FEEB7DDEF08781F8440A2BA88C2150EB31DD94DA90
                                  APIs
                                  • GetFileAttributesW.KERNEL32(?,?,?,00BD9E58,?,00BD75A0,?,?,?,?), ref: 00BD9E74
                                  • GetFileAttributesW.KERNEL32(?,?,?,00000800,?,00BD9E58,?,00BD75A0,?,?,?,?), ref: 00BD9EA0
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: a289524e69baae3ebaf337c4d1322f07ce3b91723623d5c2ded19c9d0699bcbb
                                  • Instruction ID: 25fe56ad0867550fe7501329a86ce977ce4f63dc2911fd52ed7c092e422c9536
                                  • Instruction Fuzzy Hash: 1AE09B325001585BCB10AB68DC05BEABB9CDB083E2F0141E1FD58E3290DB719D9987D0
                                  APIs
                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00BDF376
                                  • LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,00BDDF18,Crypt32.dll,?,00BDDF9C,?,00BDDF7E,?,?,?,?), ref: 00BDF398
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystem
                                  • String ID:
                                  • API String ID: 1175261203-0
                                  • Opcode ID: 5c6d9e83486d3bbb40657c885f6570c8da1842e12e57d2fe5212c9f2a99dc6af
                                  • Instruction ID: 5e0b2b57f688280aa3b06961bbebe758025d469f5b3f4a6b7053c91ed09b1684
                                  • Instruction Fuzzy Hash: D3E0127281015CA7DB119BA49C05FEAB7ACEB09391F4540A6B948D2105DB749A90CBB5
                                  APIs
                                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BE8944
                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00BE894B
                                  Similarity
                                  • API ID: BitmapCreateFromGdipStream
                                  • String ID:
                                  • API String ID: 1918208029-0
                                  • Opcode ID: 956e45bb4f2cc644fa353c467dc449006290d45cab8a37d014cc07ab3ae08d2d
                                  • Instruction ID: daf1b107a22c653c1e9bb31c05779cca84f37b292a7c614a977578c5e466db65
                                  • Instruction Fuzzy Hash: ABE06D75800208EFCB20DF9AC9017E9BBE8EB04321F1080AAE84893601D7B16E00EB92
                                  APIs
                                  • GdiplusShutdown.GDIPLUS(?,?,?,00BFF605,000000FF), ref: 00BE90C6
                                  • CoUninitialize.COMBASE(?,?,?,00BFF605,000000FF), ref: 00BE90CB
                                  Similarity
                                  • API ID: GdiplusShutdownUninitialize
                                  • String ID:
                                  • API String ID: 3856339756-0
                                  • Opcode ID: 72e664810d61a7f6b3d598a6be80ac2784cb734aae11a4a023d5bbd337eb68b7
                                  • Instruction ID: 549f85ff49747c7b009a9ca3f4336a45831e46a45a6ba23a36523b7631201267
                                  • Instruction Fuzzy Hash: 2AE01A36548644EFC311DB48DD05B59BBE9FB09B20F1087A9B91A83B60DB396844CA95
                                  APIs
                                    • Part of subcall function 00BF1D87: try_get_function.LIBVCRUNTIME ref: 00BF1D9C
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF0C64
                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00BF0C6F
                                  Similarity
                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                  • String ID:
                                  • API String ID: 806969131-0
                                  • Opcode ID: 11d0914929f0695b6efd23f737fe8b28a967595f4b637bf36efa112ee7028163
                                  • Instruction ID: 3d780aa05d9b91d675ed5caf8d785346982d97fbffc7cd2ec8f68c5a2272413f
                                  • Instruction Fuzzy Hash: A2D022BC2B830EC8AC0476B8B80257E17C0C9127B47701BD6E720CB4F3EE22804EA416
                                  APIs
                                  Similarity
                                  • API ID: ItemShowWindow
                                  • String ID:
                                  • API String ID: 3351165006-0
                                  • Opcode ID: ffd23ba48d05e21f6570202b064970fc40d4b6ab4af7ee2e9ec9b02999ce59cf
                                  • Instruction ID: 01730cd659c11267f72fab1a0053990ee1259b1e681a6e9f6b87bdb8b8ba084a
                                  • Instruction Fuzzy Hash: B4C01232058200BFCB010BB0DC09F2EBFAAABA5212F02C908B4A5C00A0C238C020DB12
                                  APIs
                                  • EnterCriticalSection.KERNEL32(00C11E74,?,?,00BDA5F0,?,?,?,?,00BFF605,000000FF), ref: 00BDFC4B
                                  • LeaveCriticalSection.KERNEL32(00C11E74,?,?,00BDA5F0,?,?,?,?,00BFF605,000000FF), ref: 00BDFC89
                                    • Part of subcall function 00BDFA23: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00BDFA57
                                    • Part of subcall function 00BDFA23: CloseHandle.KERNEL32(00DD4054), ref: 00BDFA71
                                    • Part of subcall function 00BDFA23: DeleteCriticalSection.KERNEL32(00DD41F0), ref: 00BDFA8A
                                    • Part of subcall function 00BDFA23: CloseHandle.KERNEL32(?), ref: 00BDFA96
                                    • Part of subcall function 00BDFA23: CloseHandle.KERNEL32(?), ref: 00BDFAA2
                                  Similarity
                                  • API ID: CloseCriticalHandleSection$DeleteEnterLeaveReleaseSemaphore
                                  • String ID:
                                  • API String ID: 3265325312-0
                                  • Opcode ID: 72a9b6e4da486be408fafe904fe8eeb2364a277f0c534b7f06edaf3cb498295f
                                  • Instruction ID: 3b1ddf8d043fdcc0e07e6b0281a5a19475f04b93c7a622a9b1bc485135efec83
                                  • Instruction Fuzzy Hash: 74F02731108211A7C3254710EC08BBEBAE4EF46B15F0DC07BFD0553280E7348C11C790
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: a005c4ab0a6039ba40ea30dfa96f8a5542a69a476f2df1b85b89d3cf464148de
                                  • Instruction ID: 4f4728a568ea30367c15deebf0c3c31d951453fc4c186fa533ca75c457af5b18
                                  • Instruction Fuzzy Hash: 17B1AF70B04646BEEB28CF7CC484AB9FBE6EF05304F18499BE46597381E7319964CB91
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD81F2
                                    • Part of subcall function 00BD13AF: __EH_prolog.LIBCMT ref: 00BD13B4
                                    • Part of subcall function 00BD13AF: new.LIBCMT ref: 00BD142C
                                    • Part of subcall function 00BD19E2: __EH_prolog.LIBCMT ref: 00BD19E7
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 1a94b79079f62e48afa1e59755dfb3a219c3ac0ddfda7c228f87c7cec7675faa
                                  • Instruction ID: ecd30a867f13caaaee39d4b0e3c848c7e9d1cdd555ac7ebb2ca7678b5e81e8a5
                                  • Instruction Fuzzy Hash: 4041A1719406589ADB24EB64C851BFAF7E9AF50710F0404EBF44AA3282EB745EC8DB54
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: d924bde57b18e6ec8008ffe9c6fe0f141461cc51bd1d246af766073cfd5f0cc4
                                  • Instruction ID: f31174d2886269b134b74e272bd3f5984899a0b7196b99fd29e89313bec82105
                                  • Instruction Fuzzy Hash: FC21B9B1E402555BDB149FBA8C41A6A77ECEF08314F0446BAE605EB681D7749D40C6A4
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BE9489
                                    • Part of subcall function 00BD13AF: __EH_prolog.LIBCMT ref: 00BD13B4
                                    • Part of subcall function 00BD13AF: new.LIBCMT ref: 00BD142C
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: be2f1b444d6a98279e1a8a5b54450d9f379c8ee85c75f8206c66c0c124a577b9
                                  • Instruction ID: 645475c566c7f556c708c01b0435f6608a195b80ee88d5eefa8f891d1d28aec5
                                  • Instruction Fuzzy Hash: 9A213071C05289AACF15DF59D9519EDFBF4EF19300F1004EAE409A7202D735AE09DB60
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 079896a06899519a28fa9f46874dff6eed664e97b12b98ba9eb9928006646325
                                  • Instruction ID: 8f98d33cfa9ca611a0e23293742633324b4657ae10077608fecb2119a628368e
                                  • Instruction Fuzzy Hash: D8117373D0052A6BCB11AE58CC519DEFBB5EF48750F0045A6F805B7311EA358D108794
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF239A,?,0000015D,?,?,?,?,00BF2F19,000000FF,00000000,?,?), ref: 00BF5A1E
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 0f17107ff1a5d9c6d4d05b753ce6548fd2a1c1b3a1f808b3bfa5997fc75143cf
                                  • Instruction ID: 6c261ef5916ab546b014cb6de6bf4aee2376b0137db9c3546817a0bc09e3724d
                                  • Instruction Fuzzy Hash: 61E0E531120E2C5AE73126659C817BA37C8DF053B1F1603E4AF05938A0FB50CD2885A0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD5B0A
                                    • Part of subcall function 00BDACB6: __EH_prolog.LIBCMT ref: 00BDACBB
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 685511e23f0c608c5d8ba13d9e81809ad9bcd40108bbd1dcaff57a6ee799ead5
                                  • Instruction ID: c6abc3ade2ab6e13c54e083ad03c559545943020877c639f5b2d6986afcd2b9a
                                  • Instruction Fuzzy Hash: 1F01623450568ADAC714E7A4C4157EDF7E4DF15300F0080DEA86A73382EBB41B08C7A2
                                  APIs
                                  • FindClose.KERNEL32(00000000,000000FF,?,?), ref: 00BDA1C4
                                  Similarity
                                  • API ID: CloseFind
                                  • String ID:
                                  • API String ID: 1863332320-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD1EC4
                                    • Part of subcall function 00BD1927: __EH_prolog.LIBCMT ref: 00BD192C
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD1EC4
                                    • Part of subcall function 00BD1927: __EH_prolog.LIBCMT ref: 00BD192C
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 00BDF979
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ExecutionStateThread
                                  • String ID:
                                  • API String ID: 2211380416-0
                                  APIs
                                  • GdipAlloc.GDIPLUS(00000010), ref: 00BE8B6A
                                    • Part of subcall function 00BE8923: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00BE8944
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Gdip$AllocBitmapCreateFromStream
                                  • String ID:
                                  • API String ID: 1915507550-0
                                  APIs
                                  • GetFileType.KERNEL32(000000FF,00BD969C), ref: 00BD9776
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  APIs
                                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00BEBF9B
                                    • Part of subcall function 00BE991D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BE992E
                                    • Part of subcall function 00BE991D: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BE993F
                                    • Part of subcall function 00BE991D: TranslateMessage.USER32(?), ref: 00BE9949
                                    • Part of subcall function 00BE991D: DispatchMessageW.USER32(?), ref: 00BE9953
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Message$DispatchItemPeekSendTranslate
                                  • String ID:
                                  • API String ID: 4142818094-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FreeLibrary
                                  • String ID:
                                  • API String ID: 3664257935-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BECD6D
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC798
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC798
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC798
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC737
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC737
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC737
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: b0f563d11589e12e732e6289d085fbf343e66ec60330a8950b8b4f5f7073a783
                                  • Instruction ID: ffeb6a6a283dbee50163844105f5b37abd612a67e95d0c0503f23e24218e6766
                                  • Opcode Fuzzy Hash: b0f563d11589e12e732e6289d085fbf343e66ec60330a8950b8b4f5f7073a783
                                  • Instruction Fuzzy Hash: 27B012D13686416C7108E5062D46C36058CC1C1F20330C0BBF844C01C0DA400C0BD932
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC737
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 8ccf075f4b76d82fcd26f5d9df252c03d05f91403addbb4c762bc63118ef574c
                                  • Instruction ID: 96ab843c83b7efc6230434235296522bdaf5d51367f01e024d13a710c65b7b3f
                                  • Opcode Fuzzy Hash: 8ccf075f4b76d82fcd26f5d9df252c03d05f91403addbb4c762bc63118ef574c
                                  • Instruction Fuzzy Hash: 6AB012D13685416C7108E1066D06C3B058CC1C1F10330C1BBF405C01C0DA400C0BD532
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC798
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 6d92a7ead28164858fd668799fb9b1ec75cc6f0ce83d0caf2c077bd6fe018d9f
                                  • Instruction ID: 50399ce22ce8c867bcbceb3120cefa083aa1e5e756d7ca4ed948ffa134690bfa
                                  • Opcode Fuzzy Hash: 6d92a7ead28164858fd668799fb9b1ec75cc6f0ce83d0caf2c077bd6fe018d9f
                                  • Instruction Fuzzy Hash: 4AA001E62B9586BC7108A2936D4AC3A0A9CC5C9F61331D9AAF852C4185AA801C4B5539
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC798
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 6ebc98923209c2ae19a33793737ecbc94dc1c28b5b4ad216de238ac8938fa806
                                  • Instruction ID: 50399ce22ce8c867bcbceb3120cefa083aa1e5e756d7ca4ed948ffa134690bfa
                                  • Opcode Fuzzy Hash: 6ebc98923209c2ae19a33793737ecbc94dc1c28b5b4ad216de238ac8938fa806
                                  • Instruction Fuzzy Hash: 4AA001E62B9586BC7108A2936D4AC3A0A9CC5C9F61331D9AAF852C4185AA801C4B5539
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC737
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 77c60281f330ba86a0d571ba1a57ca8d86626b2b645563c519869b4058fb6d18
                                  • Instruction ID: 42b36beaf6a1445e52bb022b065a143f62cb1939d80c949b84264256116adb23
                                  • Opcode Fuzzy Hash: 77c60281f330ba86a0d571ba1a57ca8d86626b2b645563c519869b4058fb6d18
                                  • Instruction Fuzzy Hash: 47A001E62A9996BC7108A6526D4AC3A0A9CC5C6FA1730D9AAF846C4185EA801C4B9531
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC737
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: d9ea012a5a300171b8e1dcc12a7e4443eebfcbb0c969760e64da1e1b4bfb5d42
                                  • Instruction ID: 42b36beaf6a1445e52bb022b065a143f62cb1939d80c949b84264256116adb23
                                  • Opcode Fuzzy Hash: d9ea012a5a300171b8e1dcc12a7e4443eebfcbb0c969760e64da1e1b4bfb5d42
                                  • Instruction Fuzzy Hash: 47A001E62A9996BC7108A6526D4AC3A0A9CC5C6FA1730D9AAF846C4185EA801C4B9531
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC737
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: c4e23760464bdfc8ddda6622ee86b8e6ce6292aad38894e260519c483ae1f92e
                                  • Instruction ID: 42b36beaf6a1445e52bb022b065a143f62cb1939d80c949b84264256116adb23
                                  • Opcode Fuzzy Hash: c4e23760464bdfc8ddda6622ee86b8e6ce6292aad38894e260519c483ae1f92e
                                  • Instruction Fuzzy Hash: 47A001E62A9996BC7108A6526D4AC3A0A9CC5C6FA1730D9AAF846C4185EA801C4B9531
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 00BEC737
                                    • Part of subcall function 00BECABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00BECB38
                                    • Part of subcall function 00BECABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00BECB49
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 7da354aa94536cc8348c2144a6eeba225643bbc32a0dbadba78d4e267b8fab5c
                                  • Instruction ID: 42b36beaf6a1445e52bb022b065a143f62cb1939d80c949b84264256116adb23
                                  • Opcode Fuzzy Hash: 7da354aa94536cc8348c2144a6eeba225643bbc32a0dbadba78d4e267b8fab5c
                                  • Instruction Fuzzy Hash: 47A001E62A9996BC7108A6526D4AC3A0A9CC5C6FA1730D9AAF846C4185EA801C4B9531
                                  APIs
                                  • CloseHandle.KERNEL32(000000FF,?,?,00BD94C3), ref: 00BD950E
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 89e6db8fffba4654f5e2add5daf76fd6e8aed950655ea8cd3a13bf241e14374b
                                  • Instruction ID: 8c9b26b604dccea6b64e5fd41db3ae1950acf4fd43cc581346198c3c818b648e
                                  • Opcode Fuzzy Hash: 89e6db8fffba4654f5e2add5daf76fd6e8aed950655ea8cd3a13bf241e14374b
                                  • Instruction Fuzzy Hash: 85F05EB0582B448FDB319A24E559792F7E49B21729F048BAF94E643AE0A361A849CF10
                                  APIs
                                    • Part of subcall function 00BD12E7: GetDlgItem.USER32(00000000,00003021), ref: 00BD132B
                                    • Part of subcall function 00BD12E7: SetWindowTextW.USER32(00000000,00C002E4), ref: 00BD1341
                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00BEA5C7
                                  • EndDialog.USER32(?,00000006), ref: 00BEA5DA
                                  • GetDlgItem.USER32(?,0000006C), ref: 00BEA5F6
                                  • SetFocus.USER32(00000000), ref: 00BEA5FD
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 00BEA63D
                                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00BEA670
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00BEA686
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BEA6A4
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BEA6B4
                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BEA6D1
                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BEA6EF
                                    • Part of subcall function 00BDD192: LoadStringW.USER32(?,?,00000200,?), ref: 00BDD1D7
                                    • Part of subcall function 00BDD192: LoadStringW.USER32(?,?,00000200,?), ref: 00BDD1ED
                                  • _swprintf.LIBCMT ref: 00BEA71F
                                    • Part of subcall function 00BD3F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD3F3E
                                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00BEA732
                                  • FindClose.KERNEL32(00000000), ref: 00BEA735
                                  • _swprintf.LIBCMT ref: 00BEA790
                                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 00BEA7A3
                                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00BEA7B9
                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00BEA7D9
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BEA7E9
                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00BEA803
                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00BEA81B
                                  • _swprintf.LIBCMT ref: 00BEA84C
                                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00BEA85F
                                  • _swprintf.LIBCMT ref: 00BEA8AF
                                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 00BEA8C2
                                    • Part of subcall function 00BE932E: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00BE9354
                                    • Part of subcall function 00BE932E: GetNumberFormatW.KERNEL32(00000400,00000000,?,00C0A154,?,?), ref: 00BE93A3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                  • API String ID: 3227067027-1840816070
                                  • Opcode ID: e3b8d39898868f7bc27ebf24c32b334688fcfc775709b48da24d37d2b53edb3e
                                  • Instruction ID: 65a1e8ba2a4bb82e6c7ddb888beedea77d64d8de4d47ae3a4020e50a2c4f8192
                                  • Opcode Fuzzy Hash: e3b8d39898868f7bc27ebf24c32b334688fcfc775709b48da24d37d2b53edb3e
                                  • Instruction Fuzzy Hash: 17918172548348BBE2219BA1CC89FFFB7ECEB49700F054859B645D21C1E775AA05CB63
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD7075
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00BD71D5
                                  • CloseHandle.KERNEL32(00000000), ref: 00BD71E5
                                    • Part of subcall function 00BD7A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BD7AAC
                                    • Part of subcall function 00BD7A9D: GetLastError.KERNEL32 ref: 00BD7AF2
                                    • Part of subcall function 00BD7A9D: CloseHandle.KERNEL32(?), ref: 00BD7B01
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00BD71F0
                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00BD72FE
                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00BD732A
                                  • CloseHandle.KERNEL32(?), ref: 00BD733C
                                  • GetLastError.KERNEL32(00000015,00000000,?), ref: 00BD734C
                                  • RemoveDirectoryW.KERNEL32(?), ref: 00BD7398
                                  • DeleteFileW.KERNEL32(?), ref: 00BD73C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                  • API String ID: 3935142422-3508440684
                                  • Opcode ID: 1551f64d387497bd0a663bcd6728eae89694b43a5f6ffb4ba5511bf1512d2bdc
                                  • Instruction ID: 234a52ea1dc80aff5847dfbb62f9ed635cb642ef452ada0c75497738cf41c0d6
                                  • Opcode Fuzzy Hash: 1551f64d387497bd0a663bcd6728eae89694b43a5f6ffb4ba5511bf1512d2bdc
                                  • Instruction Fuzzy Hash: 6CB1C171944218ABDB20DF64CC85BEEB7F8EF04704F1445AAF919E7242FB34AA45CB64
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 00BF95C2
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF917A
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF918C
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF919E
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF91B0
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF91C2
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF91D4
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF91E6
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF91F8
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF920A
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF921C
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF922E
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF9240
                                    • Part of subcall function 00BF915D: _free.LIBCMT ref: 00BF9252
                                  • _free.LIBCMT ref: 00BF95B7
                                    • Part of subcall function 00BF59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?), ref: 00BF59C8
                                    • Part of subcall function 00BF59B2: GetLastError.KERNEL32(?,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?,?), ref: 00BF59DA
                                  • _free.LIBCMT ref: 00BF95D9
                                  • _free.LIBCMT ref: 00BF95EE
                                  • _free.LIBCMT ref: 00BF95F9
                                  • _free.LIBCMT ref: 00BF961B
                                  • _free.LIBCMT ref: 00BF962E
                                  • _free.LIBCMT ref: 00BF963C
                                  • _free.LIBCMT ref: 00BF9647
                                  • _free.LIBCMT ref: 00BF967F
                                  • _free.LIBCMT ref: 00BF9686
                                  • _free.LIBCMT ref: 00BF96A3
                                  • _free.LIBCMT ref: 00BF96BB
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  APIs
                                  • GetWindow.USER32(?,00000005), ref: 00BEB8DC
                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 00BEB90B
                                    • Part of subcall function 00BE0B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00BDAC99,?,?,?,00BDAC48,?,-00000002,?,00000000,?), ref: 00BE0B16
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00BEB929
                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00BEB940
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00BEB953
                                    • Part of subcall function 00BE8B21: GetDC.USER32(00000000), ref: 00BE8B2D
                                    • Part of subcall function 00BE8B21: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE8B3C
                                    • Part of subcall function 00BE8B21: ReleaseDC.USER32(00000000,00000000), ref: 00BE8B4A
                                    • Part of subcall function 00BE8ADE: GetDC.USER32(00000000), ref: 00BE8AEA
                                    • Part of subcall function 00BE8ADE: GetDeviceCaps.GDI32(00000000,00000058), ref: 00BE8AF9
                                    • Part of subcall function 00BE8ADE: ReleaseDC.USER32(00000000,00000000), ref: 00BE8B07
                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00BEB97A
                                  • DeleteObject.GDI32(00000000), ref: 00BEB981
                                  • GetWindow.USER32(00000000,00000002), ref: 00BEB98A
                                  Similarity
                                  • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                                  • String ID: STATIC
                                  • API String ID: 1444658586-1882779555
                                  APIs
                                  • _free.LIBCMT ref: 00BF622E
                                    • Part of subcall function 00BF59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?), ref: 00BF59C8
                                    • Part of subcall function 00BF59B2: GetLastError.KERNEL32(?,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?,?), ref: 00BF59DA
                                  • _free.LIBCMT ref: 00BF623A
                                  • _free.LIBCMT ref: 00BF6245
                                  • _free.LIBCMT ref: 00BF6250
                                  • _free.LIBCMT ref: 00BF625B
                                  • _free.LIBCMT ref: 00BF6266
                                  • _free.LIBCMT ref: 00BF6271
                                  • _free.LIBCMT ref: 00BF627C
                                  • _free.LIBCMT ref: 00BF6287
                                  • _free.LIBCMT ref: 00BF6295
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  Similarity
                                  • API ID:
                                  • String ID: ;%u$x%u$xc%u
                                  • API String ID: 0-2277559157
                                  APIs
                                    • Part of subcall function 00BD12E7: GetDlgItem.USER32(00000000,00003021), ref: 00BD132B
                                    • Part of subcall function 00BD12E7: SetWindowTextW.USER32(00000000,00C002E4), ref: 00BD1341
                                  • EndDialog.USER32(?,00000001), ref: 00BE99AE
                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 00BE99DB
                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00BE99F0
                                  • SetWindowTextW.USER32(?,?), ref: 00BE9A01
                                  • GetDlgItem.USER32(?,00000065), ref: 00BE9A0A
                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00BE9A1E
                                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00BE9A30
                                  Similarity
                                  • API ID: MessageSend$Item$TextWindow$Dialog
                                  • String ID: LICENSEDLG
                                  • API String ID: 3214253823-2177901306
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD9282
                                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00BD92A5
                                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00BD92C4
                                    • Part of subcall function 00BE0B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00BDAC99,?,?,?,00BDAC48,?,-00000002,?,00000000,?), ref: 00BE0B16
                                  • _swprintf.LIBCMT ref: 00BD9360
                                    • Part of subcall function 00BD3F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD3F3E
                                  • MoveFileW.KERNEL32(?,?), ref: 00BD93D5
                                  • MoveFileW.KERNEL32(?,?), ref: 00BD9411
                                  Similarity
                                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                  • String ID: rtmp%d
                                  • API String ID: 2111052971-3303766350
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00BE8704,?), ref: 00BE7FB9
                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00BE7FDA
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00BE8001
                                  Similarity
                                  • API ID: Global$AllocByteCharCreateMultiStreamWide
                                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                  • API String ID: 4094277203-4209811716
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00BE7DAE
                                  • GetTickCount.KERNEL32 ref: 00BE7DCC
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BE7DE2
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BE7DF6
                                  • TranslateMessage.USER32(?), ref: 00BE7E01
                                  • DispatchMessageW.USER32(?), ref: 00BE7E0C
                                  • ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00BE7EBC
                                  • SetWindowTextW.USER32(?,00000000), ref: 00BE7EC6
                                  Similarity
                                  • API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
                                  • String ID:
                                  • API String ID: 4150546248-0
                                  APIs
                                  • __aulldiv.LIBCMT ref: 00BDFE21
                                    • Part of subcall function 00BDA930: GetVersionExW.KERNEL32(?), ref: 00BDA955
                                  • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00BDFE4A
                                  • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 00BDFE5C
                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00BDFE69
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BDFE7F
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BDFE8B
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BDFEC1
                                  • __aullrem.LIBCMT ref: 00BDFF4B
                                  Similarity
                                  • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                  • String ID:
                                  • API String ID: 1247370737-0
                                  APIs
                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00BFCCE2,00000000,00000000,00000000,00000000,00000000,00BF2C3E), ref: 00BFC5AF
                                  • __fassign.LIBCMT ref: 00BFC62A
                                  • __fassign.LIBCMT ref: 00BFC645
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00BFC66B
                                  • WriteFile.KERNEL32(?,00000000,00000000,00BFCCE2,00000000,?,?,?,?,?,?,?,?,?,00BFCCE2,00000000), ref: 00BFC68A
                                  • WriteFile.KERNEL32(?,00000000,00000001,00BFCCE2,00000000,?,?,?,?,?,?,?,?,?,00BFCCE2,00000000), ref: 00BFC6C3
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  • API String ID: 1324828854-0
                                  APIs
                                  • GetTempPathW.KERNEL32(00000800,?), ref: 00BEB0EE
                                  • _swprintf.LIBCMT ref: 00BEB122
                                    • Part of subcall function 00BD3F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD3F3E
                                  • SetDlgItemTextW.USER32(?,00000066,00C13122), ref: 00BEB142
                                  • _wcschr.LIBVCRUNTIME ref: 00BEB175
                                  • EndDialog.USER32(?,00000001), ref: 00BEB256
                                  Similarity
                                  • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                  • String ID: %s%s%u
                                  • API String ID: 2892007947-1360425832
                                  APIs
                                  Similarity
                                  • API ID: _strlen$_swprintf_wcschr_wcsrchr
                                  • String ID: %08x
                                  • API String ID: 1593746830-3682738293
                                  APIs
                                  • ShowWindow.USER32(?,00000000), ref: 00BE85B4
                                  • GetWindowRect.USER32(?,?), ref: 00BE85D9
                                  • ShowWindow.USER32(?,00000005,?), ref: 00BE8670
                                  • SetWindowTextW.USER32(?,00000000), ref: 00BE8678
                                  • ShowWindow.USER32(00000000,00000005), ref: 00BE868E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Window$Show$RectText
                                  • String ID: RarHtmlClassName
                                  • API String ID: 3937224194-1658105358
                                  APIs
                                    • Part of subcall function 00BF92C4: _free.LIBCMT ref: 00BF92ED
                                  • _free.LIBCMT ref: 00BF934E
                                    • Part of subcall function 00BF59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?), ref: 00BF59C8
                                    • Part of subcall function 00BF59B2: GetLastError.KERNEL32(?,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?,?), ref: 00BF59DA
                                  • _free.LIBCMT ref: 00BF9359
                                  • _free.LIBCMT ref: 00BF9364
                                  • _free.LIBCMT ref: 00BF93B8
                                  • _free.LIBCMT ref: 00BF93C3
                                  • _free.LIBCMT ref: 00BF93CE
                                  • _free.LIBCMT ref: 00BF93D9
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00BF0BAB,00BEE602), ref: 00BF0BC2
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BF0BD0
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BF0BE9
                                  • SetLastError.KERNEL32(00000000,?,00BF0BAB,00BEE602), ref: 00BF0C3B
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                  • API String ID: 0-1718035505
                                  APIs
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BE009C
                                    • Part of subcall function 00BDA930: GetVersionExW.KERNEL32(?), ref: 00BDA955
                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BE00BE
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BE00D8
                                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00BE00E9
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BE00F9
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BE0105
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Time$File$System$Local$SpecificVersion
                                  • String ID:
                                  • API String ID: 2092733347-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID:
                                  • API String ID: 2931989736-0
                                  APIs
                                  • GetLastError.KERNEL32(?,00C0CBE8,00BF2664,00C0CBE8,?,?,00BF2203,?,?,00C0CBE8), ref: 00BF6312
                                  • _free.LIBCMT ref: 00BF6345
                                  • _free.LIBCMT ref: 00BF636D
                                  • SetLastError.KERNEL32(00000000,?,00C0CBE8), ref: 00BF637A
                                  • SetLastError.KERNEL32(00000000,?,00C0CBE8), ref: 00BF6386
                                  • _abort.LIBCMT ref: 00BF638C
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  APIs
                                    • Part of subcall function 00BD12E7: GetDlgItem.USER32(00000000,00003021), ref: 00BD132B
                                    • Part of subcall function 00BD12E7: SetWindowTextW.USER32(00000000,00C002E4), ref: 00BD1341
                                  • EndDialog.USER32(?,00000001), ref: 00BEB86A
                                  • GetDlgItemTextW.USER32(?,00000066,00000800), ref: 00BEB880
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 00BEB89A
                                  • SetDlgItemTextW.USER32(?,00000066), ref: 00BEB8A5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: RENAMEDLG
                                  • API String ID: 445417207-3299779563
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BF4A30,?,?,00BF49D0,?,00C07F60,0000000C,00BF4B27,?,00000002), ref: 00BF4A9F
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BF4AB2
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00BF4A30,?,?,00BF49D0,?,00C07F60,0000000C,00BF4B27,?,00000002,00000000), ref: 00BF4AD5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 00BF89A9
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BF89CC
                                    • Part of subcall function 00BF59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF239A,?,0000015D,?,?,?,?,00BF2F19,000000FF,00000000,?,?), ref: 00BF5A1E
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BF89F2
                                  • _free.LIBCMT ref: 00BF8A05
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BF8A14
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,00BF5E33,00BF5ACF,?,00BF633C,00000001,00000364,?,00BF2203,?,?,00C0CBE8), ref: 00BF6397
                                  • _free.LIBCMT ref: 00BF63CC
                                  • _free.LIBCMT ref: 00BF63F3
                                  • SetLastError.KERNEL32(00000000,?,00C0CBE8), ref: 00BF6400
                                  • SetLastError.KERNEL32(00000000,?,00C0CBE8), ref: 00BF6409
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  APIs
                                  • _free.LIBCMT ref: 00BF9273
                                    • Part of subcall function 00BF59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?), ref: 00BF59C8
                                    • Part of subcall function 00BF59B2: GetLastError.KERNEL32(?,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?,?), ref: 00BF59DA
                                  • _free.LIBCMT ref: 00BF9285
                                  • _free.LIBCMT ref: 00BF9297
                                  • _free.LIBCMT ref: 00BF92A9
                                  • _free.LIBCMT ref: 00BF92BB
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                  • _free.LIBCMT ref: 00BF5531
                                    • Part of subcall function 00BF59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?), ref: 00BF59C8
                                    • Part of subcall function 00BF59B2: GetLastError.KERNEL32(?,?,00BF92F2,?,00000000,?,00000000,?,00BF9319,?,00000007,?,?,00BF9716,?,?), ref: 00BF59DA
                                  • _free.LIBCMT ref: 00BF5543
                                  • _free.LIBCMT ref: 00BF5556
                                  • _free.LIBCMT ref: 00BF5567
                                  • _free.LIBCMT ref: 00BF5578
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: fae0b4701e71779c1b644144db9c8e5b4acd3237f0a8d2a8af503c5459edc4b1
                                  • Instruction ID: 6026afb620b5d358f5624985ccc5af3ba2179826682d750cb403480aa112de5d
                                  • Opcode Fuzzy Hash: fae0b4701e71779c1b644144db9c8e5b4acd3237f0a8d2a8af503c5459edc4b1
                                  • Instruction Fuzzy Hash: C2F030B08326149BDB35AF58BD0171D3BF1F7147203458286F61453A71DB794D57DB82
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe,00000104), ref: 00BF4BBA
                                  • _free.LIBCMT ref: 00BF4C85
                                  • _free.LIBCMT ref: 00BF4C8F
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Users\user\AppData\Local\Temp\dfbzdfb.sfx.exe
                                  • API String ID: 2506810119-2124623071
                                  • Opcode ID: f881b3942156f91171d6ee99781446206a19592cd849e0599d9a0733adb63350
                                  • Instruction ID: e8e5d12e51330334a0a3ef69f49eca1f28648288906ea106d3b8cadbf3e96436
                                  • Opcode Fuzzy Hash: f881b3942156f91171d6ee99781446206a19592cd849e0599d9a0733adb63350
                                  • Instruction Fuzzy Hash: 8D316271A0525CEFDB21DB999981ABFBBFCEB85710F1040E6FA0497211DB708E49DB90
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD7468
                                    • Part of subcall function 00BD3A90: __EH_prolog.LIBCMT ref: 00BD3A95
                                  • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 00BD752E
                                    • Part of subcall function 00BD7A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00BD7AAC
                                    • Part of subcall function 00BD7A9D: GetLastError.KERNEL32 ref: 00BD7AF2
                                    • Part of subcall function 00BD7A9D: CloseHandle.KERNEL32(?), ref: 00BD7B01
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                  • API String ID: 3813983858-639343689
                                  • Opcode ID: 6fe1a479a61fc9c7fe982fb4a0572e810fcafa9aa31cae8193c03c833f10a611
                                  • Instruction ID: 3ea1d8b379b36dd61f80a329597dcc9d2ed4184ca83a002e35a3e35bf673b58c
                                  • Opcode Fuzzy Hash: 6fe1a479a61fc9c7fe982fb4a0572e810fcafa9aa31cae8193c03c833f10a611
                                  • Instruction Fuzzy Hash: 6C31B371944248ABDF10EF64EC42BEEBBE8EF54314F0140A6F449A7382FB744A44CB62
                                  APIs
                                  • CharUpperW.USER32(?,?,?,?,00001000), ref: 00BEA92B
                                  • CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00BEA952
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CharUpper
                                  • String ID: -
                                  • API String ID: 9403516-2547889144
                                  • Opcode ID: 01b66e73a218d0e2fe65d63f102b1bdc796a31816df18d01c43970a62a3078e8
                                  • Instruction ID: 092e6801cc6fe1e5ff7c060505a83ea26053e5f2be27f312f735a999dea3cf9c
                                  • Opcode Fuzzy Hash: 01b66e73a218d0e2fe65d63f102b1bdc796a31816df18d01c43970a62a3078e8
                                  • Instruction Fuzzy Hash: 1C213E7A0043C5A5D321AB6B8808B7BE6ECE795310F1544ABF595C2543E7B8E8C4E363
                                  APIs
                                    • Part of subcall function 00BD12E7: GetDlgItem.USER32(00000000,00003021), ref: 00BD132B
                                    • Part of subcall function 00BD12E7: SetWindowTextW.USER32(00000000,00C002E4), ref: 00BD1341
                                  • EndDialog.USER32(?,00000001), ref: 00BE91AA
                                  • GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 00BE91BF
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 00BE91D4
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: ASKNEXTVOL
                                  • API String ID: 445417207-3402441367
                                  • Opcode ID: 5cc6a1155b4de90a45842626999d9cb5fb19c9eb91a0f3b949d52242ce345e83
                                  • Instruction ID: 3739f2d4c02cc53e6c4d349f0862da21fad960751458e018efe0817db1a3c331
                                  • Opcode Fuzzy Hash: 5cc6a1155b4de90a45842626999d9cb5fb19c9eb91a0f3b949d52242ce345e83
                                  • Instruction Fuzzy Hash: F5110B32340282BFD615AFA6DD4DF5A7BE9EF46701F014091F600B75A1C3629C4ADB27
                                  APIs
                                    • Part of subcall function 00BD12E7: GetDlgItem.USER32(00000000,00003021), ref: 00BD132B
                                    • Part of subcall function 00BD12E7: SetWindowTextW.USER32(00000000,00C002E4), ref: 00BD1341
                                  • EndDialog.USER32(?,00000001), ref: 00BE9693
                                  • GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 00BE96AB
                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 00BE96D9
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: GETPASSWORD1
                                  • API String ID: 445417207-3292211884
                                  • Opcode ID: c50a4ca4e39cd5dc28b375f270e2f9d069fc84104b1d724ca006f10a1a18ed5f
                                  • Instruction ID: 11170902ada124f734cc1dbf8d601e11947e23e14d451117e77ffeeeb4b15f01
                                  • Opcode Fuzzy Hash: c50a4ca4e39cd5dc28b375f270e2f9d069fc84104b1d724ca006f10a1a18ed5f
                                  • Instruction Fuzzy Hash: 591108326002187BDB21AE759D4AFFB77ACEB09710F010092FA04F71C0C3A59D44DAB5
                                  APIs
                                  • _swprintf.LIBCMT ref: 00BDB177
                                    • Part of subcall function 00BD3F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD3F3E
                                  • _wcschr.LIBVCRUNTIME ref: 00BDB195
                                  • _wcschr.LIBVCRUNTIME ref: 00BDB1A5
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _wcschr$__vswprintf_c_l_swprintf
                                  • String ID: %c:\
                                  • API String ID: 525462905-3142399695
                                  • Opcode ID: 6894a409383bdfb4daa593734646be6833fb08efc296046a70bac6f84412fd54
                                  • Instruction ID: 1e685e555ed20f5b9a5b7a3c132ef7143855fa8f196fed927a62902b78370d9b
                                  • Opcode Fuzzy Hash: 6894a409383bdfb4daa593734646be6833fb08efc296046a70bac6f84412fd54
                                  • Instruction Fuzzy Hash: 0901D267510311F9DA30AB358C82D6BE7ECEE96760751449BFD48E3682FB30D854C2A1
                                  APIs
                                  • InitializeCriticalSection.KERNEL32(000001A0,00000000,00C11E74,?,?,00BDFB9D,00000020,?,00BDA812,?,00BDC79B,?,00000000,?,00000001,?), ref: 00BDF9BB
                                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00BDA812,?,00BDC79B,?,00000000,?,00000001,?,?,?,00BE3AFE), ref: 00BDF9C5
                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00BDA812,?,00BDC79B,?,00000000,?,00000001,?,?,?,00BE3AFE), ref: 00BDF9D5
                                  Strings
                                  • Thread pool initialization failed., xrefs: 00BDF9ED
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                  • String ID: Thread pool initialization failed.
                                  • API String ID: 3340455307-2182114853
                                  • Opcode ID: 8b00ab5be6bde953049fe2e6f540ef195c9b07c2ddc4ee0a990a88bca53276ad
                                  • Instruction ID: 856448d75fb82335699edb680c3791e85e5610be6814954bdb35d4a52c156bc9
                                  • Opcode Fuzzy Hash: 8b00ab5be6bde953049fe2e6f540ef195c9b07c2ddc4ee0a990a88bca53276ad
                                  • Instruction Fuzzy Hash: 931170B1644705AFD3305F659899BABFBECFB95359F21487FE2DE82240EA716840CB10
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                  • API String ID: 0-56093855
                                  • Opcode ID: 6f02a24fbe06368129df4777cebdf1d4d0bb5b78353c5fea07a3ddf2cbadc2a3
                                  • Instruction ID: bf3a35a047cbfc61fe5e9d450426f48d1bcc1ef611ea06201221ecb71a31a738
                                  • Opcode Fuzzy Hash: 6f02a24fbe06368129df4777cebdf1d4d0bb5b78353c5fea07a3ddf2cbadc2a3
                                  • Instruction Fuzzy Hash: 1C01B176619241BFC720DB2AED80F6BBBD8F74A380F0546AAF54192230D3219C15EFA1
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00BDCEA7
                                  • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00BDCEB6
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FindHandleModuleResource
                                  • String ID: LTR$RTL
                                  • API String ID: 3537982541-719208805
                                  • Opcode ID: 7ca59c9501e4090b7f836545fc6ffb5aab15b44bb4d17e4305890ea492a12b0a
                                  • Instruction ID: ba56652242e4e3c87ade407f7d32ddeb7db533a9633d591376d632fb3181c6e8
                                  • Opcode Fuzzy Hash: 7ca59c9501e4090b7f836545fc6ffb5aab15b44bb4d17e4305890ea492a12b0a
                                  • Instruction Fuzzy Hash: EEF08B7160420467E62056745C0AFA73BECE780B00F20029EB606971C0DFA1950CC7B0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID:
                                  • API String ID: 1036877536-0
                                  • Opcode ID: be6c9d0d7c1be526505d416ba69bbcf9729ec644743c8de63497f1cd699fda8f
                                  • Instruction ID: 9f1401d021d3d87c4e29ec75ad89921b4964d8d6856c47daa13c181a5c8e0c7d
                                  • Opcode Fuzzy Hash: be6c9d0d7c1be526505d416ba69bbcf9729ec644743c8de63497f1cd699fda8f
                                  • Instruction Fuzzy Hash: BAA1377290028E9FDB21DF18C8917BEBBE5EF65354F1841EEEE859B241C6388D49C750
                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00BD7F55,?,?,?), ref: 00BDA020
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00BD7F55,?,?), ref: 00BDA064
                                  • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00BD7F55,?,?,?,?,?,?,?,?), ref: 00BDA0E5
                                  • CloseHandle.KERNEL32(?,?,00000000,?,00BD7F55,?,?,?,?,?,?,?,?,?,?,?), ref: 00BDA0EC
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$Create$CloseHandleTime
                                  • String ID:
                                  • API String ID: 2287278272-0
                                  • Opcode ID: 076d031028f1ec2490965767d79b86f89280389d418daac078632626d6ca0d88
                                  • Instruction ID: a8f6ff80a8021362dbea3e8cd5ed9c9e7f7b636ae3cfa0bf6491b8f965448c29
                                  • Opcode Fuzzy Hash: 076d031028f1ec2490965767d79b86f89280389d418daac078632626d6ca0d88
                                  • Instruction Fuzzy Hash: A741A3311483815AD731DF24DC46BAEFBE4AB85700F14095EB5D5D32C1E674AA48D753
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,00BF2784,00000000,00000000,00BF2FB2,?,00BF2FB2,?,00000001,00BF2784,F5E85006,00000001,00BF2FB2,00BF2FB2), ref: 00BF9431
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BF94BA
                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BF94CC
                                  • __freea.LIBCMT ref: 00BF94D5
                                    • Part of subcall function 00BF59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BF239A,?,0000015D,?,?,?,?,00BF2F19,000000FF,00000000,?,?), ref: 00BF5A1E
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                  • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                  • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                  • String ID:
                                  • API String ID: 2652629310-0
                                  • Opcode ID: 4ae7b7ce20bfc26d3d786ac642836aea7f674fab347709ce8d6b1e6f9346ff5a
                                  • Instruction ID: 4840ffbe15ab8484f5c573bec49e3403dab2fe492c48c75fd9188c6551c1a8b2
                                  • Opcode Fuzzy Hash: 4ae7b7ce20bfc26d3d786ac642836aea7f674fab347709ce8d6b1e6f9346ff5a
                                  • Instruction Fuzzy Hash: BC31B932A0020AABDF258F64CC81ABE3BA5EB50710F1501A8FD14D7291E735CD99CBA0
                                  APIs
                                  • LoadBitmapW.USER32(00000065), ref: 00BE9A85
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00BE9AA6
                                  • DeleteObject.GDI32(00000000), ref: 00BE9ACE
                                  • DeleteObject.GDI32(00000000), ref: 00BE9AED
                                    • Part of subcall function 00BE8BCF: FindResourceW.KERNEL32(00000066,PNG,?,?,00BE9AC7,00000066), ref: 00BE8BE0
                                    • Part of subcall function 00BE8BCF: SizeofResource.KERNEL32(00000000,75755780,?,?,00BE9AC7,00000066), ref: 00BE8BF8
                                    • Part of subcall function 00BE8BCF: LoadResource.KERNEL32(00000000,?,?,00BE9AC7,00000066), ref: 00BE8C0B
                                    • Part of subcall function 00BE8BCF: LockResource.KERNEL32(00000000,?,?,00BE9AC7,00000066), ref: 00BE8C16
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                  • String ID:
                                  • API String ID: 142272564-0
                                  • Opcode ID: a269ac9b06ac4f097425e487d5f9a8c0ed90176b58b42e660b02b13ef5c91933
                                  • Instruction ID: 9b3363cfb7c0ccdb1bf49a57537c504cb607102e125685c4b64afc13e67dc1b2
                                  • Opcode Fuzzy Hash: a269ac9b06ac4f097425e487d5f9a8c0ed90176b58b42e660b02b13ef5c91933
                                  • Instruction Fuzzy Hash: 050176326406502BC610737A8C42FBF72EEEF84B21F0A00A0FE08A7291DF628C15D2A1
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00BF0FED
                                    • Part of subcall function 00BF1625: ___AdjustPointer.LIBCMT ref: 00BF166F
                                  • _UnwindNestedFrames.LIBCMT ref: 00BF1004
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00BF1016
                                  • CallCatchBlock.LIBVCRUNTIME ref: 00BF103A
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • String ID:
                                  • API String ID: 2633735394-0
                                  • Opcode ID: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
                                  • Instruction ID: 16c6575b17b61b861cd0693a21a8efdd71600a6c6254e62dbda5c4366d614980
                                  • Opcode Fuzzy Hash: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
                                  • Instruction Fuzzy Hash: B001293200014DFBCF226F59CC01EEA3BBAEF58754F044854FA1866121D776E8A5EBA0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BDFB59
                                  • EnterCriticalSection.KERNEL32(00C11E74,?,?,00BDA812,?,00BDC79B,?,00000000,?,00000001,?,?,?,00BE3AFE,?,00008000), ref: 00BDFB66
                                  • new.LIBCMT ref: 00BDFB82
                                    • Part of subcall function 00BDF982: InitializeCriticalSection.KERNEL32(000001A0,00000000,00C11E74,?,?,00BDFB9D,00000020,?,00BDA812,?,00BDC79B,?,00000000,?,00000001,?), ref: 00BDF9BB
                                    • Part of subcall function 00BDF982: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00BDA812,?,00BDC79B,?,00000000,?,00000001,?,?,?,00BE3AFE), ref: 00BDF9C5
                                    • Part of subcall function 00BDF982: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00BDA812,?,00BDC79B,?,00000000,?,00000001,?,?,?,00BE3AFE), ref: 00BDF9D5
                                  • LeaveCriticalSection.KERNEL32(00C11E74,?,00BDA812,?,00BDC79B,?,00000000,?,00000001,?,?,?,00BE3AFE,?,00008000,?), ref: 00BDFBA3
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Create$EnterEventH_prologInitializeLeaveSemaphore
                                  • String ID:
                                  • API String ID: 3780591329-0
                                  • Opcode ID: 93cd7d95c91cafa0ec2ebe5beb8d4e7ef1b01f766a182b7241333dae31eb5c08
                                  • Instruction ID: 9e5740a45658562c5e270c8dc2da28f09181d431508034522ba6a7038982dc59
                                  • Opcode Fuzzy Hash: 93cd7d95c91cafa0ec2ebe5beb8d4e7ef1b01f766a182b7241333dae31eb5c08
                                  • Instruction Fuzzy Hash: C2F06D35A016169BDB089FA8EC15BFDBBE4FF4A304F0080BAED0AD3350EB7588008B54
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00BF0B06
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00BF0B0B
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00BF0B10
                                    • Part of subcall function 00BF1BDE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00BF1BEF
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00BF0B25
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • String ID:
                                  • API String ID: 1761009282-0
                                  • Opcode ID: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
                                  • Instruction ID: 81f7411b637c5633b010a756595607b22ec616a660f494f2c27abfe83a599447
                                  • Opcode Fuzzy Hash: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
                                  • Instruction Fuzzy Hash: C0C04C1466029DD41C243BB921462FD13C09C627CC7D01DC1EF501B5275A46040F6033
                                  APIs
                                    • Part of subcall function 00BE8BA4: GetDC.USER32(00000000), ref: 00BE8BA8
                                    • Part of subcall function 00BE8BA4: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BE8BB3
                                    • Part of subcall function 00BE8BA4: ReleaseDC.USER32(00000000,00000000), ref: 00BE8BBE
                                  • GetObjectW.GDI32(?,00000018,?), ref: 00BE8D23
                                    • Part of subcall function 00BE8EE9: GetDC.USER32(00000000), ref: 00BE8EF2
                                    • Part of subcall function 00BE8EE9: GetObjectW.GDI32(?,00000018,?), ref: 00BE8F21
                                    • Part of subcall function 00BE8EE9: ReleaseDC.USER32(00000000,?), ref: 00BE8FB5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ObjectRelease$CapsDevice
                                  • String ID: (
                                  • API String ID: 1061551593-3887548279
                                  • Opcode ID: 9f387e836fde609447b5a31121babf0e305f8ea87e47352c90662aba4d734537
                                  • Instruction ID: a8db52381dcc4677cabdf0fcce38314586ac96d45e38cf163cc95a520d17a86e
                                  • Opcode Fuzzy Hash: 9f387e836fde609447b5a31121babf0e305f8ea87e47352c90662aba4d734537
                                  • Instruction Fuzzy Hash: F76114B1208740AFD214DF65C884E6BBBE9FF89704F1049ADF599CB260CB71E905CB62
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _swprintf
                                  • String ID: %ls$%s: %s
                                  • API String ID: 589789837-2259941744
                                  • Opcode ID: 26446982fc88d10c575526e3a19a84ab446aec982fc7ca379e09cd3088809235
                                  • Instruction ID: bcaa16584e3559bdc85b5a70d48d83eeb681b91f437606ae3df723688e96866c
                                  • Opcode Fuzzy Hash: 26446982fc88d10c575526e3a19a84ab446aec982fc7ca379e09cd3088809235
                                  • Instruction Fuzzy Hash: 5051D6311A8381F6E6213A928DCAF3577E5AB05B00F2085C6F7DA784D1C7E1A8D0B61B
                                  APIs
                                  • _free.LIBCMT ref: 00BF7D45
                                    • Part of subcall function 00BF5D1D: IsProcessorFeaturePresent.KERNEL32(00000017,00BF5D0C,0000002C,00C080C8,00BF8D62,00000000,00000000,00BF6391,?,?,00BF5D19,00000000,00000000,00000000,00000000,00000000), ref: 00BF5D1F
                                    • Part of subcall function 00BF5D1D: GetCurrentProcess.KERNEL32(C0000417,00C080C8,0000002C,00BF5A4A,00000016,00BF6391), ref: 00BF5D41
                                    • Part of subcall function 00BF5D1D: TerminateProcess.KERNEL32(00000000), ref: 00BF5D48
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                  • String ID: *?$.
                                  • API String ID: 2667617558-3972193922
                                  • Opcode ID: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
                                  • Instruction ID: d7f8431dcc335713d753baff4b072d4f2119d8060849243053b706584556559f
                                  • Opcode Fuzzy Hash: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
                                  • Instruction Fuzzy Hash: 8951A175E4420DAFDF14CFA8C881ABDBBF5EF48314F2441E9EA54E7300EA719A058B50
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00BD761E
                                  • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00BD7799
                                    • Part of subcall function 00BDA113: SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00BD9F49,?,?,?,00BD9DE2,?,00000001,00000000,?,?), ref: 00BDA127
                                    • Part of subcall function 00BDA113: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00BD9F49,?,?,?,00BD9DE2,?,00000001,00000000,?,?), ref: 00BDA158
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$Attributes$H_prologTime
                                  • String ID: :
                                  • API String ID: 1861295151-336475711
                                  • Opcode ID: a68e333079cab8ba8bc395942199f897437d3838d18a570a0f58b238e278a368
                                  • Instruction ID: 336b5a2b62c0b4a016e762e211015971becaf27917171365405aea462279274b
                                  • Opcode Fuzzy Hash: a68e333079cab8ba8bc395942199f897437d3838d18a570a0f58b238e278a368
                                  • Instruction Fuzzy Hash: AB417F71905658AADB24EB60CC55EEEB7FCEF45340F0044EBB605A2282FB749F85CB61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: UNC$\\?\
                                  • API String ID: 0-253988292
                                  • Opcode ID: 05dbd341e5e586b479fbca728834b0611e3269b9175edd965d1a8aec2828c749
                                  • Instruction ID: 63217aba6cea117884de3c1c9e74ab8afd822d2f112fe735d325c38f9b72c669
                                  • Opcode Fuzzy Hash: 05dbd341e5e586b479fbca728834b0611e3269b9175edd965d1a8aec2828c749
                                  • Instruction Fuzzy Hash: 4141803240025AEACB21EF61CC41EEEF7E9EF01350F5684A7F854A2342F7B09990DE90
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Shell.Explorer$about:blank
                                  • API String ID: 0-874089819
                                  • Opcode ID: 7ae5d8308efd0ee8099b7bd6d9bb73790ec134e4e738b484ff52630437425561
                                  • Instruction ID: aeb321ac49030dd23394c6d69f9b931921334ef49d54b776b6f856bc5f928dbf
                                  • Opcode Fuzzy Hash: 7ae5d8308efd0ee8099b7bd6d9bb73790ec134e4e738b484ff52630437425561
                                  • Instruction Fuzzy Hash: C221A175300B46AFD7049F62C890E2BB7E9FF84710B1486A9F5098B292CF71EC44CBA1
                                  APIs
                                    • Part of subcall function 00BDCF27: GetWindowRect.USER32(?,?), ref: 00BDCF5E
                                    • Part of subcall function 00BDCF27: GetClientRect.USER32(?,?), ref: 00BDCF6A
                                    • Part of subcall function 00BDCF27: GetWindowLongW.USER32(?,000000F0), ref: 00BDD00B
                                    • Part of subcall function 00BDCF27: GetWindowRect.USER32(?,?), ref: 00BDD038
                                    • Part of subcall function 00BDCF27: GetWindowTextW.USER32(?,?,00000400), ref: 00BDD057
                                  • GetDlgItem.USER32(00000000,00003021), ref: 00BD132B
                                  • SetWindowTextW.USER32(00000000,00C002E4), ref: 00BD1341
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Window$Rect$Text$ClientItemLong
                                  • String ID: 0
                                  • API String ID: 660763476-4108050209
                                  • Opcode ID: fea0651c38afcb7a282bc6d29763d872439a2acccc08dc35fb81f4c1c719281c
                                  • Instruction ID: 1d1277f51c166d0929bdff383fd0ec1a61e9de185be4d50909c66e25f07ab594
                                  • Opcode Fuzzy Hash: fea0651c38afcb7a282bc6d29763d872439a2acccc08dc35fb81f4c1c719281c
                                  • Instruction Fuzzy Hash: 80F0AFB1540348BBEF251F648C09BE9BFDAEB04764F084896FD44946E1E774C8A4EB18
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,00BDFCF9,?,?,00BDFD6E,?,?,?,?,?,00BDFD58), ref: 00BDFB1F
                                  • GetLastError.KERNEL32(?,?,00BDFD6E,?,?,?,?,?,00BDFD58), ref: 00BDFB2B
                                    • Part of subcall function 00BD6D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00BD6DAD
                                  Strings
                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00BDFB34
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.1461449379.0000000000BD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00BD0000, based on PE: true
                                   • Associated: 00000004.00000002.1461415010.0000000000BD0000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461499206.0000000000C00000.00000002.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C0E000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461567083.0000000000C2A000.00000004.00000001.01000000.00000009.sdmp
                                   • Associated: 00000004.00000002.1461671956.0000000000C2C000.00000002.00000001.01000000.00000009.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_bd0000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                  • API String ID: 1091760877-2248577382
                                  • Opcode ID: 8f511d2727cce935553634a36bdf226837f387adcf4193f6d52d1bccad734926
                                  • Instruction ID: 24a7de8958ab69fb8ad2ad544738fb3a9799f0b62574fca7499977a6ea9e8449
                                  • Opcode Fuzzy Hash: 8f511d2727cce935553634a36bdf226837f387adcf4193f6d52d1bccad734926
                                  • Instruction Fuzzy Hash: 99D05E7160843177CA012328AC1AFBEBB45AB52775F3607A6F23AA53E1DA200C41C6A1

                                  Execution Graph

                                   Execution Coverage: 10.3%
                                   Dynamic/Decrypted Code Coverage: 0%
                                   Signature Coverage: 0%
                                   Total number of Nodes: 1466
                                   Total number of Limit Nodes: 22
SetDlgItemTextW 23012->23015 23021 69a4ff 23013->23021 23025 69a4f7 SendMessageW 23013->23025 23014 699dfb 23019 699e0e 23014->23019 23020 699e04 GetLastError 23014->23020 23015->22997 23217 69859b 6 API calls 23016->23217 23017 69a3ec 23022 69aa44 91 API calls 23017->23022 23030 699e99 23019->23030 23031 699e26 GetTickCount 23019->23031 23075 699e89 23019->23075 23020->23019 23021->23003 23026 68d192 54 API calls 23021->23026 23022->23028 23024 69a4ce 23220 6812a4 GetDlgItem EnableWindow 23024->23220 23025->23021 23033 69a518 SetDlgItemTextW 23026->23033 23027 69a387 23027->23038 23028->23004 23032 69a487 23028->23032 23045 68d192 54 API calls 23028->23045 23035 699eb1 GetModuleFileNameW 23030->23035 23042 69a06d 23030->23042 23036 683f2b _swprintf 51 API calls 23031->23036 23218 69859b 6 API calls 23032->23218 23033->23003 23034 69a0d2 23132 6812c2 GetDlgItem ShowWindow 23034->23132 23211 68decc 73 API calls 23035->23211 23043 699e43 23036->23043 23038->23017 23046 69aa44 91 API calls 23038->23046 23040 69a0e2 23133 6812c2 GetDlgItem ShowWindow 23040->23133 23042->22950 23050 68d192 54 API calls 23042->23050 23124 689541 23043->23124 23044 69a4a6 23044->23004 23045->23028 23047 69a3c1 23046->23047 23047->23017 23051 69a3ca DialogBoxParamW 23047->23051 23049 699edb 23053 683f2b _swprintf 51 API calls 23049->23053 23054 69a081 23050->23054 23051->22950 23051->23017 23052 69a0ec 23055 68d192 54 API calls 23052->23055 23056 699efd CreateFileMappingW 23053->23056 23057 683f2b _swprintf 51 API calls 23054->23057 23059 69a0f6 SetDlgItemTextW 23055->23059 23060 699f5f GetCommandLineW 23056->23060 23091 699fdc __vswprintf_c_l 23056->23091 23061 69a09f 23057->23061 23134 6812c2 GetDlgItem ShowWindow 23059->23134 23065 699f70 23060->23065 23074 68d192 54 API calls 23061->23074 23062 699e69 23066 699e77 23062->23066 23067 699e70 GetLastError 23062->23067 23063 699fe7 ShellExecuteExW 23089 69a004 23063->23089 23212 6997e3 SHGetMalloc 23065->23212 23070 689487 72 API calls 
23066->23070 23067->23066 23068 69a10a SetDlgItemTextW GetDlgItem 23071 69a13b 23068->23071 23072 69a123 GetWindowLongW SetWindowLongW 23068->23072 23070->23075 23135 69aa44 23071->23135 23072->23071 23073 699f8c 23213 6997e3 SHGetMalloc 23073->23213 23074->22950 23075->23030 23075->23034 23079 699f98 23214 6997e3 SHGetMalloc 23079->23214 23080 69a047 23080->23042 23085 69a05d UnmapViewOfFile CloseHandle 23080->23085 23081 69aa44 91 API calls 23083 69a157 23081->23083 23160 69bc77 23083->23160 23084 699fa4 23215 68e030 73 API calls ___scrt_fastfail 23084->23215 23085->23042 23088 699fbb MapViewOfFile 23088->23091 23089->23080 23092 69a033 Sleep 23089->23092 23091->23063 23092->23080 23092->23089 23097->22950 23097->22976 23100 681349 23099->23100 23102 6812f0 23099->23102 23239 68cf00 GetWindowLongW SetWindowLongW 23100->23239 23103 681356 23102->23103 23221 68cf27 23102->23221 23103->22943 23103->22944 23103->23003 23106 681325 GetDlgItem 23106->23103 23107 681335 23106->23107 23107->23103 23108 68133b SetWindowTextW 23107->23108 23108->23103 23110 69b769 SendMessageW SendMessageW 23109->23110 23111 69b739 23109->23111 23112 69b7a1 23110->23112 23113 69b7c0 SendMessageW SendMessageW SendMessageW 23110->23113 23114 69b744 ShowWindow SendMessageW SendMessageW 23111->23114 23112->23113 23115 69b7eb SendMessageW 23113->23115 23116 69b80a SendMessageW 23113->23116 23114->23110 23115->23116 23116->22988 23120 689d28 23117->23120 23118 689de2 23118->23005 23118->23006 23119 689db9 23119->23118 23121 689ed6 9 API calls 23119->23121 23120->23118 23120->23119 23243 689ed6 23120->23243 23121->23118 23123->23014 23125 68954b 23124->23125 23126 6895b5 CreateFileW 23125->23126 23127 6895a9 23125->23127 23126->23127 23128 689607 23127->23128 23129 68b2c5 2 API calls 23127->23129 23128->23062 23130 6895ee 23129->23130 23130->23128 23131 6895f2 CreateFileW 23130->23131 23131->23128 23132->23040 23133->23052 23134->23068 23136 69aa4e __EH_prolog 23135->23136 23137 69a149 
23136->23137 23138 6996eb ExpandEnvironmentStringsW 23136->23138 23137->23081 23144 69aa85 _wcsrchr 23138->23144 23140 6996eb ExpandEnvironmentStringsW 23140->23144 23141 69ad85 SetWindowTextW 23141->23144 23144->23137 23144->23140 23144->23141 23145 6a20ce 22 API calls 23144->23145 23152 69af4f GetDlgItem SetWindowTextW SendMessageW 23144->23152 23155 69af91 SendMessageW 23144->23155 23157 69ab69 ___scrt_fastfail 23144->23157 23264 690b00 CompareStringW 23144->23264 23265 698b8d GetCurrentDirectoryW 23144->23265 23266 68a1f9 7 API calls 23144->23266 23269 68a182 FindClose 23144->23269 23270 699843 69 API calls new 23144->23270 23145->23144 23148 69ab76 SetFileAttributesW 23149 69ac31 GetFileAttributesW 23148->23149 23148->23157 23151 69ac3f DeleteFileW 23149->23151 23149->23157 23151->23157 23152->23144 23154 683f2b _swprintf 51 API calls 23156 69ac74 GetFileAttributesW 23154->23156 23155->23144 23156->23157 23158 69ac85 MoveFileW 23156->23158 23157->23144 23157->23148 23157->23149 23157->23154 23267 68b150 52 API calls 2 library calls 23157->23267 23268 68a1f9 7 API calls 23157->23268 23158->23157 23159 69ac9d MoveFileExW 23158->23159 23159->23157 23161 69bc81 __EH_prolog 23160->23161 23271 68f1b7 69 API calls 23161->23271 23163 69bcb2 23272 685b87 69 API calls 23163->23272 23165 69bcd0 23273 687b10 73 API calls 2 library calls 23165->23273 23167 69bd14 23274 687c84 23167->23274 23169 69bd23 23283 687ba0 23169->23283 23173 69b8c8 23172->23173 23174 698abf 6 API calls 23173->23174 23175 69b8cd 23174->23175 23176 69b8d5 GetWindow 23175->23176 23179 69a235 23175->23179 23177 69b8f1 23176->23177 23176->23179 23178 69b8fe GetClassNameW 23177->23178 23177->23179 23181 69b987 GetWindow 23177->23181 23182 69b926 GetWindowLongW 23177->23182 23769 690b00 CompareStringW 23178->23769 23179->22951 23179->22952 23181->23177 23181->23179 23182->23181 23183 69b936 SendMessageW 23182->23183 23183->23181 23184 69b94c GetObjectW 23183->23184 23770 698b21 GetDC GetDeviceCaps 
ReleaseDC 23184->23770 23186 69b961 23771 698ade GetDC GetDeviceCaps ReleaseDC 23186->23771 23772 698cf2 8 API calls ___scrt_fastfail 23186->23772 23189 69b971 SendMessageW DeleteObject 23189->23181 23190->22967 23192 698fe8 23191->23192 23193 69900d 23191->23193 23773 690b00 CompareStringW 23192->23773 23197 699484 23193->23197 23195 698ffb 23195->23193 23196 698fff FindWindowExW 23195->23196 23196->23193 23198 69948e __EH_prolog 23197->23198 23199 6813af 75 API calls 23198->23199 23200 6994b0 23199->23200 23774 681f0e 23200->23774 23203 6994d9 23206 681927 126 API calls 23203->23206 23204 6994ca 23205 68165f 79 API calls 23204->23205 23207 6994d5 23205->23207 23208 6994fb __vswprintf_c_l new 23206->23208 23207->22992 23207->22996 23209 68165f 79 API calls 23208->23209 23209->23207 23210->22975 23211->23049 23212->23073 23213->23079 23214->23084 23215->23088 23217->23027 23218->23044 23219->23024 23220->23013 23240 68c8de 23221->23240 23223 68cf4d GetWindowRect GetClientRect 23224 68d042 23223->23224 23225 68cfa7 23223->23225 23226 68d04c GetWindowTextW 23224->23226 23227 68d084 GetSystemMetrics GetWindow 23224->23227 23225->23227 23231 68d008 GetWindowLongW 23225->23231 23228 68c96f 52 API calls 23226->23228 23237 68d0a4 23227->23237 23230 68d078 SetWindowTextW 23228->23230 23229 681312 23229->23103 23229->23106 23230->23227 23233 68d032 GetWindowRect 23231->23233 23232 68d0b0 GetWindowTextW 23232->23237 23233->23224 23234 68c96f 52 API calls 23238 68d0e3 SetWindowTextW 23234->23238 23235 68d16b GetWindow 23235->23229 23235->23237 23236 68d0f6 GetWindowRect 23236->23235 23237->23229 23237->23232 23237->23234 23237->23235 23237->23236 23238->23237 23239->23103 23241 68c96f 52 API calls 23240->23241 23242 68c906 _wcschr 23241->23242 23242->23223 23244 689ee3 23243->23244 23245 689f07 23244->23245 23247 689efa CreateDirectoryW 23244->23247 23246 689e4f 4 API calls 23245->23246 23249 689f0d 23246->23249 23247->23245 23248 689f3a 23247->23248 23253 689f49 23248->23253 
23256 68a113 23248->23256 23250 689f4d GetLastError 23249->23250 23251 68b2c5 2 API calls 23249->23251 23250->23253 23254 689f23 23251->23254 23253->23120 23254->23250 23255 689f27 CreateDirectoryW 23254->23255 23255->23248 23255->23250 23257 69cec0 23256->23257 23258 68a120 SetFileAttributesW 23257->23258 23259 68a163 23258->23259 23260 68a136 23258->23260 23259->23253 23261 68b2c5 2 API calls 23260->23261 23262 68a14a 23261->23262 23262->23259 23263 68a14e SetFileAttributesW 23262->23263 23263->23259 23264->23144 23265->23144 23266->23144 23267->23157 23268->23157 23269->23144 23270->23144 23271->23163 23272->23165 23273->23167 23275 687c8e 23274->23275 23280 687cf8 23275->23280 23309 68a195 23275->23309 23277 687da4 23277->23169 23279 687d62 23279->23277 23315 68135c 67 API calls 23279->23315 23280->23279 23281 68a195 8 API calls 23280->23281 23287 6881ed 23280->23287 23281->23280 23284 687bae 23283->23284 23286 687bb5 23283->23286 23285 690e0f 79 API calls 23284->23285 23285->23286 23288 6881f7 __EH_prolog 23287->23288 23316 6813af 23288->23316 23290 688212 23324 689bf2 23290->23324 23296 688241 23444 68165f 23296->23444 23297 6882dc 23343 688385 23297->23343 23300 68833c 23347 681ebf 23300->23347 23303 68823d 23303->23296 23303->23297 23307 68a195 8 API calls 23303->23307 23448 68b71b CompareStringW 23303->23448 23305 688347 23305->23296 23351 683a0d 23305->23351 23361 6883eb 23305->23361 23307->23303 23310 68a1aa 23309->23310 23314 68a1ae 23310->23314 23757 68a2c3 23310->23757 23312 68a1be 23313 68a1c3 FindClose 23312->23313 23312->23314 23313->23314 23314->23275 23315->23277 23317 6813b4 __EH_prolog 23316->23317 23450 68c463 23317->23450 23319 6813eb 23323 681444 ___scrt_fastfail 23319->23323 23456 69cdac 23319->23456 23322 68acb6 75 API calls 23322->23323 23323->23290 23325 689bfd 23324->23325 23326 688228 23325->23326 23465 686e22 67 API calls 23325->23465 23326->23296 23328 6819e2 23326->23328 23329 6819ec __EH_prolog 23328->23329 23330 681a2e 
23329->23330 23342 681a15 23329->23342 23466 68138d 23329->23466 23332 681b57 23330->23332 23333 681b47 23330->23333 23330->23342 23335 683a0d 90 API calls 23332->23335 23332->23342 23469 68135c 67 API calls 23333->23469 23336 681b9e 23335->23336 23337 681be8 23336->23337 23339 683a0d 90 API calls 23336->23339 23341 681c1b 23337->23341 23337->23342 23470 68135c 67 API calls 23337->23470 23339->23336 23340 683a0d 90 API calls 23340->23341 23341->23340 23341->23342 23342->23303 23344 688392 23343->23344 23488 68ffa6 GetSystemTime SystemTimeToFileTime 23344->23488 23346 6882f6 23346->23300 23449 6906b6 65 API calls 23346->23449 23348 681ec4 __EH_prolog 23347->23348 23349 681ef8 23348->23349 23490 681927 23348->23490 23349->23305 23352 683a19 23351->23352 23353 683a1d 23351->23353 23352->23305 23354 683a4a 23353->23354 23355 683a3c 23353->23355 23698 682759 90 API calls 3 library calls 23354->23698 23357 683a7c 23355->23357 23697 6831f0 78 API calls 3 library calls 23355->23697 23357->23305 23359 683a48 23359->23357 23699 681fbf 67 API calls 23359->23699 23362 6883f5 __EH_prolog 23361->23362 23363 68842e 23362->23363 23392 688432 23362->23392 23723 6977e6 93 API calls 23362->23723 23364 688457 23363->23364 23369 6884e0 23363->23369 23363->23392 23365 688479 23364->23365 23364->23392 23724 687a2f 150 API calls 23364->23724 23365->23392 23725 6977e6 93 API calls 23365->23725 23369->23392 23700 685d68 23369->23700 23371 68856b 23371->23392 23708 6880da 23371->23708 23374 6886cf 23375 68a195 8 API calls 23374->23375 23378 688734 23374->23378 23375->23378 23377 68c5cd 73 API calls 23381 68878f _memcmp 23377->23381 23712 687c11 23378->23712 23379 6888b9 23380 68898c 23379->23380 23386 688908 23379->23386 23385 6889e7 23380->23385 23396 688997 23380->23396 23381->23377 23381->23379 23382 6888b2 23381->23382 23381->23392 23726 6880a6 75 API calls 23381->23726 23727 68135c 67 API calls 23381->23727 23728 68135c 67 API calls 23382->23728 23395 688979 23385->23395 23731 687f88 89 
API calls 23385->23731 23389 689e4f 4 API calls 23386->23389 23386->23395 23387 6889e5 23390 689487 72 API calls 23387->23390 23388 689487 72 API calls 23388->23392 23393 688940 23389->23393 23390->23392 23392->23305 23393->23395 23729 6891b1 89 API calls 23393->23729 23394 688a52 23398 68976a GetFileType 23394->23398 23407 688abd 23394->23407 23440 689005 23394->23440 23395->23387 23395->23394 23396->23387 23730 687dc4 93 API calls pre_c_initialization 23396->23730 23397 68a6f9 8 API calls 23400 688b0c 23397->23400 23402 688a95 23398->23402 23403 68a6f9 8 API calls 23400->23403 23402->23407 23732 686f5f 67 API calls 23402->23732 23421 688b22 23403->23421 23405 688aab 23733 686f23 68 API calls 23405->23733 23407->23397 23408 688be5 23409 688c40 23408->23409 23410 688d46 23408->23410 23411 688cb2 23409->23411 23412 688c50 23409->23412 23414 688d58 23410->23414 23415 688d6c 23410->23415 23432 688c70 23410->23432 23413 6880da CharUpperW 23411->23413 23417 688c96 23412->23417 23425 688c5e 23412->23425 23418 688ccd 23413->23418 23419 689120 119 API calls 23414->23419 23416 691fa8 68 API calls 23415->23416 23420 688d85 23416->23420 23417->23432 23736 6877d4 101 API calls 23417->23736 23427 688cfd 23418->23427 23428 688cf6 23418->23428 23418->23432 23419->23432 23423 691c3f 119 API calls 23420->23423 23421->23408 23734 6898b9 SetFilePointer GetLastError SetEndOfFile 23421->23734 23423->23432 23735 686f5f 67 API calls 23425->23735 23738 68905e 85 API calls __EH_prolog 23427->23738 23737 687586 77 API calls pre_c_initialization 23428->23737 23431 688e94 23434 688f2b 23431->23434 23431->23440 23740 689bba SetEndOfFile 23431->23740 23432->23431 23739 686f5f 67 API calls 23432->23739 23718 689a62 23434->23718 23437 688f85 23438 6894f3 68 API calls 23437->23438 23439 688f90 23438->23439 23439->23440 23441 68a113 4 API calls 23439->23441 23440->23388 23442 688fef 23441->23442 23442->23440 23741 686f5f 67 API calls 23442->23741 23445 681671 23444->23445 23756 68c506 79 API calls 
23445->23756 23448->23303 23449->23300 23451 68c46d __EH_prolog 23450->23451 23452 69cdac new 8 API calls 23451->23452 23453 68c4b0 23452->23453 23454 69cdac new 8 API calls 23453->23454 23455 68c4d4 23454->23455 23455->23319 23457 69cdb1 new 23456->23457 23458 681431 23457->23458 23462 6a4689 7 API calls 2 library calls 23457->23462 23463 69d7dc RaiseException CallUnexpected new 23457->23463 23464 69d7bf RaiseException Concurrency::cancel_current_task CallUnexpected 23457->23464 23458->23322 23458->23323 23462->23457 23465->23326 23471 681736 23466->23471 23468 6813a9 23468->23330 23469->23342 23470->23341 23472 68174c 23471->23472 23483 6817a4 __vswprintf_c_l 23471->23483 23473 681775 23472->23473 23484 686d8f 67 API calls __vswprintf_c_l 23472->23484 23474 6817cb 23473->23474 23480 681791 new 23473->23480 23476 6a20ce 22 API calls 23474->23476 23478 6817d2 23476->23478 23477 68176b 23485 686dc7 68 API calls 23477->23485 23478->23483 23487 686dc7 68 API calls 23478->23487 23480->23483 23486 686dc7 68 API calls 23480->23486 23483->23468 23484->23477 23485->23473 23486->23483 23487->23483 23489 68ffd6 __vswprintf_c_l 23488->23489 23489->23346 23492 68192c __EH_prolog 23490->23492 23491 681940 23491->23349 23492->23491 23493 681965 23492->23493 23495 681995 23492->23495 23494 683a0d 90 API calls 23493->23494 23494->23491 23499 683e39 23495->23499 23503 683e42 23499->23503 23500 683a0d 90 API calls 23500->23503 23501 6819b1 23501->23491 23504 681dd2 23501->23504 23503->23500 23503->23501 23516 68f944 23503->23516 23505 681ddc __EH_prolog 23504->23505 23524 683a90 23505->23524 23507 681e05 23508 681736 69 API calls 23507->23508 23510 681e8c 23507->23510 23509 681e1c 23508->23509 23554 6818ad 69 API calls 23509->23554 23510->23491 23512 681e34 23514 681e40 23512->23514 23555 6906d7 MultiByteToWideChar 23512->23555 23556 6818ad 69 API calls 23514->23556 23517 68f94b 23516->23517 23518 68f966 23517->23518 23522 686d8a RaiseException CallUnexpected 23517->23522 23520 
68f977 SetThreadExecutionState 23518->23520 23523 686d8a RaiseException CallUnexpected 23518->23523 23520->23503 23522->23518 23523->23520 23525 683a9a __EH_prolog 23524->23525 23526 683acc 23525->23526 23527 683ab0 23525->23527 23528 683d0c 23526->23528 23532 683af8 23526->23532 23593 68135c 67 API calls 23527->23593 23612 68135c 67 API calls 23528->23612 23531 683abb 23531->23507 23532->23531 23557 690bce 23532->23557 23534 683b30 23561 691fa8 23534->23561 23536 683b79 23537 683c04 23536->23537 23553 683b70 23536->23553 23596 68c5cd 23536->23596 23574 68a6f9 23537->23574 23538 683b75 23538->23536 23595 681fa5 69 API calls 23538->23595 23540 683b47 23540->23536 23540->23538 23541 683b65 23540->23541 23594 68135c 67 API calls 23541->23594 23546 683c17 23547 683c88 23546->23547 23548 683c92 23546->23548 23578 689120 23547->23578 23602 691c3f 23548->23602 23551 683c90 23551->23553 23611 686f5f 67 API calls 23551->23611 23589 690e0f 23553->23589 23554->23512 23555->23514 23556->23510 23558 690bd8 __EH_prolog 23557->23558 23613 68fb54 23558->23613 23560 690cd8 23560->23534 23562 691fb7 23561->23562 23564 691fc1 23561->23564 23624 686dc7 68 API calls 23562->23624 23565 692001 23564->23565 23566 692006 new 23564->23566 23573 69205f ___scrt_fastfail 23564->23573 23626 6a006c RaiseException 23565->23626 23567 692116 23566->23567 23569 69203b 23566->23569 23566->23573 23627 6a006c RaiseException 23567->23627 23625 691ec9 68 API calls 3 library calls 23569->23625 23571 692139 23573->23540 23573->23573 23575 68a706 23574->23575 23577 68a710 23574->23577 23576 69cdac new 8 API calls 23575->23576 23576->23577 23577->23546 23579 68912a __EH_prolog 23578->23579 23628 687c6b 23579->23628 23582 68138d 69 API calls 23583 68913c 23582->23583 23631 68c6a8 23583->23631 23585 689196 23585->23551 23587 68c6a8 114 API calls 23588 68914e 23587->23588 23588->23585 23588->23587 23640 68c860 90 API calls __vswprintf_c_l 23588->23640 23590 690e31 23589->23590 23647 68fc3c 23590->23647 23592 
690e4a 23592->23531 23593->23531 23594->23553 23595->23536 23597 68c5ee 23596->23597 23598 68c600 23596->23598 23661 686182 73 API calls 23597->23661 23662 686182 73 API calls 23598->23662 23601 68c5f8 23601->23537 23603 691c48 23602->23603 23604 691c71 23602->23604 23605 691c67 23603->23605 23607 691c5d 23603->23607 23610 691c65 23603->23610 23604->23610 23677 69421c 119 API calls 2 library calls 23604->23677 23676 694f34 114 API calls 23605->23676 23663 695983 23607->23663 23610->23551 23611->23553 23612->23531 23622 69cdf0 23613->23622 23615 68fb5e EnterCriticalSection 23616 68fb7d 23615->23616 23617 68fba2 LeaveCriticalSection 23615->23617 23618 69cdac new 8 API calls 23616->23618 23617->23560 23619 68fb87 23618->23619 23620 68fb9d 23619->23620 23623 68f982 71 API calls 23619->23623 23620->23617 23622->23615 23623->23620 23624->23564 23625->23573 23626->23567 23627->23571 23629 68a930 GetVersionExW 23628->23629 23630 687c70 23629->23630 23630->23582 23634 68c6bd __vswprintf_c_l 23631->23634 23632 68c807 23633 68c82f 23632->23633 23641 68c647 23632->23641 23636 68f944 2 API calls 23633->23636 23634->23632 23637 68c7fe 23634->23637 23645 68a7e1 84 API calls 23634->23645 23646 6977e6 93 API calls 23634->23646 23636->23637 23637->23588 23640->23588 23642 68c6a1 23641->23642 23643 68c650 23641->23643 23642->23633 23643->23642 23644 69066e PeekMessageW GetMessageW TranslateMessage DispatchMessageW SendDlgItemMessageW 23643->23644 23644->23642 23645->23634 23646->23634 23648 68fc91 23647->23648 23649 68fc43 EnterCriticalSection 23647->23649 23648->23592 23650 68fc88 LeaveCriticalSection 23649->23650 23651 68fc5d 23649->23651 23650->23648 23651->23650 23654 68fa23 23651->23654 23653 68fc7b 23653->23650 23655 68fdb7 72 API calls 23654->23655 23656 68fa45 ReleaseSemaphore 23655->23656 23657 68fa83 DeleteCriticalSection CloseHandle CloseHandle 23656->23657 23658 68fa65 23656->23658 23657->23653 23659 68fb19 70 API calls 23658->23659 23660 68fa6f CloseHandle 23659->23660 
23660->23657 23660->23658 23661->23601 23662->23601 23678 6921e5 23663->23678 23665 68c6a8 114 API calls 23670 695994 ___BuildCatchObject __vswprintf_c_l 23665->23670 23666 695d66 23696 693ef0 91 API calls __vswprintf_c_l 23666->23696 23668 695d76 __vswprintf_c_l 23668->23610 23670->23665 23670->23666 23682 68fab9 23670->23682 23688 692b39 114 API calls 23670->23688 23689 695db8 114 API calls 23670->23689 23690 68fdb7 23670->23690 23694 692592 91 API calls __vswprintf_c_l 23670->23694 23695 6963f1 119 API calls __vswprintf_c_l 23670->23695 23676->23610 23677->23610 23680 6921ef __EH_prolog ___scrt_fastfail new 23678->23680 23679 6922da 23679->23670 23680->23679 23681 686dc7 68 API calls 23680->23681 23681->23680 23683 68faca 23682->23683 23684 68fac5 23682->23684 23685 68fae3 23683->23685 23687 68fdb7 72 API calls 23683->23687 23686 68fbbd 77 API calls 23684->23686 23685->23670 23686->23683 23687->23685 23688->23670 23689->23670 23691 68fdfc 23690->23691 23692 68fdd1 ResetEvent ReleaseSemaphore 23690->23692 23691->23670 23693 68fb19 70 API calls 23692->23693 23693->23691 23694->23670 23695->23670 23696->23668 23697->23359 23698->23359 23699->23357 23701 685d76 23700->23701 23742 685c95 23701->23742 23704 685da9 23705 685dea 23704->23705 23706 685de1 23704->23706 23747 68a9a0 CharUpperW CompareStringW CompareStringW 23704->23747 23705->23706 23748 68f133 CompareStringW 23705->23748 23706->23371 23709 6880f8 23708->23709 23710 688199 CharUpperW 23709->23710 23711 6881ac 23710->23711 23711->23374 23713 687c20 23712->23713 23714 687c60 23713->23714 23754 686f05 67 API calls 23713->23754 23714->23381 23716 687c58 23755 68135c 67 API calls 23716->23755 23719 689a73 23718->23719 23721 689a82 23718->23721 23720 689a79 FlushFileBuffers 23719->23720 23719->23721 23720->23721 23722 689afb SetFileTime 23721->23722 23722->23437 23723->23363 23724->23365 23725->23392 23726->23381 23727->23381 23728->23379 23729->23395 23730->23387 23731->23395 23732->23405 23733->23407 
23734->23408 23735->23432 23736->23432 23737->23432 23738->23432 23739->23431 23740->23434 23741->23440 23749 685b92 23742->23749 23744 685cb6 23744->23704 23746 685b92 3 API calls 23746->23744 23747->23704 23748->23706 23752 685b9c 23749->23752 23750 685c84 23750->23744 23750->23746 23752->23750 23753 68a9a0 CharUpperW CompareStringW CompareStringW 23752->23753 23753->23752 23754->23716 23755->23714 23758 68a2cd 23757->23758 23759 68a2eb FindFirstFileW 23758->23759 23760 68a35d FindNextFileW 23758->23760 23763 68a341 23759->23763 23764 68a304 23759->23764 23761 68a368 GetLastError 23760->23761 23762 68a37c 23760->23762 23761->23762 23762->23763 23763->23312 23765 68b2c5 2 API calls 23764->23765 23766 68a31d 23765->23766 23767 68a321 FindFirstFileW 23766->23767 23768 68a336 GetLastError 23766->23768 23767->23763 23767->23768 23768->23763 23769->23177 23770->23186 23771->23186 23772->23189 23773->23195 23775 689bf2 67 API calls 23774->23775 23776 681f1a 23775->23776 23777 681f1e 23776->23777 23778 6819e2 90 API calls 23776->23778 23777->23203 23777->23204 23779 681f2b 23778->23779 23779->23777 23781 68135c 67 API calls 23779->23781 23781->23777 23907 699645 92 API calls 23937 69d759 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 23809 69cd5b 23810 69cd65 23809->23810 23811 69cabb ___delayLoadHelper2@8 19 API calls 23810->23811 23812 69cd72 23811->23812 23885 69995e 104 API calls 23886 69955e 71 API calls 23938 69e750 51 API calls 2 library calls 23939 6a1f50 RtlUnwind 23888 690d28 26 API calls std::bad_exception::bad_exception 23911 68de2a FreeLibrary 23940 69d72a 28 API calls 2 library calls 22003 68192c 126 API calls __EH_prolog 23844 6af820 DeleteCriticalSection 23889 699122 73 API calls 22006 69c725 19 API calls ___delayLoadHelper2@8 23890 69d533 46 API calls 5 library calls 23891 69a536 93 API calls _swprintf 23892 6a550a 8 API calls ___vcrt_uninitialize 23852 69d002 38 API calls 
___FrameUnwindToState 23941 6ac301 21 API calls __vswprintf_c_l 23915 6a7207 21 API calls 23795 689c18 23796 689c2b 23795->23796 23800 689c24 23795->23800 23797 689c31 GetStdHandle 23796->23797 23805 689c3c 23796->23805 23797->23805 23798 689c91 WriteFile 23798->23805 23799 689c61 WriteFile 23802 689c5c 23799->23802 23799->23805 23802->23799 23802->23805 23803 689d04 23807 686f23 68 API calls 23803->23807 23805->23798 23805->23799 23805->23800 23805->23802 23805->23803 23806 686d16 56 API calls 23805->23806 23806->23805 23807->23800 23854 681019 29 API calls pre_c_initialization 23856 69b81f 72 API calls 23942 6a1b10 5 API calls 2 library calls 23919 6aee16 CloseHandle 23943 681714 79 API calls 23814 6a6417 23822 6a783d 23814->23822 23818 6a6440 23819 6a6433 23819->23818 23830 6a6443 11 API calls 23819->23830 23821 6a642b 23823 6a7726 pre_c_initialization 5 API calls 23822->23823 23824 6a7864 23823->23824 23825 6a787c TlsAlloc 23824->23825 23826 6a786d 23824->23826 23825->23826 23827 69d763 CatchGuardHandler 5 API calls 23826->23827 23828 6a6421 23827->23828 23828->23821 23829 6a6392 20 API calls 2 library calls 23828->23829 23829->23819 23830->23821 23944 69d716 20 API calls 23945 69c3e9 19 API calls ___delayLoadHelper2@8 23858 6a88ec GetCommandLineA GetCommandLineW 23861 6ac0e4 51 API calls 22065 69d5f1 22066 69d5fd ___FrameUnwindToState 22065->22066 22091 69d109 22066->22091 22068 69d604 22070 69d62d 22068->22070 22168 69da15 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 22068->22168 22075 69d66c ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 22070->22075 22102 6a571c 22070->22102 22074 69d64c ___FrameUnwindToState 22081 69d6cc 22075->22081 22169 6a471f 38 API calls 5 library calls 22075->22169 22110 69db30 22081->22110 22086 69d6f8 22088 69d701 22086->22088 22170 6a4b07 28 API calls _abort 22086->22170 22171 69d280 13 API calls 2 library calls 22088->22171 22092 69d112 
Execution graph (node and edge dump not reproduced). The graph enters the SFX stub's main routine at 0069C130 through the CRT startup path (GetStartupInfoW, IsProcessorFeaturePresent, pre_c_initialization, locale and code-page setup) and then follows its calls in order: 0068F3A5 (GetModuleHandleW, GetProcAddress for SetDllDirectoryW / SetDefaultDllDirectories, GetSystemDirectoryW, LoadLibraryW), 00699035 (OleInitialize, GdiplusStartup, SHGetMalloc), 00690710 (GetCPInfo, IsDBCSLeadByte), GetCommandLineW, OpenFileMappingW / MapViewOfFile / UnmapViewOfFile / CloseHandle, 0069BE09 (SetEnvironmentVariableW), GetModuleFileNameW, GetLocalTime, DialogBoxParamW, Sleep, DeleteObject, 0069BE68 (WaitForSingleObject, PeekMessageW) and the exit path through 006A48E1 (GetCurrentProcess, TerminateProcess, ExitProcess). Also reachable from it: the file helpers at 0068978D (CreateFileW, GetLastError), 00689B3B / 00689A30 (SetFilePointer), 00689663 (ReadFile, GetStdHandle, GetFileType) and 00689DFC (DeleteFileW); the resource loader at 00698BCF (FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, CreateStreamOnHGlobal, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap); and the delay-load helper at 0069CABB (LoadLibraryExA, GetProcAddress, RaiseException).

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0068F3A5: GetModuleHandleW.KERNEL32 ref: 0068F3BD
                                    • Part of subcall function 0068F3A5: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0068F3D5
                                    • Part of subcall function 0068F3A5: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0068F3F8
                                    • Part of subcall function 00698B8D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00698B95
                                    • Part of subcall function 00699035: OleInitialize.OLE32(00000000), ref: 0069904E
                                    • Part of subcall function 00699035: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00699085
                                    • Part of subcall function 00699035: SHGetMalloc.SHELL32(006C20E8), ref: 0069908F
                                    • Part of subcall function 00690710: GetCPInfo.KERNEL32(00000000,?), ref: 00690721
                                    • Part of subcall function 00690710: IsDBCSLeadByte.KERNEL32(00000000), ref: 00690735
                                  • GetCommandLineW.KERNEL32 ref: 0069C178
                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0069C19F
                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0069C1B0
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0069C1EA
                                    • Part of subcall function 0069BE09: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0069BE1F
                                    • Part of subcall function 0069BE09: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0069BE5B
                                  • CloseHandle.KERNEL32(00000000), ref: 0069C1F3
                                  • GetModuleFileNameW.KERNEL32(00000000,006D7938,00000800), ref: 0069C20E
                                  • SetEnvironmentVariableW.KERNEL32(sfxname,006D7938), ref: 0069C220
                                  • GetLocalTime.KERNEL32(?), ref: 0069C227
                                  • _swprintf.LIBCMT ref: 0069C266
                                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0069C278
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0069C27B
                                  • LoadIconW.USER32(00000000,00000064), ref: 0069C292
                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4E,00000000), ref: 0069C2E3
                                  • Sleep.KERNEL32(?), ref: 0069C311
                                  • DeleteObject.GDI32 ref: 0069C350
                                  • DeleteObject.GDI32(?), ref: 0069C35C
                                    • Part of subcall function 0069A8D3: CharUpperW.USER32(?,?,?,?,00001000), ref: 0069A92B
                                    • Part of subcall function 0069A8D3: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0069A952
                                  • CloseHandle.KERNEL32 ref: 0069C39B
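The API and string listing above is the fingerprint of a WinRAR self-extracting stub: the shared mapping name winrarsfxmappingfile.tmp, the sfxcmd / sfxpar / sfxname / sfxstime environment variables, the STARTDLG dialog template and the sfxstime format string. The following Python triage check is an added example, not part of this report or of the WinRAR code; it scans a file for those indicators, locates the archive appended after the stub (RAR 4.x and RAR 5 signatures) and decodes an sfxstime value back into its GetLocalTime fields. The sample bytes are constructed, not taken from the analysed sample, and the UTF-16LE storage of the strings is an assumption based on the W API variants, so both encodings are scanned.

```python
import re

# Indicators taken from the API/string listing above (names the stub passes to
# OpenFileMappingW, SetEnvironmentVariableW and DialogBoxParamW).
SFX_STRINGS = (
    "winrarsfxmappingfile.tmp",
    "sfxcmd", "sfxpar", "sfxname", "sfxstime",
    "STARTDLG",
)
# RAR archive signatures (RAR 4.x and RAR 5); an SFX carries the archive
# appended after the stub's PE image.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# sfxstime is built from GetLocalTime with "%4d-%02d-%02d-%02d-%02d-%02d-%03d".
SFXSTIME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{3})$")


def find_indicators(data: bytes) -> dict:
    """Map each known SFX string to (encoding, offset) where it first occurs.

    The stub calls the W (UTF-16) API variants, so UTF-16LE is tried first;
    ASCII is scanned as well in case a build stores the strings narrow
    (assumption, see lead-in).
    """
    found = {}
    for s in SFX_STRINGS:
        for enc in ("utf-16-le", "ascii"):
            off = data.find(s.encode(enc))
            if off != -1:
                found[s] = (enc, off)
                break
    return found


def find_appended_rar(data: bytes):
    """Return (format, offset) of the first RAR signature, or None."""
    for fmt, magic in (("RAR5", RAR5_MAGIC), ("RAR4", RAR4_MAGIC)):
        off = data.find(magic)
        if off != -1:
            return fmt, off
    return None


def parse_sfxstime(value: str):
    """Decode an sfxstime environment value into its GetLocalTime fields."""
    m = SFXSTIME_RE.match(value)
    if m is None:
        return None
    keys = ("year", "month", "day", "hour", "minute", "second", "millisecond")
    return dict(zip(keys, (int(g) for g in m.groups())))


def triage(data: bytes) -> dict:
    """Classify a file as a WinRAR SFX stub from the indicators above.

    The mapping name alone is decisive; otherwise three or more of the
    environment/dialog strings are required so a stray 'sfxname' does not fire.
    """
    strings = find_indicators(data)
    rar = find_appended_rar(data)
    is_sfx = "winrarsfxmappingfile.tmp" in strings or len(strings) >= 3
    return {
        "is_winrar_sfx": is_sfx,
        "strings": strings,
        "rar": rar,
        "payload_offset": rar[1] if rar else None,
    }


def _utf16(s: str) -> bytes:
    """NUL-terminated UTF-16LE string, as the stub's resources would store it."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: a fake stub image carrying the indicator strings followed
# by a fake RAR5 archive. This is NOT the analysed T.T_Copy.12.18.2024.exe.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"".join(_utf16(s) for s in ("sfxcmd", "sfxpar", "sfxname", "sfxstime", "STARTDLG"))
    + b"\x00" * 16
    + _utf16("winrarsfxmappingfile.tmp")
    + b"\x00" * 32
    + RAR5_MAGIC + b"\x00" * 40
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

On a real SFX the payload offset returned by find_appended_rar is where a RAR parser (or a plain `unrar` run on the .exe) picks up the archive, and the archive comment is where the SFX script that drives the dropped ArrowRAT payload lives; the sfxstime value recovered from a running process's environment gives the local time at which the stub started.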
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$*al$*xm$8ym$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                  • API String ID: 985665271-756990092
                                  • Opcode ID: 842404879cecf0d9bc6a99e952b0786c9b1ad0821d26969aac1242ac9fcb9faa
                                  • Instruction ID: a1d58e019321991c0ec2eccf79772cc42842ce51062e749771e559e83e14d86d
                                  • Opcode Fuzzy Hash: 842404879cecf0d9bc6a99e952b0786c9b1ad0821d26969aac1242ac9fcb9faa
                                  • Instruction Fuzzy Hash: 5861F6B1904200AFDB60AFA9EC59E7B3BDFEB49710F04152EF94097692DA748D80C7A5

                                  Control-flow Graph

                                  Control-flow graph of function 0068A2C3-0068A445 (Executed / Not Executed colouring of the rendered graph not reproduced): entry block 68a2c3 calls 69cec0, then either FindFirstFileW at 68a2eb or FindNextFileW at 68a35d; on a failed FindFirstFileW the path through 68b2c5 retries FindFirstFileW at 68a321 and reads GetLastError at 68a336; a failed FindNextFileW reads GetLastError at 68a368; the success path 68a384-68a42d calls 68f160, 68b952 and 6901af three times before returning at 68a432.
                                  APIs
                                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0068A1BE,000000FF,?,?), ref: 0068A2F8
                                  • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0068A1BE,000000FF,?,?), ref: 0068A32E
                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0068A1BE,000000FF,?,?), ref: 0068A336
                                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,0068A1BE,000000FF,?,?), ref: 0068A35E
                                  • GetLastError.KERNEL32(?,?,?,?,0068A1BE,000000FF,?,?), ref: 0068A36A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FileFind$ErrorFirstLast$Next
                                  • String ID:
                                  • API String ID: 869497890-0
                                  • Opcode ID: 2b3a06e34ee0740dda795780617c87ffdf244634445bd1497e564e9f0373f510
                                  • Instruction ID: 88119ec3d38c9fbade31d488a520b2b55aa6338c1341cbe02b6f7509f743ce36
                                  • Opcode Fuzzy Hash: 2b3a06e34ee0740dda795780617c87ffdf244634445bd1497e564e9f0373f510
                                  • Instruction Fuzzy Hash: 0C418172604245AFD720EFA8C880ADBF7E9BF49350F040B2EF9D9D3240D734A9548B92
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,006A49D0,?,006B7F60,0000000C,006A4B27,?,00000002,00000000), ref: 006A4A1B
                                  • TerminateProcess.KERNEL32(00000000,?,006A49D0,?,006B7F60,0000000C,006A4B27,?,00000002,00000000), ref: 006A4A22
                                  • ExitProcess.KERNEL32 ref: 006A4A34
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 14dadace8aa739b5d6a19148734c9f6019d782da87721ba740e5fee3e1eb978e
                                  • Instruction ID: 113a2940a71f2c7c231870924d8b98e4aa5c2eba8ce3e46290a198c272a58a9e
                                  • Opcode Fuzzy Hash: 14dadace8aa739b5d6a19148734c9f6019d782da87721ba740e5fee3e1eb978e
                                  • Instruction Fuzzy Hash: E6E04671044108AFCF51BF64DD08A893F6BEB82342F001158F9088A232CF75DD82DF44
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 006883F0
                                  • _memcmp.LIBVCRUNTIME ref: 00688858
                                    • Part of subcall function 006880DA: CharUpperW.USER32(?,?,00000000,?,?,?,?,?,?,?,00000800,?,006886CF,?,-00000930,?), ref: 0068819D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CharH_prologUpper_memcmp
                                  • String ID:
                                  • API String ID: 4047935103-0
                                  • Opcode ID: 6e9770829ed11b05fb6d4c914d693ea427bfe7b9307ae049adae440d277730aa
                                  • Instruction ID: faee15ca5b4b4b89bedbc4757f501291e279063a223c3be183bbea766439849f
                                  • Opcode Fuzzy Hash: 6e9770829ed11b05fb6d4c914d693ea427bfe7b9307ae049adae440d277730aa
                                  • Instruction Fuzzy Hash: 41723B70904185AEDF25FF64C885BF977ABAF15300F4C42BAE9499B283DB319E85C760
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00699B53
                                    • Part of subcall function 006812E7: GetDlgItem.USER32(00000000,00003021), ref: 0068132B
                                    • Part of subcall function 006812E7: SetWindowTextW.USER32(00000000,006B02E4), ref: 00681341
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prologItemTextWindow
                                  • String ID: !l$"%s"%s$*Al$*al$*xm$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                  • API String ID: 810644672-430362536
                                  • Opcode ID: cc772221d68a1355d712e30d7ce7f58460e9e64fa74ab8d376439319654c7283
                                  • Instruction ID: 527eaac67ff55f32c7381ad651f6d9cb564affaca9779c52d40e8bad6dca53bd
                                  • Opcode Fuzzy Hash: cc772221d68a1355d712e30d7ce7f58460e9e64fa74ab8d376439319654c7283
                                  • Instruction Fuzzy Hash: 094215B0A40345BFEF21ABA49C5AFFA3BAFAB05700F041119FA41A65D1CB744D85CB76

                                  Control-flow Graph
                                  APIs
                                  • GetModuleHandleW.KERNEL32 ref: 0068F3BD
                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0068F3D5
                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0068F3F8
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0068F6A3
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0068F6BB
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0068F6CD
                                  • ReadFile.KERNEL32(00000000,?,00007FFE,006B0858,00000000), ref: 0068F6EC
                                  • CloseHandle.KERNEL32(00000000), ref: 0068F744
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0068F75A
                                  • CompareStringW.KERNEL32(00000400,00001001,006B08A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0068F7B4
                                  • GetFileAttributesW.KERNELBASE(?,?,006B0870,00000800,?,00000000,?,00000800), ref: 0068F7DD
                                  • GetFileAttributesW.KERNEL32(?,?,0k,00000800), ref: 0068F816
                                    • Part of subcall function 0068F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0068F376
                                    • Part of subcall function 0068F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0068DF18,Crypt32.dll,?,0068DF9C,?,0068DF7E,?,?,?,?), ref: 0068F398
                                  • _swprintf.LIBCMT ref: 0068F886
                                  • _swprintf.LIBCMT ref: 0068F8D2
                                    • Part of subcall function 00683F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00683F3E
                                  • AllocConsole.KERNEL32 ref: 0068F8DA
                                  • GetCurrentProcessId.KERNEL32 ref: 0068F8E4
                                  • AttachConsole.KERNEL32(00000000), ref: 0068F8EB
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0068F911
                                  • WriteConsoleW.KERNEL32(00000000), ref: 0068F918
                                  • Sleep.KERNEL32(00002710), ref: 0068F923
                                  • FreeConsole.KERNEL32 ref: 0068F929
                                  • ExitProcess.KERNEL32 ref: 0068F931
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                  • String ID: k$$k$,k$0k$@k$Dk$Dk$DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$\k$\k$`k$dwmapi.dll$kernel32$tk$uxtheme.dll$xk$xk$k$k
                                  • API String ID: 1201351596-4133220441
                                  • Opcode ID: 5190d57d4a386c5be1dc025409f97979871faf51a94772f8943e4b0d1bd6517f
                                  • Instruction ID: d35326bef2b6f63d3451b4d19a548b689960030059080b8930111588aaab9463
                                  • Opcode Fuzzy Hash: 5190d57d4a386c5be1dc025409f97979871faf51a94772f8943e4b0d1bd6517f
                                  • Instruction Fuzzy Hash: 40D163F1048384AAF770EF50D849BDFBFEAEF84744F501A2DE18896281C7B09589CB56

                                  Control-flow Graph
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0069AA49
                                    • Part of subcall function 006996EB: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 006997B3
                                  • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0069A35C,?,00000000), ref: 0069AB7E
                                  • GetFileAttributesW.KERNEL32(?), ref: 0069AC38
                                  • DeleteFileW.KERNEL32(?), ref: 0069AC46
                                  • SetWindowTextW.USER32(?,?), ref: 0069AD8F
                                  • _wcsrchr.LIBVCRUNTIME ref: 0069AF19
                                  • GetDlgItem.USER32(?,00000066), ref: 0069AF54
                                  • SetWindowTextW.USER32(00000000,?), ref: 0069AF64
                                  • SendMessageW.USER32(00000000,00000143,00000000,006C412A), ref: 0069AF78
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0069AFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
                                  • String ID: %s.%d.tmp$*Al$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                  • API String ID: 3676479488-1871660262
                                  • Opcode ID: 0a2e5062c37437d1a5212f36ad98460e9039cfaed41c2ab597190cf2b2f6b96f
                                  • Instruction ID: 12bd951565e54eaaea3b98bc042ee7a5cf05921622b39196ee3d13fd5097bf9a
                                  • Opcode Fuzzy Hash: 0a2e5062c37437d1a5212f36ad98460e9039cfaed41c2ab597190cf2b2f6b96f
                                  • Instruction Fuzzy Hash: FEE180B2900119AAEF20ABA4DD45DEE73BEAF05350F0041AAF945E7541EF709F84CFA5

                                  Control-flow Graph
                                  APIs
                                    • Part of subcall function 0068C8DE: _wcschr.LIBVCRUNTIME ref: 0068C90D
                                  • GetWindowRect.USER32(?,?), ref: 0068CF5E
                                  • GetClientRect.USER32(?,?), ref: 0068CF6A
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0068D00B
                                  • GetWindowRect.USER32(?,?), ref: 0068D038
                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0068D057
                                  • SetWindowTextW.USER32(?,?), ref: 0068D07E
                                  • GetSystemMetrics.USER32(00000008), ref: 0068D086
                                  • GetWindow.USER32(?,00000005), ref: 0068D091
                                  • GetWindowTextW.USER32(00000000,?,00000400), ref: 0068D0BC
                                  • SetWindowTextW.USER32(00000000,00000000), ref: 0068D0E9
                                  • GetWindowRect.USER32(00000000,?), ref: 0068D0FC
                                  • GetWindow.USER32(00000000,00000002), ref: 0068D16E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Window$RectText$ClientLongMetricsSystem_wcschr
                                  • String ID: d
                                  • API String ID: 4134264131-2564639436
                                  • Opcode ID: 71a520183a7445a6d191661d99ed4825ecc55705b291c580fc999aa80674e2ff
                                  • Instruction ID: cdd7a88f0a85d8453ce5fedc061c997adc02959f53f727bd521d617942a27cc7
                                  • Opcode Fuzzy Hash: 71a520183a7445a6d191661d99ed4825ecc55705b291c580fc999aa80674e2ff
                                  • Instruction Fuzzy Hash: 22617FB1208340AFD714DFA8CD88E6BBBEAFFC9714F04561DF69492290C674E9458B62

                                  Control-flow Graph

                                  APIs
                                  • GetDlgItem.USER32(00000068,006D8958), ref: 0069B71C
                                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00699324), ref: 0069B747
                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0069B756
                                  • SendMessageW.USER32(00000000,000000C2,00000000,006B02E4), ref: 0069B760
                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0069B776
                                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0069B78C
                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0069B7CC
                                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0069B7D6
                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0069B7E5
                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0069B808
                                  • SendMessageW.USER32(00000000,000000C2,00000000,006B1368), ref: 0069B813
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: MessageSend$ItemShowWindow
                                  • String ID: \
                                  • API String ID: 1207805008-2967466578
                                  • Opcode ID: e646e81852bd5980d01296cbe1780433003695ad1286743a693a175da05ad7eb
                                  • Instruction ID: bf0e31415cda6fc72eed8fc1f18cf5922d52823568d95bfab420ea359d510e5f
                                  • Opcode Fuzzy Hash: e646e81852bd5980d01296cbe1780433003695ad1286743a693a175da05ad7eb
                                  • Instruction Fuzzy Hash: 9D215AB12857057FE310EB249C41FAF7EDDEF82714F000609FA90961D0D7A549088BBB

                                  Control-flow Graph
                                  APIs
                                  • FindResourceW.KERNEL32(00000066,PNG,?,?,00699AC7,00000066), ref: 00698BE0
                                  • SizeofResource.KERNEL32(00000000,75755780,?,?,00699AC7,00000066), ref: 00698BF8
                                  • LoadResource.KERNEL32(00000000,?,?,00699AC7,00000066), ref: 00698C0B
                                  • LockResource.KERNEL32(00000000,?,?,00699AC7,00000066), ref: 00698C16
                                  • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,00699AC7,00000066), ref: 00698C34
                                  • GlobalLock.KERNEL32(00000000), ref: 00698C41
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00698C61
                                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00698C9C
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00698CB1
                                  • GlobalFree.KERNEL32(00000000), ref: 00698CB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                                  • String ID: PNG
                                  • API String ID: 3656887471-364855578
                                  • Opcode ID: 52a37a75f2870220289cafb7eb90398fe505f97d16705d7988275c2d6a090d73
                                  • Instruction ID: eb162c8e39eaffd51d265c0ec6450f26b410597d217de3fd390e2ca2a6b02029
                                  • Opcode Fuzzy Hash: 52a37a75f2870220289cafb7eb90398fe505f97d16705d7988275c2d6a090d73
                                  • Instruction Fuzzy Hash: AA2193B1502301AFDB259F65DD4996BBFAEEF86760B00562CF845D3660DF31DC40CAA0

                                  Control-flow Graph
                                  APIs
                                  • ShellExecuteExW.SHELL32(000001C0), ref: 0069BAD7
                                  • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0069BB1C
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 0069BB54
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0069BB7A
                                  • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0069BC09
                                    • Part of subcall function 00690B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0068AC99,?,?,?,0068AC48,?,-00000002,?,00000000,?), ref: 00690B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                  • String ID: $*Ql$.exe$.inf
                                  • API String ID: 3686203788-2161803830
                                  • Opcode ID: 83e6c24a6cd201b908acece0f31b041fe86b4e474b9d89bee83b06197ebbaa2b
                                  • Instruction ID: f1998430685de6418cba96e698db22d7fd5ae35da391df93e0eb00e2336c161a
                                  • Opcode Fuzzy Hash: 83e6c24a6cd201b908acece0f31b041fe86b4e474b9d89bee83b06197ebbaa2b
                                  • Instruction Fuzzy Hash: 9351C1704093809ADF31AF14EA54AFBBBEFEF85704F04281DE4C197A98DBA19984C756

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0068CB21
                                  • _wcschr.LIBVCRUNTIME ref: 0068CB3F
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0068CB03,?), ref: 0068CB5A
                                    • Part of subcall function 006906D7: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0068B2AB,00000000,?,?,?,?), ref: 006906F3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr
                                  • String ID: *messages***$*messages***$R$a
                                  • API String ID: 803915177-2900423073
                                  • Opcode ID: f5f04c94ca2ea888b1ae5b93a653981c63216552935b0ab26e103160c1c268c2
                                  • Instruction ID: 7907920f42334ce01cf084dfef052fda20e8556d8975d9fd181343c33d3d9bfc
                                  • Opcode Fuzzy Hash: f5f04c94ca2ea888b1ae5b93a653981c63216552935b0ab26e103160c1c268c2
                                  • Instruction Fuzzy Hash: 709145B2A002059ADB30FF68CC45BEE7BA6EF45320F10466DE649A7391DA709D85CB64

                                  Control-flow Graph

                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006A2FB2,006A2FB2,?,?,?,006A75F0,00000001,00000001,F5E85006), ref: 006A73F9
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006A75F0,00000001,00000001,F5E85006,?,?,?), ref: 006A747F
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006A7579
                                  • __freea.LIBCMT ref: 006A7586
                                    • Part of subcall function 006A59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,006A239A,?,0000015D,?,?,?,?,006A2F19,000000FF,00000000,?,?), ref: 006A5A1E
                                  • __freea.LIBCMT ref: 006A758F
                                  • __freea.LIBCMT ref: 006A75B4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                  • String ID:
                                  • API String ID: 1414292761-0
                                  • Opcode ID: 1f314084dd93c42c2c0e1540553c2f946a5223badf14fb8153af08f0c5be6663
                                  • Instruction ID: 94fa743aa64806671f6384aa509bb6e4da592ab2a35cff656d42092290081104
                                  • Opcode Fuzzy Hash: 1f314084dd93c42c2c0e1540553c2f946a5223badf14fb8153af08f0c5be6663
                                  • Instruction Fuzzy Hash: ED51F172A14216ABEB25AF64CC41EEF7BABEB46710F154629FC04D7240EB34DC40DEA4

                                  Control-flow Graph

                                  APIs
                                  • GetClassNameW.USER32(?,?,00000050), ref: 00698FDE
                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 00699015
                                    • Part of subcall function 00690B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0068AC99,?,?,?,0068AC48,?,-00000002,?,00000000,?), ref: 00690B16
                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00699005
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                  • String ID: @UJu$EDIT
                                  • API String ID: 4243998846-1013725496
                                  • Opcode ID: 5fc52a7822ef475e0c284afc5dee0e7d3b4bd7da167bc281c0799f5f7d4e0285
                                  • Instruction ID: 10346415f5e49eda12200a93a6fcff1d11ff7b5f474e05007c8630e30271dd30
                                  • Opcode Fuzzy Hash: 5fc52a7822ef475e0c284afc5dee0e7d3b4bd7da167bc281c0799f5f7d4e0285
                                  • Instruction Fuzzy Hash: A2F02772A0032C3BEB305A689C09FDB77AD9F4AB10F44016DFE00F2684E7609941C6F6

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0068FDB7: ResetEvent.KERNEL32(?,01393368,0068FA45,006C1E74,01393368,?,-00000001,006AF605,000000FF,?,0068FC7B,?,?,0068A5F0,?), ref: 0068FDD7
                                    • Part of subcall function 0068FDB7: ReleaseSemaphore.KERNEL32(?,?,00000000,?,-00000001,006AF605,000000FF,?,0068FC7B,?,?,0068A5F0,?), ref: 0068FDEB
                                  • ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0068FA57
                                  • CloseHandle.KERNELBASE(0139336C,0139336C), ref: 0068FA71
                                  • DeleteCriticalSection.KERNEL32(01393508), ref: 0068FA8A
                                  • CloseHandle.KERNELBASE(?), ref: 0068FA96
                                  • CloseHandle.KERNEL32(?), ref: 0068FAA2
                                    • Part of subcall function 0068FB19: WaitForSingleObject.KERNEL32(?,000000FF,0068FCF9,?,?,0068FD6E,?,?,?,?,?,0068FD58), ref: 0068FB1F
                                    • Part of subcall function 0068FB19: GetLastError.KERNEL32(?,?,0068FD6E,?,?,?,?,?,0068FD58), ref: 0068FB2B
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                  • String ID:
                                  • API String ID: 1868215902-0
                                  • Opcode ID: df7156cfb738a72c4a8f9a87c95ea9a2456d8f3c66171fb48e1852412d2d83bf
                                  • Instruction ID: ff9bb388795a7068e0de27ec20006bd85603bad92db19c9ba5e1a15dcc55ae65
                                  • Opcode Fuzzy Hash: df7156cfb738a72c4a8f9a87c95ea9a2456d8f3c66171fb48e1852412d2d83bf
                                  • Instruction Fuzzy Hash: 41019E72040B44EFD721AB68DD48FC6BBEBFB45710F004629F29A92560CB716840CB61

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0068F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0068F376
                                    • Part of subcall function 0068F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0068DF18,Crypt32.dll,?,0068DF9C,?,0068DF7E,?,?,?,?), ref: 0068F398
                                  • OleInitialize.OLE32(00000000), ref: 0069904E
                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00699085
                                  • SHGetMalloc.SHELL32(006C20E8), ref: 0069908F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                  • String ID: riched20.dll
                                  • API String ID: 3498096277-3360196438
                                  • Opcode ID: 0d5f74fc7ad8efc541d73ca9e13a8f578975fecdbc0f9128165a96b3bac7f40e
                                  • Instruction ID: 8a35ce5c5ddfb32cccfb48581f46ec06b0fdb45677bdb96509f0b1d9e2912720
                                  • Opcode Fuzzy Hash: 0d5f74fc7ad8efc541d73ca9e13a8f578975fecdbc0f9128165a96b3bac7f40e
                                  • Instruction Fuzzy Hash: C1F04FB1D00109ABCB50AF99D8499EEFFFDEF84310F00415AE814E2200D7B41645CBE1

                                  Control-flow Graph

                                  APIs
                                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,00000000,?,?,0068777A,?,00000005,?,00000011), ref: 0068980D
                                  • GetLastError.KERNEL32(?,?,0068777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0068981A
                                  • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,0068777A,?,00000005,?), ref: 0068984F
                                  • GetLastError.KERNEL32(?,?,0068777A,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00689857
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CreateErrorFileLast
                                  • String ID:
                                  • API String ID: 1214770103-0
                                  • Opcode ID: d624e10c9bb675c425b656e2161943e7ea2ed2070c7dbb3f412ec83c62f0dbf8
                                  • Instruction ID: e6b8d6d607c3d150c490b326d9b197d65b5334beedfced7d16133740c5ee9fff
                                  • Opcode Fuzzy Hash: d624e10c9bb675c425b656e2161943e7ea2ed2070c7dbb3f412ec83c62f0dbf8
                                  • Instruction Fuzzy Hash: AB3137B19407556FE720AF248C45BE7BBA6FB45324F144B29F990873D1D3759888C7A0

                                  Control-flow Graph

                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 00689673
                                  • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 0068968B
                                  • GetLastError.KERNEL32 ref: 006896BD
                                  • GetLastError.KERNEL32 ref: 006896DC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLast$FileHandleRead
                                  • String ID:
                                  • API String ID: 2244327787-0
                                  • Opcode ID: e2a785f796f885c70660342bc19facacb65b875e8c5d5f6ea0bbf010fb855907
                                  • Instruction ID: d9698380635b06201489036e85c3f15ff3969af9d0351cf7438f2776e78a3e26
                                  • Opcode Fuzzy Hash: e2a785f796f885c70660342bc19facacb65b875e8c5d5f6ea0bbf010fb855907
                                  • Instruction Fuzzy Hash: 69115A70500214AFEF207F60DC54ABA7BABEB15325F18872AF92685290E7758DC0CF71
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006A2203,00000000,00000000,?,006A7769,006A2203,00000000,00000000,00000000,?,006A7966,00000006,FlsSetValue), ref: 006A77F4
                                  • GetLastError.KERNEL32(?,006A7769,006A2203,00000000,00000000,00000000,?,006A7966,00000006,FlsSetValue,006B3768,006B3770,00000000,00000364,?,006A63E0), ref: 006A7800
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006A7769,006A2203,00000000,00000000,00000000,?,006A7966,00000006,FlsSetValue,006B3768,006B3770,00000000), ref: 006A780E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: 9bfc783d96204243becd563502b82c394dec5568782f6505c678d61d4656927a
                                  • Instruction ID: 0b70193a0f3662d3d57d6e8d2cda56972e88b63298007f65f5fe0d1a74346581
                                  • Opcode Fuzzy Hash: 9bfc783d96204243becd563502b82c394dec5568782f6505c678d61d4656927a
                                  • Instruction Fuzzy Hash: 2601F7767192229BC7216A6D9C48AAB7B9AAF16BA1B100630F91AD7240D724DD41CAE0
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0069992E
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0069993F
                                  • TranslateMessage.USER32(?), ref: 00699949
                                  • DispatchMessageW.USER32(?), ref: 00699953
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Message$DispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 4217535847-0
                                  • Opcode ID: f4a48ab6855073e1a87eb39248335615738b0b8b401286fb73e4ad12b11b4edb
                                  • Instruction ID: 4309b0b145704fc50b00a72e3dd911718d10d282b3db9dac5e72b9b4c0edf0fd
                                  • Instruction Fuzzy Hash: 90E0EDB2C0212EB78F20ABE6AD4CDDBBF6DEE062657004115B919D2000D6689545C7F1
                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00010000,Function_0000FD4F,?,00000000,00000000), ref: 0068FBE1
                                  • SetThreadPriority.KERNEL32(?,00000000), ref: 0068FC28
                                    • Part of subcall function 00686D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00686DAD
                                  Strings
                                  Similarity
                                  • API ID: Thread$CreatePriority__vswprintf_c_l
                                  • String ID: CreateThread failed
                                  • API String ID: 2655393344-3849766595
                                  • Opcode ID: 7eb2d1fed8dedb0e404b5d11ca6687187cd3f3b26ca4dcd63f3b3c973ccd497e
                                  • Instruction ID: 2784258a0239dfc9796b4c3b3ef1253bf22193fd9ddfcf1a55921dd787dc8815
                                  • Instruction Fuzzy Hash: 9101F9B534430A6FE3207F58DC42FB7775BEB45761F20063EFA41D6181CAA1A8818774
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,?,?,0068C8A3,00000001,?,?,?,00000000,0069420A,?,?,?,?,?,00693CAF), ref: 00689C33
                                  • WriteFile.KERNEL32(?,00000000,?,00693EB7,00000000,?,?,00000000,0069420A,?,?,?,?,?,00693CAF,?), ref: 00689C73
                                  • WriteFile.KERNELBASE(?,00000000,?,00693EB7,00000000,?,00000001,?,?,0068C8A3,00000001,?,?,?,00000000,0069420A), ref: 00689CA0
                                  Similarity
                                  • API ID: FileWrite$Handle
                                  • String ID:
                                  • API String ID: 4209713984-0
                                  • Opcode ID: 4a2c7fdf011c26580752828b475671694cfa5a3cf38627b2bd4dba4971c1d93c
                                  • Instruction ID: cd66e1eacac73dc98daa6cc80a6260cd561c1be2148f96724ad77446f44ce0dd
                                  • Instruction Fuzzy Hash: D6310871248609AFDB20BF24D808BB6FBAAFF51310F184719F55593280C776E849CBB5
                                  APIs
                                  • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00689DE2,?,00000001,00000000,?,?), ref: 00689EFD
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00689DE2,?,00000001,00000000,?,?), ref: 00689F30
                                  • GetLastError.KERNEL32(?,?,?,?,00689DE2,?,00000001,00000000,?,?), ref: 00689F4D
                                  Similarity
                                  • API ID: CreateDirectory$ErrorLast
                                  • String ID:
                                  • API String ID: 2485089472-0
                                  • Opcode ID: bad337658cd585c088b3773b84fc7459a3f1209a23b266e25a98adcba701dfe0
                                  • Instruction ID: 5075fe2b16adc4bef9db8f486b4c661fff989820622b4da9a57541d941a4b3ed
                                  • Instruction Fuzzy Hash: 1A01243110821866EB7ABB684C0AFFE374F9F06741F0C0685FB05E6180D720D980DBB5
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: 7425c57780727d53594d0fd484f6e4f4f0c4dcbf1f6b6c72ea746f0d0f7c8f28
                                  • Instruction ID: 63f0266cd5af2f2812818f84b7b2bacdfb69b33d209728cbabd65cb17a05a143
                                  • Instruction Fuzzy Hash: 1D61D0B1104F449EDB21EF74CC419EBB7EAAF14701F444A2EE5AB87242DB326A49CF11
                                  APIs
                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 006A82D9
                                  Strings
                                  Similarity
                                  • API ID: Info
                                  • String ID:
                                  • API String ID: 1807457897-3916222277
                                  • Opcode ID: f92fdce20457295aacf57198dc4634995c834c06602806839dd79a77a4db5f5f
                                  • Instruction ID: 0ba7302ad8708fd7cfb3be08d883da68db9001714f8ea9f0613b2388145e9e3b
                                  • Instruction Fuzzy Hash: A9410B7090834C9FDF219E688C84AFABBFBEB56704F1404EDE58A87142E635AD45DF60
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00681DD7
                                    • Part of subcall function 00683A90: __EH_prolog.LIBCMT ref: 00683A95
                                  Strings
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: 92596bcb81a3ba09183f69771f898ffc4abde23dfa6364bd291b8c26a159d16c
                                  • Instruction ID: f51bb8aff1ad3a96cbd103d49d18d1116170bf1ec2ac2f57a66dc0ff7d23c6da
                                  • Instruction Fuzzy Hash: 642139719001099FCB55EF98C9459EEFBFABF59300F10056EE845AB252C7325E12CF65
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: f1c0b514c2b0b3fda0e7caddffde44fe9a8d8d309cf898cd0a52193ba67049c2
                                  • Instruction ID: 09a7eeb1326b617163c25391ca826ebf77e85589e21d51fb4286b91e4747f8e9
                                  • Instruction Fuzzy Hash: 2D11B171A00205AFCF14EF65D4A5ABEFBAFBF46300F04421AE8469B341DB359852DB90
                                  APIs
                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 006A7A6B
                                  Strings
                                  Similarity
                                  • API ID: String
                                  • String ID: LCMapStringEx
                                  • API String ID: 2568140703-3893581201
                                  • Opcode ID: dbbad2eebbf4726f9c733df4413794e3833ead3e5acf7b98271e5e6cdefa5494
                                  • Instruction ID: 7dc534d35cca5e1fd08eba67e782b680d0c77769b821ab55b5ea3982c932c093
                                  • Instruction Fuzzy Hash: 3D0117B6644219BBCF02AF90DC05DEE7F63EB08750F014214FE1865261DA328A71AB84
                                  APIs
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,006A708B), ref: 006A79E3
                                  Strings
                                  • InitializeCriticalSectionEx, xrefs: 006A79B3
                                  Similarity
                                  • API ID: CountCriticalInitializeSectionSpin
                                  • String ID: InitializeCriticalSectionEx
                                  • API String ID: 2593887523-3084827643
                                  • Opcode ID: 1475c45fba655f16aa50bbb378e2cd5c9c5aa9e66931df243c84476044b6f3cf
                                  • Instruction ID: af92acee52b9bd77dc90b140eb31c93a784a81f97045811e2c226b07352b2239
                                  • Instruction Fuzzy Hash: C2F024B464021CBBCB006F90DC05C9EBFA3EB05720B004229FC185A260DA718E50DBC4
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: Alloc
                                  • String ID: FlsAlloc
                                  • API String ID: 2773662609-671089009
                                  • Opcode ID: 51138d017fba2aec7610bbca81749f75bc1c1c9c8aa862ea736e8037584a94b7
                                  • Instruction ID: 450b80573d892de218865f27a28b3670f64a77b65f2f334bfe9c108cb7dd1f77
                                  • Instruction Fuzzy Hash: 81E05CF0B452187783047BA49C05DAE7F97CB05710B410178FD0157340DD705E4087C9
                                  APIs
                                  • try_get_function.LIBVCRUNTIME ref: 006A1D9C
                                  Strings
                                  Similarity
                                  • API ID: try_get_function
                                  • String ID: FlsAlloc
                                  • API String ID: 2742660187-671089009
                                  • Opcode ID: 2f35847d98d9bd9792149c7bdfd7fced55cf31ef56e656ec67db904e2c53a87d
                                  • Instruction ID: e5d57262895a468692e759b9080e3e758906ae26fb13b15e12ebad4fda9c2d88
                                  • Instruction Fuzzy Hash: 0FD02EB6BC23383BD61036D8AC02AEABE0BCB03FB1F450161FF082D28295A1188047D5
                                  APIs
                                    • Part of subcall function 006A81DC: GetOEMCP.KERNEL32(00000000,?,?,006A8465,?), ref: 006A8207
                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,006A84AA,?,00000000), ref: 006A867D
                                  • GetCPInfo.KERNEL32(00000000,006A84AA,?,?,?,006A84AA,?,00000000), ref: 006A8690
                                  Similarity
                                  • API ID: CodeInfoPageValid
                                  • String ID:
                                  • API String ID: 546120528-0
                                  • Opcode ID: 30fe56efbb956f38081901637864f85b0063841e0741b550136a666315f705ea
                                  • Instruction ID: 5ed6bf69bd6e2ca89afbc444d78640902f6fd3d72692280bd1ee9c6db71e31ff
                                  • Instruction Fuzzy Hash: 5B51E1709002059EEB25AF75C885AFEBBE7EF43310F24446ED0868B251EB75DD428F91
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 006813B4
                                    • Part of subcall function 00685F9E: __EH_prolog.LIBCMT ref: 00685FA3
                                    • Part of subcall function 0068C463: __EH_prolog.LIBCMT ref: 0068C468
                                    • Part of subcall function 0068C463: new.LIBCMT ref: 0068C4AB
                                    • Part of subcall function 0068C463: new.LIBCMT ref: 0068C4CF
                                  • new.LIBCMT ref: 0068142C
                                    • Part of subcall function 0068ACB6: __EH_prolog.LIBCMT ref: 0068ACBB
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 88d2537a28108f0e3677a1d29d7490b72363d7e2c82d70d03a64efc2e17446e2
                                  • Instruction ID: c79fdb52cf6a43b02aa87055edd7d35cb2201b0128448da90af72d77e9023cba
                                  • Instruction Fuzzy Hash: 014134B0805B40DEE720DF7984859E6FBEAFF29310F504A6ED5EE87282CB326554CB15
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 006813B4
                                    • Part of subcall function 00685F9E: __EH_prolog.LIBCMT ref: 00685FA3
                                    • Part of subcall function 0068C463: __EH_prolog.LIBCMT ref: 0068C468
                                    • Part of subcall function 0068C463: new.LIBCMT ref: 0068C4AB
                                    • Part of subcall function 0068C463: new.LIBCMT ref: 0068C4CF
                                  • new.LIBCMT ref: 0068142C
                                    • Part of subcall function 0068ACB6: __EH_prolog.LIBCMT ref: 0068ACBB
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                    • Part of subcall function 006A630E: GetLastError.KERNEL32(?,006BCBE8,006A2664,006BCBE8,?,?,006A2203,?,?,006BCBE8), ref: 006A6312
                                    • Part of subcall function 006A630E: _free.LIBCMT ref: 006A6345
                                    • Part of subcall function 006A630E: SetLastError.KERNEL32(00000000,?,006BCBE8), ref: 006A6386
                                    • Part of subcall function 006A630E: _abort.LIBCMT ref: 006A638C
                                    • Part of subcall function 006A8567: _abort.LIBCMT ref: 006A8599
                                    • Part of subcall function 006A8567: _free.LIBCMT ref: 006A85CD
                                    • Part of subcall function 006A81DC: GetOEMCP.KERNEL32(00000000,?,?,006A8465,?), ref: 006A8207
                                  • _free.LIBCMT ref: 006A84C0
                                  • _free.LIBCMT ref: 006A84F6
                                  Similarity
                                  • API ID: _free$ErrorLast_abort
                                  • String ID:
                                  • API String ID: 2991157371-0
                                  APIs
                                  • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00689BD7,?,?,00687735), ref: 006895C9
                                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00689BD7,?,?,00687735), ref: 006895FE
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  APIs
                                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00687436,?,?,?), ref: 00689A7C
                                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 00689B2C
                                  Similarity
                                  • API ID: File$BuffersFlushTime
                                  • String ID:
                                  • API String ID: 1392018926-0
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 006A7786
                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006A7793
                                  Similarity
                                  • API ID: AddressProc__crt_fast_encode_pointer
                                  • String ID:
                                  • API String ID: 2279764990-0
                                  APIs
                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00689B71
                                  • GetLastError.KERNEL32 ref: 00689B7D
                                  Similarity
                                  • API ID: ErrorFileLastPointer
                                  • String ID:
                                  • API String ID: 2976181284-0
                                  APIs
                                  • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 0068993B
                                  • GetLastError.KERNEL32 ref: 00689948
                                    • Part of subcall function 006896FA: __EH_prolog.LIBCMT ref: 006896FF
                                  Similarity
                                  • API ID: ErrorFileH_prologLastPointer
                                  • String ID:
                                  • API String ID: 4236474358-0
                                  APIs
                                  • _free.LIBCMT ref: 006A5AFB
                                    • Part of subcall function 006A59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,006A239A,?,0000015D,?,?,?,?,006A2F19,000000FF,00000000,?,?), ref: 006A5A1E
                                  • RtlReAllocateHeap.NTDLL(00000000,?,00200000,?,?,006BCBE8,006817D2,?,?,?,?,00000000,?,006813A9,?,?), ref: 006A5B37
                                  Similarity
                                  • API ID: AllocateHeap$_free
                                  • String ID:
                                  • API String ID: 1482568997-0
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?), ref: 0068FCA1
                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 0068FCA8
                                  Similarity
                                  • API ID: Process$AffinityCurrentMask
                                  • String ID:
                                  • API String ID: 1231390398-0
                                  APIs
                                  • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00689F49,?,?,?,00689DE2,?,00000001,00000000,?,?), ref: 0068A127
                                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00689F49,?,?,?,00689DE2,?,00000001,00000000,?,?), ref: 0068A158
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  APIs
                                  Similarity
                                  • API ID: ItemText_swprintf
                                  • String ID:
                                  • API String ID: 3011073432-0
                                  APIs
                                  • DeleteFileW.KERNELBASE(?,?,?,00689661,?,?,006894BC), ref: 00689E0D
                                  • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00689661,?,?,006894BC), ref: 00689E3B
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?,?,?,00689E58,?,006875A0,?,?,?,?), ref: 00689E74
                                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00689E58,?,006875A0,?,?,?,?), ref: 00689EA0
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  APIs
                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0068F376
                                  • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0068DF18,Crypt32.dll,?,0068DF9C,?,0068DF7E,?,?,?,?), ref: 0068F398
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystem
                                  • String ID:
                                  • API String ID: 1175261203-0
                                  APIs
                                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00698944
                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0069894B
                                  Similarity
                                  • API ID: BitmapCreateFromGdipStream
                                  • String ID:
                                  • API String ID: 1918208029-0
                                  APIs
                                  • GdiplusShutdown.GDIPLUS(?,?,?,006AF605,000000FF), ref: 006990C6
                                  • CoUninitialize.COMBASE(?,?,?,006AF605,000000FF), ref: 006990CB
                                  Similarity
                                  • API ID: GdiplusShutdownUninitialize
                                  • String ID:
                                  • API String ID: 3856339756-0
                                  • Opcode ID: 1a216fa2cb99ddc8a67e266fa8060eebb47c8a06f327a7fe30d197ee949dba9d
                                  • Instruction ID: ef3015bcef2c3e95517b8914f8353612dc11e570206ca21ee5b8f54ea5836fdd
                                  • Opcode Fuzzy Hash: 1a216fa2cb99ddc8a67e266fa8060eebb47c8a06f327a7fe30d197ee949dba9d
                                  • Instruction Fuzzy Hash: 24E0DF32508640DFC310DF88DC06F41BBEAFB09B20F00836AB81A83B60CB386C00CB85
                                  APIs
                                    • Part of subcall function 006A1D87: try_get_function.LIBVCRUNTIME ref: 006A1D9C
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006A0C64
                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 006A0C6F
                                  Similarity
                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                  • String ID:
                                  • API String ID: 806969131-0
                                  • Opcode ID: b3f11564f2d1c3595b333c073a489b84e9665907631f3bf963ea0392f0d22899
                                  • Instruction ID: 62eab989aa81037dad3ceaa5b418d213c737dae06541f87f88db9a5768a309ca
                                  • Opcode Fuzzy Hash: b3f11564f2d1c3595b333c073a489b84e9665907631f3bf963ea0392f0d22899
                                  • Instruction Fuzzy Hash: 3DD022BCA98302197D8432F4A81248A13479D137B4B70134EE0238D6D3EE369C836C2E
                                  APIs
                                  Similarity
                                  • API ID: ItemShowWindow
                                  • String ID:
                                  • API String ID: 3351165006-0
                                  • Opcode ID: 6be6a79c2619ac7053a354e17fe4a5a62860b08f0cb1aa50f42f6dfe31003cb0
                                  • Instruction ID: 80dff21cd2a734bc83216fe872491512d7b3f3ff5e77a10b679582a9b04289f1
                                  • Opcode Fuzzy Hash: 6be6a79c2619ac7053a354e17fe4a5a62860b08f0cb1aa50f42f6dfe31003cb0
                                  • Instruction Fuzzy Hash: 02C012B2058200BFCB010BB0DC09C2EBBAAABA5312F00CA08B4B5C00A0CA38C060DB12
                                  APIs
                                  • EnterCriticalSection.KERNEL32(006C1E74,?,?,0068A5F0,?,?,?,?,006AF605,000000FF), ref: 0068FC4B
                                  • LeaveCriticalSection.KERNEL32(006C1E74,?,?,0068A5F0,?,?,?,?,006AF605,000000FF), ref: 0068FC89
                                    • Part of subcall function 0068FA23: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0068FA57
                                    • Part of subcall function 0068FA23: CloseHandle.KERNELBASE(0139336C,0139336C), ref: 0068FA71
                                    • Part of subcall function 0068FA23: DeleteCriticalSection.KERNEL32(01393508), ref: 0068FA8A
                                    • Part of subcall function 0068FA23: CloseHandle.KERNELBASE(?), ref: 0068FA96
                                    • Part of subcall function 0068FA23: CloseHandle.KERNEL32(?), ref: 0068FAA2
                                  Similarity
                                  • API ID: CloseCriticalHandleSection$DeleteEnterLeaveReleaseSemaphore
                                  • String ID:
                                  • API String ID: 3265325312-0
                                  • Opcode ID: d440a2fd55e60ad8996e7da7a974e7311dfc45c26fcaa57e1740b50a1eb94897
                                  • Instruction ID: a45d6cb96adab0bca68da1e18bb6cc4ca12427c30b5a32eee5be374b9ff969df
                                  • Opcode Fuzzy Hash: d440a2fd55e60ad8996e7da7a974e7311dfc45c26fcaa57e1740b50a1eb94897
                                  • Instruction Fuzzy Hash: 3CF0A73164121097D7117B15E805AFF766BDB4BB65F14423EFC0497691C7718D41C7A4
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: c5a66262f03eb7e8dbd3562a93cb495f9f1d90d83a1805733511877b6bf18913
                                  • Instruction ID: aa0e4677aa2ab160d03e8244ccf11ef3630c0bd54e5e0049c13f1b70c2356e74
                                  • Opcode Fuzzy Hash: c5a66262f03eb7e8dbd3562a93cb495f9f1d90d83a1805733511877b6bf18913
                                  • Instruction Fuzzy Hash: C9B1C170A00646AFEB28EF78C444AF9FBABBF06304F14435AE4569B381C7359956CB91
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 006881F2
                                    • Part of subcall function 006813AF: __EH_prolog.LIBCMT ref: 006813B4
                                    • Part of subcall function 006813AF: new.LIBCMT ref: 0068142C
                                    • Part of subcall function 006819E2: __EH_prolog.LIBCMT ref: 006819E7
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 2aa471c01d416f0eae7fd0675cccf6b6aad3d61a238791eca444f3a9f1d516de
                                  • Instruction ID: d6028ac7dcbc3441f12b99b4dc4e62dce5737694632f873f5a90868e89224a36
                                  • Opcode Fuzzy Hash: 2aa471c01d416f0eae7fd0675cccf6b6aad3d61a238791eca444f3a9f1d516de
                                  • Instruction Fuzzy Hash: 7B41CF318406589FDF60FBA0C855BEA736AAF50700F4402EEE58AA3183DB745FC8DB54
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 9853fdf3b054999a35b3bc4972f6142be87efed0b191b221a56422af789f6d87
                                  • Instruction ID: 0320050432dbe3beb06fdb5be8a6b0e4615d88bfad402089b26f65179a07ab74
                                  • Opcode Fuzzy Hash: 9853fdf3b054999a35b3bc4972f6142be87efed0b191b221a56422af789f6d87
                                  • Instruction Fuzzy Hash: 5C21B6B1E402166FDF14DFB8CC51AAA766EEF09714F00463EE509EBA81D7749E40C6A8
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00699489
                                    • Part of subcall function 006813AF: __EH_prolog.LIBCMT ref: 006813B4
                                    • Part of subcall function 006813AF: new.LIBCMT ref: 0068142C
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: f558c4d11108ffb6677e05855f0789a06a478566bdd92f6b510b2f664aedead3
                                  • Instruction ID: d1068309a80641fe5e7c5f892ed08684876cf2a4a5ede986e7151a2f3be9f492
                                  • Opcode Fuzzy Hash: f558c4d11108ffb6677e05855f0789a06a478566bdd92f6b510b2f664aedead3
                                  • Instruction Fuzzy Hash: 1B217F71C042499FCF15EF58D9419EEBBFAAF1A300F0001AEE809B7202D735AE06DB64
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: b1f14eef397502ac12884269071cf1f069c9a65fc4df1ad5e75d64bcdaa58cb5
                                  • Instruction ID: 52d45995d9e04171cc5640acce35b80072d6baeaf1a672411879a69e642b76b6
                                  • Opcode Fuzzy Hash: b1f14eef397502ac12884269071cf1f069c9a65fc4df1ad5e75d64bcdaa58cb5
                                  • Instruction Fuzzy Hash: 32117373E045255BCF12BF58CC559EEBB37AF88750F044229F90577211DA308D1087B4
                                  APIs
                                    • Part of subcall function 006A5A7D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,006A633C,00000001,00000364,?,006A2203,?,?,006BCBE8), ref: 006A5ABE
                                  • _free.LIBCMT ref: 006A8F41
                                  Similarity
                                  • API ID: AllocateHeap_free
                                  • String ID:
                                  • API String ID: 614378929-0
                                  • Opcode ID: e032975ebbae66d82fc58406085c7988e182e8e093097f4fa6ffad3816001ba0
                                  • Instruction ID: b9fc6bf9249da50a3e979ed408e74273aee0481f09829dc24b05032446f6b674
                                  • Opcode Fuzzy Hash: e032975ebbae66d82fc58406085c7988e182e8e093097f4fa6ffad3816001ba0
                                  • Instruction Fuzzy Hash: B3012B722003455FE321DE599C8195AFBEAEBC6370F25051DE59493280EA30AC058B34
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,006A633C,00000001,00000364,?,006A2203,?,?,006BCBE8), ref: 006A5ABE
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 39881253c2cb7582c8582d2d976e360cf13733d5ebd09955f74081fba394544f
                                  • Instruction ID: 788809e209b579fc87f3bf5091a8a0e967ef0f3d8fe273512f8fb44c8cc322c9
                                  • Opcode Fuzzy Hash: 39881253c2cb7582c8582d2d976e360cf13733d5ebd09955f74081fba394544f
                                  • Instruction Fuzzy Hash: A1F0B431705E346BEB61FA619C85BAA374BAF43760B194215AE1B96294DB60EC008EE4
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,006A239A,?,0000015D,?,?,?,?,006A2F19,000000FF,00000000,?,?), ref: 006A5A1E
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: c7823a9c0cb01c959f30cee0c781467a9c2ea7952a0343e033effa711bf01c6b
                                  • Instruction ID: d23dc0d8a25f8e4aed61a062c14788f4467f949ec899ccda7dc2bff80703bb0c
                                  • Opcode Fuzzy Hash: c7823a9c0cb01c959f30cee0c781467a9c2ea7952a0343e033effa711bf01c6b
                                  • Instruction Fuzzy Hash: 2EE0E531321E215AEB20B6629C417DE374FAB533B0F021369AE07922A0EB60CD008DA4
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00685B0A
                                    • Part of subcall function 0068ACB6: __EH_prolog.LIBCMT ref: 0068ACBB
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 50e86c6773ff229e7e6ad0ada43db260ec0bdf778549b5f40e4d995956237c88
                                  • Instruction ID: 5e9f3dca3b3dd5f40e04a9aac5408c5515f1c02be5d31dd19652c2a6a9fc441e
                                  • Opcode Fuzzy Hash: 50e86c6773ff229e7e6ad0ada43db260ec0bdf778549b5f40e4d995956237c88
                                  • Instruction Fuzzy Hash: FC018634600645DAD704F7A4C4197DDF7E59F15300F40829DA89A63242CFB41B08C7A7
                                  APIs
                                  • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0068A1C4
                                  Similarity
                                  • API ID: CloseFind
                                  • String ID:
                                  • API String ID: 1863332320-0
                                  • Opcode ID: dada54eca70b73e8d65555cba730757be2f570703df1ff37f9da5d04bddeb4bb
                                  • Instruction ID: 233898884ae870fce03f4af0a3311d253f7c91adc6000ed94f4bc93116c920d8
                                  • Opcode Fuzzy Hash: dada54eca70b73e8d65555cba730757be2f570703df1ff37f9da5d04bddeb4bb
                                  • Instruction Fuzzy Hash: 01F0BE31408780EADA627BF48808BCBBFA25F06331F048B0EF5F912292C2B550999732
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00681EC4
                                    • Part of subcall function 00681927: __EH_prolog.LIBCMT ref: 0068192C
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 88360b34b44f2639c4c438c91116d307839f6544711e574f303a1a6181d81b36
                                  • Instruction ID: 9a2cee963b9568acae81b6d89d9fe8c4084167e8d8ad5b4aa1975887b1558f24
                                  • Opcode Fuzzy Hash: 88360b34b44f2639c4c438c91116d307839f6544711e574f303a1a6181d81b36
                                  • Instruction Fuzzy Hash: 0CF098B1D002498ECF41EFA8C5456EEBBF5AB1A300F0446BED519E7202E73556158BA5
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00681EC4
                                    • Part of subcall function 00681927: __EH_prolog.LIBCMT ref: 0068192C
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 9174b26c55bc6689883bf4742441a397630375c3705d662e38516824eb19a35e
                                  • Instruction ID: 5a867db4f4938f1b0d7479ce8c337ade46f3cc28e8ba94619d5d01da47cfc68d
                                  • Opcode Fuzzy Hash: 9174b26c55bc6689883bf4742441a397630375c3705d662e38516824eb19a35e
                                  • Instruction Fuzzy Hash: 71F0A5B1C002488ECF81EFA8C546AEEBBF5BB1A300F0446BED409E7202EB355605CB95
                                  APIs
                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 0068F979
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ExecutionStateThread
                                  • String ID:
                                  • API String ID: 2211380416-0
                                  • Opcode ID: 504d0eeb5afb93695badbc65505c348bfe12412a8171a3d467091a735c98820f
                                  • Instruction ID: 3e45ec4882633164f2f8aa49894f401eb1766edd15bdb73ce0afc29ea6f362fe
                                  • Opcode Fuzzy Hash: 504d0eeb5afb93695badbc65505c348bfe12412a8171a3d467091a735c98820f
                                  • Instruction Fuzzy Hash: 7CD02B1170102129EF513B2C680ABFD190B0FC1330F0C027DF44567293CB45088253B2
                                  APIs
                                  • GdipAlloc.GDIPLUS(00000010), ref: 00698B6A
                                    • Part of subcall function 00698923: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00698944
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Gdip$AllocBitmapCreateFromStream
                                  • String ID:
                                  • API String ID: 1915507550-0
                                  • Opcode ID: b3ecc342144db532c8dedf8b776bc33c6e15ccf428a3dce563ad8a90b77a80c7
                                  • Instruction ID: 00ebdb063765b0abe884856581ab2e4b2a9dfa0b354e63e3cebcec511814ee22
                                  • Opcode Fuzzy Hash: b3ecc342144db532c8dedf8b776bc33c6e15ccf428a3dce563ad8a90b77a80c7
                                  • Instruction Fuzzy Hash: 08D0A7B020010D7FDF81AB648C0297D7A9EEB02360F048139BC04C7650FE71CD11B255
                                  APIs
                                  • GetFileType.KERNELBASE(000000FF,0068969C), ref: 00689776
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  • Opcode ID: 97824f78c646d776fdb81861b3a14eaad270e0f5fa1620268bf9deaeb2cdf542
                                  • Instruction ID: 5706984768f50dadd76733a096e8d8e58944247df73c6a4dc990b2d9c510d470
                                  • Opcode Fuzzy Hash: 97824f78c646d776fdb81861b3a14eaad270e0f5fa1620268bf9deaeb2cdf542
                                  • Instruction Fuzzy Hash: 27D01270061200658F752E345D090B66A63DB833A672CDBE4E025C41B1C722C843F754
                                  APIs
                                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0069BF9B
                                    • Part of subcall function 0069991D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0069992E
                                    • Part of subcall function 0069991D: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0069993F
                                    • Part of subcall function 0069991D: TranslateMessage.USER32(?), ref: 00699949
                                    • Part of subcall function 0069991D: DispatchMessageW.USER32(?), ref: 00699953
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Message$DispatchItemPeekSendTranslate
                                  • String ID:
                                  • API String ID: 4142818094-0
                                  • Opcode ID: 5ee76a9bbdb30809c6fa613799e7a5f2fb87a5d5c59747936e93ae67ed98d433
                                  • Instruction ID: 001de0147b154757871b8ce244aa317cd70f2375bcac262aa7ae8f8a9b0b0a9d
                                  • Opcode Fuzzy Hash: 5ee76a9bbdb30809c6fa613799e7a5f2fb87a5d5c59747936e93ae67ed98d433
                                  • Instruction Fuzzy Hash: B0D09E71148200AADB112B51CD06F1A7AA7BB88B04F404658B744340B186629D20EB16
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069CD6D
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: b6188193ad23aab8fcd29abb57a624def004faeabcfe97baba97f94c727cacfc
                                  • Instruction ID: b8a41d5f6d7d789a144f7865fc7bde38f6564789da81ebb0fe725c607e7f315b
                                  • Opcode Fuzzy Hash: b6188193ad23aab8fcd29abb57a624def004faeabcfe97baba97f94c727cacfc
                                  • Instruction Fuzzy Hash: 57B012E1258004BD751496986F0EC77150FC4C0F31330803FF401D1480F8440CC7C132
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 72b4378d8ca08d1233685bf04cf7308fa963e1ee80916ac4b75831324e8ead5c
                                  • Instruction ID: b8117ff88e3bfaed2aadc4972b1fcf79a9bd13ea27da533c58bd3f8729e73a5a
                                  • Opcode Fuzzy Hash: 72b4378d8ca08d1233685bf04cf7308fa963e1ee80916ac4b75831324e8ead5c
                                  • Instruction Fuzzy Hash: DDB012E12685056CB544E58C2D06C76010FC0C0F30330C42FF800C6781D8404D874A32
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: c1bf9967a42206b16853933764300d090f4960d3b2ac539fab0bacbcbc8175c8
                                  • Instruction ID: 3f1ac7f2600aa844a84fd189988395f6201615791e1aff5746658434709b9ea0
                                  • Opcode Fuzzy Hash: c1bf9967a42206b16853933764300d090f4960d3b2ac539fab0bacbcbc8175c8
                                  • Instruction Fuzzy Hash: 08B012E12684057CB544E1846D06C77010FC0C0F30330852FF401C6681D8404C874636
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: b395dd04ec0c5f4e881f05c2f5a53f3f1bbd81ff631d405663e62aeb77ff7ce3
                                  • Instruction ID: f8337679b7da95b52c251bc08227436beb557788739a4b88e7e46c0d013091f0
                                  • Opcode Fuzzy Hash: b395dd04ec0c5f4e881f05c2f5a53f3f1bbd81ff631d405663e62aeb77ff7ce3
                                  • Instruction Fuzzy Hash: 5BB012F12586056DB544E58C3F06C77010FC0C0F30330842FF400C6781D8404D874A32
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 9ec46ff4f5c85ad86121315cd3bfff1df3b0fa340f3df0339e04583aea69567f
                                  • Instruction ID: 3b1a3da589c83bce2b116f8321520eff21cc7f82bd15743ac4786d86349d667e
                                  • Opcode Fuzzy Hash: 9ec46ff4f5c85ad86121315cd3bfff1df3b0fa340f3df0339e04583aea69567f
                                  • Instruction Fuzzy Hash: 04B012E12586057CB904A1882D46C76010FC0C4F30330852FF400C5681D8404DC78A32
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C798
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: fe4705da529b7b3f318082579752e5ebc255e4531d29cd4da726dc54f7498892
                                  • Instruction ID: 58543df3b0fd576d67dad1315e8f3ec29e05d791b385e97462389fd8c5ebfb76
                                  • Opcode Fuzzy Hash: fe4705da529b7b3f318082579752e5ebc255e4531d29cd4da726dc54f7498892
                                  • Instruction Fuzzy Hash: 5DB092E12780046C654892956906876010FC084B21320802AB400C66809840088A023A
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C798
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 470618b25bba888228d99542bf1c145c30ac11c3fe6ee5973cb204f3120af351
                                  • Instruction ID: daa715f196e6bef0cddc30183dee712fb62e1c8c7f1e219eaae72bfde734f032
                                  • Opcode Fuzzy Hash: 470618b25bba888228d99542bf1c145c30ac11c3fe6ee5973cb204f3120af351
                                  • Instruction Fuzzy Hash: 5CB012E12781087C7944D2DA2C06C76010FC0C4F31330C02FF400C6780D8400C82033E
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C798
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 379b6e726885b09bc5b143873cad0469dacca46477c2606de58ea2273b6c8f1c
                                  • Instruction ID: c121f7e82e7ef36228b8372a48b465c46950d10142f54cb7e3cac0b05cd998a9
                                  • Opcode Fuzzy Hash: 379b6e726885b09bc5b143873cad0469dacca46477c2606de58ea2273b6c8f1c
                                  • Instruction Fuzzy Hash: 6FB012F12781047C7544D2D16C06C76010FC0C1F31330C02FF800C658098401C86033E
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: d7f3e2b00b2159dddc5f9d5f3186cc1f433cd1ed264a7aff255c62a1321bb555
                                  • Instruction ID: 2e4533d196d19d28349928093d7cdf9a072a509e86453332c1d85d980c976145
                                  • Opcode Fuzzy Hash: d7f3e2b00b2159dddc5f9d5f3186cc1f433cd1ed264a7aff255c62a1321bb555
                                  • Instruction Fuzzy Hash: BEA002D51595167CB544A1516D16C76011EC4C5F71331891EF401C5581995059475575
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 997681dbd98fe03928240b4ed59f39b50081e3cc5269a7da7df0a10e9f0447b3
                                  • Instruction ID: 2e4533d196d19d28349928093d7cdf9a072a509e86453332c1d85d980c976145
                                  • Opcode Fuzzy Hash: 997681dbd98fe03928240b4ed59f39b50081e3cc5269a7da7df0a10e9f0447b3
                                  • Instruction Fuzzy Hash: BEA002D51595167CB544A1516D16C76011EC4C5F71331891EF401C5581995059475575
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 4e1ef23dbda81d30eed10e3a6f5a17111df40f814edf4e306ad08cf57d7f8949
                                  • Instruction ID: 2e4533d196d19d28349928093d7cdf9a072a509e86453332c1d85d980c976145
                                  • Opcode Fuzzy Hash: 4e1ef23dbda81d30eed10e3a6f5a17111df40f814edf4e306ad08cf57d7f8949
                                  • Instruction Fuzzy Hash: BEA002D51595167CB544A1516D16C76011EC4C5F71331891EF401C5581995059475575
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C798
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 9d791bfffb7ff693f6ad1c7e422fc82229e556e41653532765111337be612be3
                                  • Instruction ID: bb1aa13e6b9f69f469c79005d242cedc0d3ebb4ab754ddae427b6d6ba36f16fb
                                  • Opcode Fuzzy Hash: 9d791bfffb7ff693f6ad1c7e422fc82229e556e41653532765111337be612be3
                                  • Instruction Fuzzy Hash: 18A002D51795057C754492916D06C76011EC4C5F71371851EF401C5581595019465579
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C798
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 7f507800e1859a449353d03ee434f0bf8d39f1af8f1a653873b22e483a441d9b
                                  • Instruction ID: bb1aa13e6b9f69f469c79005d242cedc0d3ebb4ab754ddae427b6d6ba36f16fb
                                  • Opcode Fuzzy Hash: 7f507800e1859a449353d03ee434f0bf8d39f1af8f1a653873b22e483a441d9b
                                  • Instruction Fuzzy Hash: 18A002D51795057C754492916D06C76011EC4C5F71371851EF401C5581595019465579
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
                                    • Part of subcall function 0069CABB: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0069CB38
                                    • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: da2744222d2d1df24a115cd9d87527d16fb2d6fdd5898573c1e18aeb1cb6f417
                                  • Instruction ID: 2e4533d196d19d28349928093d7cdf9a072a509e86453332c1d85d980c976145
                                  • Opcode Fuzzy Hash: da2744222d2d1df24a115cd9d87527d16fb2d6fdd5898573c1e18aeb1cb6f417
                                  • Instruction Fuzzy Hash: BEA002D51595167CB544A1516D16C76011EC4C5F71331891EF401C5581995059475575
                                  APIs
                                  • SetCurrentDirectoryW.KERNELBASE(?,00699279,006C2120,00000000,006C3122,00000006), ref: 00699026
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory
                                  • String ID:
                                  • API String ID: 1611563598-0
                                  • Opcode ID: 445b1bbcb1b0bfe3267e11bd68187318a0126c6adb3d3cd5cc577bcf8c8e5a5a
                                  • Instruction ID: fd669f64f6b6f4f8de4fb3006c103e6bb87fdb52adc87145eb0bdc1965f05f98
                                  • Opcode Fuzzy Hash: 445b1bbcb1b0bfe3267e11bd68187318a0126c6adb3d3cd5cc577bcf8c8e5a5a
                                  • Instruction Fuzzy Hash: DEA0127019410656CB100B34CC09C167A515760702F0097207002C00A0CB308850E500
                                  APIs
                                  • CloseHandle.KERNELBASE(000000FF,?,?,006894C3), ref: 0068950E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: d7914a7a8e5af6ce4b0fe5f3292bf893dea5a1a839c69de2335706a1816879e0
                                  • Instruction ID: 9199b81f32e480f054a1e1639c31733abf76364203e8cb9ad096501b4b6730b4
                                  • Opcode Fuzzy Hash: d7914a7a8e5af6ce4b0fe5f3292bf893dea5a1a839c69de2335706a1816879e0
                                  • Instruction Fuzzy Hash: 05F0E9B0542B044FDB31AA34D5187E3B7E55B12731F084B1ED0E643AD0D3716449DF21
                                  APIs
                                    • Part of subcall function 006812E7: GetDlgItem.USER32(00000000,00003021), ref: 0068132B
                                    • Part of subcall function 006812E7: SetWindowTextW.USER32(00000000,006B02E4), ref: 00681341
                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0069A5C7
                                  • EndDialog.USER32(?,00000006), ref: 0069A5DA
                                  • GetDlgItem.USER32(?,0000006C), ref: 0069A5F6
                                  • SetFocus.USER32(00000000), ref: 0069A5FD
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0069A63D
                                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0069A670
                                  • FindFirstFileW.KERNEL32(?,?), ref: 0069A686
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0069A6A4
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0069A6B4
                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0069A6D1
                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0069A6EF
                                    • Part of subcall function 0068D192: LoadStringW.USER32(?,?,00000200,?), ref: 0068D1D7
                                    • Part of subcall function 0068D192: LoadStringW.USER32(?,?,00000200,?), ref: 0068D1ED
                                  • _swprintf.LIBCMT ref: 0069A71F
                                    • Part of subcall function 00683F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00683F3E
                                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0069A732
                                  • FindClose.KERNEL32(00000000), ref: 0069A735
                                  • _swprintf.LIBCMT ref: 0069A790
                                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 0069A7A3
                                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0069A7B9
                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0069A7D9
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0069A7E9
                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0069A803
                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0069A81B
                                  • _swprintf.LIBCMT ref: 0069A84C
                                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0069A85F
                                  • _swprintf.LIBCMT ref: 0069A8AF
                                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 0069A8C2
                                    • Part of subcall function 0069932E: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00699354
                                    • Part of subcall function 0069932E: GetNumberFormatW.KERNEL32(00000400,00000000,?,006BA154,?,?), ref: 006993A3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                  • API String ID: 3227067027-1840816070
                                  • Opcode ID: 74f287a52959dcdb4812306affa2b9b6f36a89834f7e6d06afc4321e4901c13f
                                  • Instruction ID: 5ecd11c9f71624d57542a9122931c59bc1c71f4429b0bec0b5aabaf936b93c36
                                  • Opcode Fuzzy Hash: 74f287a52959dcdb4812306affa2b9b6f36a89834f7e6d06afc4321e4901c13f
                                  • Instruction Fuzzy Hash: ED91E5B2248308BBE721ABE0CD49FFB77EEEB49700F004919F645D6580D630AA4587A3
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00687075
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 006871D5
                                  • CloseHandle.KERNEL32(00000000), ref: 006871E5
                                    • Part of subcall function 00687A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00687AAC
                                    • Part of subcall function 00687A9D: GetLastError.KERNEL32 ref: 00687AF2
                                    • Part of subcall function 00687A9D: CloseHandle.KERNEL32(?), ref: 00687B01
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 006871F0
                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 006872FE
                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0068732A
                                  • CloseHandle.KERNEL32(?), ref: 0068733C
                                  • GetLastError.KERNEL32(00000015,00000000,?), ref: 0068734C
                                  • RemoveDirectoryW.KERNEL32(?), ref: 00687398
                                  • DeleteFileW.KERNEL32(?), ref: 006873C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                  • API String ID: 3935142422-3508440684
                                  • Opcode ID: bc55a8095ba66ef83c1112d3f3ec8567f530064e8d313b12d0ea467ac36ed9cd
                                  • Instruction ID: af2b66bb91d2585dfddf3b4c5296a1346a06a2bb34ee850cdebf4fd6d665fde1
                                  • Opcode Fuzzy Hash: bc55a8095ba66ef83c1112d3f3ec8567f530064e8d313b12d0ea467ac36ed9cd
                                  • Instruction Fuzzy Hash: B3B1D1B1904218AFEF20EF64CC45BEE77BAAF09300F144669F959E7242D730EA45CB65
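The delay-load records earlier in this section repeat one Instruction ID (2e4533d1…) under several different Opcode IDs, and the record just above carries its Win32 arguments as raw hex (40000000, 02200000, 000900A4). The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in the format this page prints ("APIs" block followed by the record's "Instruction ID" line), decodes the CreateFileW and DeviceIoControl constants using the documented Win32 values, and counts how often each Instruction ID recurs so duplicate stubs can be collapsed. The SAMPLE text is constructed from lines excerpted above; the constant tables are deliberately limited to the values that occur on this page.

```python
"""Parse Joe Sandbox function records (the 'APIs' / 'Instruction ID' blocks
above) and decode the Win32 constants they carry.  Added example; not from
the report itself."""
import re
from collections import Counter

# Constructed sample: records excerpted from the report above, in the order
# the page prints them (the Instruction ID line follows its APIs block).
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
  • Part of subcall function 0069CABB: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0069CB49
• Instruction ID: 2e4533d196d19d28349928093d7cdf9a072a509e86453332c1d85d980c976145
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0069C737
• Instruction ID: 2e4533d196d19d28349928093d7cdf9a072a509e86453332c1d85d980c976145
APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 006871D5
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 006872FE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0068732A
• Instruction ID: af2b66bb91d2585dfddf3b4c5296a1346a06a2bb34ee850cdebf4fd6d665fde1
"""

# One API line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR".  Other bullet lines (Associated,
# Opcode ID, Snapshot File, ...) contain no "Name.MODULE" pair and are skipped.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
INSTR_RE = re.compile(r"^\s*•\s*Instruction ID:\s*(?P<id>[0-9a-f]{64})")

# Documented Win32 values; only the ones seen on this page are listed.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x00000080: "FILE_ATTRIBUTE_NORMAL",
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
# CTL_CODE(FILE_DEVICE_FILE_SYSTEM = 9, function, METHOD_BUFFERED, FILE_ANY_ACCESS)
FSCTL = {(9 << 16) | (fn << 2): name for fn, name in
         ((41, "FSCTL_SET_REPARSE_POINT"), (42, "FSCTL_GET_REPARSE_POINT"),
          (43, "FSCTL_DELETE_REPARSE_POINT"))}


def parse_arg(tok):
    """'?' (unknown to the sandbox) -> None; otherwise the signed hex the report prints."""
    tok = tok.strip()
    if tok in ("?", ""):
        return None
    return int(tok, 16) & 0xFFFFFFFF


def parse_records(text):
    """Split report text into records, one per 'APIs' header."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append({"apis": [], "instruction_id": None})
            continue
        if not records:
            continue
        m = API_RE.match(line)
        if m:
            args = [] if m["args"] is None else [parse_arg(a) for a in m["args"].split(",")]
            records[-1]["apis"].append({"name": m["name"], "module": m["module"],
                                        "args": args, "ref": m["ref"],
                                        "subcall": m["sub"] is not None})
            continue
        m = INSTR_RE.match(line)
        if m:
            records[-1]["instruction_id"] = m["id"]
    return records


def decode_flags(value, table):
    """Names of the table's bit masks fully set in value, lowest mask first."""
    return [name for bit, name in sorted(table.items()) if (value & bit) == bit]


def decode_call(api):
    """Human-readable view of the constants in one API record."""
    name, args = api["name"], api["args"]
    if name == "CreateFileW" and len(args) >= 6 and None not in (args[1], args[4], args[5]):
        return "CreateFileW access=%s disposition=%s flags=%s" % (
            "|".join(decode_flags(args[1], GENERIC)) or hex(args[1]),
            DISPOSITION.get(args[4], hex(args[4])),
            "|".join(decode_flags(args[5], FILE_FLAGS)) or hex(args[5]))
    if name == "DeviceIoControl" and len(args) >= 2 and args[1] is not None:
        return "DeviceIoControl %s" % FSCTL.get(args[1], hex(args[1]))
    return name


def instruction_id_counts(records):
    """How often each Instruction ID recurs (same code listed under different Opcode IDs)."""
    return Counter(r["instruction_id"] for r in records if r["instruction_id"])


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        for a in r["apis"]:
            print(("    " if a["subcall"] else "  ") + decode_call(a))
    for iid, n in instruction_id_counts(recs).items():
        print("%s x%d" % (iid[:16], n))
```

Feeding the whole function-similarity section to parse_records works the same way, since only lines with a Name.MODULE pair and a "ref:" address match the API pattern. For the record above, the decoder renders the second CreateFileW as OPEN_EXISTING with FILE_FLAG_OPEN_REPARSE_POINT|FILE_FLAG_BACKUP_SEMANTICS and the DeviceIoControl code 0x900A4 as FSCTL_SET_REPARSE_POINT, which is what one would expect next to the SeCreateSymbolicLinkPrivilege, SeRestorePrivilege and "\??\" strings the record lists.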
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 006A95C2
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A917A
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A918C
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A919E
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A91B0
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A91C2
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A91D4
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A91E6
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A91F8
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A920A
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A921C
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A922E
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A9240
                                    • Part of subcall function 006A915D: _free.LIBCMT ref: 006A9252
                                  • _free.LIBCMT ref: 006A95B7
                                    • Part of subcall function 006A59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?), ref: 006A59C8
                                    • Part of subcall function 006A59B2: GetLastError.KERNEL32(?,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?,?), ref: 006A59DA
                                  • _free.LIBCMT ref: 006A95D9
                                  • _free.LIBCMT ref: 006A95EE
                                  • _free.LIBCMT ref: 006A95F9
                                  • _free.LIBCMT ref: 006A961B
                                  • _free.LIBCMT ref: 006A962E
                                  • _free.LIBCMT ref: 006A963C
                                  • _free.LIBCMT ref: 006A9647
                                  • _free.LIBCMT ref: 006A967F
                                  • _free.LIBCMT ref: 006A9686
                                  • _free.LIBCMT ref: 006A96A3
                                  • _free.LIBCMT ref: 006A96BB
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                   • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                   • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: cf484b33e76b38ca2321501b63399ae8002d6cfcc0fa901a4478c310f19a2ba0
                                  • Instruction ID: 0028d96d18de470f208fb21709df6763ab2e85a8ce80a38d894e2891a381dd16
                                  • Opcode Fuzzy Hash: cf484b33e76b38ca2321501b63399ae8002d6cfcc0fa901a4478c310f19a2ba0
                                  • Instruction Fuzzy Hash: 05313771601600DFFB61BA79D845B9773EAEF02320F21982DF44ADA252DA31AC80CF64
                                  APIs
                                  • GetWindow.USER32(?,00000005), ref: 0069B8DC
                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 0069B90B
                                    • Part of subcall function 00690B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0068AC99,?,?,?,0068AC48,?,-00000002,?,00000000,?), ref: 00690B16
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0069B929
                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0069B940
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0069B953
                                    • Part of subcall function 00698B21: GetDC.USER32(00000000), ref: 00698B2D
                                    • Part of subcall function 00698B21: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00698B3C
                                    • Part of subcall function 00698B21: ReleaseDC.USER32(00000000,00000000), ref: 00698B4A
                                    • Part of subcall function 00698ADE: GetDC.USER32(00000000), ref: 00698AEA
                                    • Part of subcall function 00698ADE: GetDeviceCaps.GDI32(00000000,00000058), ref: 00698AF9
                                    • Part of subcall function 00698ADE: ReleaseDC.USER32(00000000,00000000), ref: 00698B07
                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0069B97A
                                  • DeleteObject.GDI32(00000000), ref: 0069B981
                                  • GetWindow.USER32(00000000,00000002), ref: 0069B98A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                                  • String ID: STATIC
                                  APIs
                                  • _free.LIBCMT ref: 006A622E
                                    • Part of subcall function 006A59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?), ref: 006A59C8
                                    • Part of subcall function 006A59B2: GetLastError.KERNEL32(?,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?,?), ref: 006A59DA
                                  • _free.LIBCMT ref: 006A623A
                                  • _free.LIBCMT ref: 006A6245
                                  • _free.LIBCMT ref: 006A6250
                                  • _free.LIBCMT ref: 006A625B
                                  • _free.LIBCMT ref: 006A6266
                                  • _free.LIBCMT ref: 006A6271
                                  • _free.LIBCMT ref: 006A627C
                                  • _free.LIBCMT ref: 006A6287
                                  • _free.LIBCMT ref: 006A6295
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ;%u$x%u$xc%u
                                  APIs
                                    • Part of subcall function 006812E7: GetDlgItem.USER32(00000000,00003021), ref: 0068132B
                                    • Part of subcall function 006812E7: SetWindowTextW.USER32(00000000,006B02E4), ref: 00681341
                                  • EndDialog.USER32(?,00000001), ref: 006999AE
                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 006999DB
                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 006999F0
                                  • SetWindowTextW.USER32(?,?), ref: 00699A01
                                  • GetDlgItem.USER32(?,00000065), ref: 00699A0A
                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00699A1E
                                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00699A30
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: MessageSend$Item$TextWindow$Dialog
                                  • String ID: LICENSEDLG
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID: >,j$>,j$>,j
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00689282
                                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 006892A5
                                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 006892C4
                                    • Part of subcall function 00690B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0068AC99,?,?,?,0068AC48,?,-00000002,?,00000000,?), ref: 00690B16
                                  • _swprintf.LIBCMT ref: 00689360
                                    • Part of subcall function 00683F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00683F3E
                                  • MoveFileW.KERNEL32(?,?), ref: 006893D5
                                  • MoveFileW.KERNEL32(?,?), ref: 00689411
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                  • String ID: rtmp%d
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00698704,?), ref: 00697FB9
                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00697FDA
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00698001
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Global$AllocByteCharCreateMultiStreamWide
                                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                  APIs
                                  • GetTickCount.KERNEL32 ref: 00697DAE
                                  • GetTickCount.KERNEL32 ref: 00697DCC
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00697DE2
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00697DF6
                                  • TranslateMessage.USER32(?), ref: 00697E01
                                  • DispatchMessageW.USER32(?), ref: 00697E0C
                                  • ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00697EBC
                                  • SetWindowTextW.USER32(?,00000000), ref: 00697EC6
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
                                  • String ID:
                                  APIs
                                  • __aulldiv.LIBCMT ref: 0068FE21
                                    • Part of subcall function 0068A930: GetVersionExW.KERNEL32(?), ref: 0068A955
                                  • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0068FE4A
                                  • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 0068FE5C
                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0068FE69
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0068FE7F
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0068FE8B
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0068FEC1
                                  • __aullrem.LIBCMT ref: 0068FF4B
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                  • String ID:
                                  APIs
                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,006ACCE2,00000000,00000000,00000000,00000000,00000000,?), ref: 006AC5AF
                                  • __fassign.LIBCMT ref: 006AC62A
                                  • __fassign.LIBCMT ref: 006AC645
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 006AC66B
                                  • WriteFile.KERNEL32(?,00000000,00000000,006ACCE2,00000000,?,?,?,?,?,?,?,?,?,006ACCE2,00000000), ref: 006AC68A
                                  • WriteFile.KERNEL32(?,00000000,00000001,006ACCE2,00000000,?,?,?,?,?,?,?,?,?,006ACCE2,00000000), ref: 006AC6C3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  APIs
                                  • GetTempPathW.KERNEL32(00000800,?), ref: 0069B0EE
                                  • _swprintf.LIBCMT ref: 0069B122
                                    • Part of subcall function 00683F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00683F3E
                                  • SetDlgItemTextW.USER32(?,00000066,006C3122), ref: 0069B142
                                  • _wcschr.LIBVCRUNTIME ref: 0069B175
                                  • EndDialog.USER32(?,00000001), ref: 0069B256
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                  • String ID: %s%s%u
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _strlen$_swprintf_wcschr_wcsrchr
                                  • String ID: %08x
                                  APIs
                                  • ShowWindow.USER32(?,00000000), ref: 006985B4
                                  • GetWindowRect.USER32(?,?), ref: 006985D9
                                  • ShowWindow.USER32(?,00000005,?), ref: 00698670
                                  • SetWindowTextW.USER32(?,00000000), ref: 00698678
                                  • ShowWindow.USER32(00000000,00000005), ref: 0069868E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Window$Show$RectText
                                  • String ID: RarHtmlClassName
                                  • API String ID: 3937224194-1658105358
                                  • Opcode ID: 0b9a86737379ba0985e8786a8595b40457242dffb6f36444ae97d1f0f0d04e2c
                                  • Instruction ID: 3755baa76186566075471f476b86fc7bc5a8c3ece809c97c1a2524c33501dbf2
                                  • Opcode Fuzzy Hash: 0b9a86737379ba0985e8786a8595b40457242dffb6f36444ae97d1f0f0d04e2c
                                  • Instruction Fuzzy Hash: 6A318F72104310AFCB219FA4DD48F5BBFAEEF49701F044559FD59AA292DB30E940CBA2
                                  APIs
                                    • Part of subcall function 006A92C4: _free.LIBCMT ref: 006A92ED
                                  • _free.LIBCMT ref: 006A934E
                                    • Part of subcall function 006A59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?), ref: 006A59C8
                                    • Part of subcall function 006A59B2: GetLastError.KERNEL32(?,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?,?), ref: 006A59DA
                                  • _free.LIBCMT ref: 006A9359
                                  • _free.LIBCMT ref: 006A9364
                                  • _free.LIBCMT ref: 006A93B8
                                  • _free.LIBCMT ref: 006A93C3
                                  • _free.LIBCMT ref: 006A93CE
                                  • _free.LIBCMT ref: 006A93D9
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: f1ac33a155eeba0822e17f5f402666ce6a004e9925b6c7aeea596f78182db2dd
                                  • Instruction ID: c450a439c2ead3036be87d97d69a432bc1d7ee9a05cb81b36000bf6c6372a8aa
                                  • Opcode Fuzzy Hash: f1ac33a155eeba0822e17f5f402666ce6a004e9925b6c7aeea596f78182db2dd
                                  • Instruction Fuzzy Hash: 26116031551B04F6DA70F7B0CC47FCB779E9F02710F40481CB29A6A092D664FE444E64
                                  APIs
                                  • GetLastError.KERNEL32(?,?,006A0BAB,0069E602), ref: 006A0BC2
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006A0BD0
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006A0BE9
                                  • SetLastError.KERNEL32(00000000,?,006A0BAB,0069E602), ref: 006A0C3B
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: 98f5469ba3d838a4a4c9edb04cfdc25ea45a2297d0e211462955c37f418a5392
                                  • Instruction ID: 93d9e4ca7aaad7eb4e0b3550bfd1a52c801c1ff4a3eae7b935842283dd949c6f
                                  • Opcode Fuzzy Hash: 98f5469ba3d838a4a4c9edb04cfdc25ea45a2297d0e211462955c37f418a5392
                                  • Instruction Fuzzy Hash: C80124722292126EF7A036B8AC855A76A5BEF177B4B20032EF521452F1EF214C829915
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                  • API String ID: 0-1718035505
                                  • Opcode ID: d0d152108bd2683c4065d43b74c99ff8510c734da8b978ea138b6f212af83cb5
                                  • Instruction ID: f9a2c96d1cdfe12316a28ba8a2bd8529c1c74e659a1d5d0a4d5b077ae695c723
                                  • Opcode Fuzzy Hash: d0d152108bd2683c4065d43b74c99ff8510c734da8b978ea138b6f212af83cb5
                                  • Instruction Fuzzy Hash: 3F01F9B1F62221A7DF205EB55DA46E72F8F5A037B1311213AD511D7B50D710C882A7A0
                                  APIs
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0069009C
                                    • Part of subcall function 0068A930: GetVersionExW.KERNEL32(?), ref: 0068A955
                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006900BE
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 006900D8
                                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 006900E9
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 006900F9
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00690105
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Time$File$System$Local$SpecificVersion
                                  • String ID:
                                  • API String ID: 2092733347-0
                                  • Opcode ID: 98e4c11ad9c91514a954836c593d6a2ac104c3b0b50bdbed985a35950162d68d
                                  • Instruction ID: 2788d55c7f4f016438b230f0f1a2d505768a75c384564f9e4d3431479a983161
                                  • Opcode Fuzzy Hash: 98e4c11ad9c91514a954836c593d6a2ac104c3b0b50bdbed985a35950162d68d
                                  • Instruction Fuzzy Hash: EC31C47A1083459ED704DFA9C88099BB7EDFF98704F045A1EF999C3210E634D549CB6A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID:
                                  • API String ID: 2931989736-0
                                  • Opcode ID: eab70ede157d4bf01fffb96af972d756eff0b5afc0d1c801b369e5343bd2d814
                                  • Instruction ID: 98b9229f4d4184183b8101af359a160b181847aaf55f02676187a6570af7d73c
                                  • Opcode Fuzzy Hash: eab70ede157d4bf01fffb96af972d756eff0b5afc0d1c801b369e5343bd2d814
                                  • Instruction Fuzzy Hash: AB21C5B160050ABFDF04AB50DC82EBB77AEAF52758B10812DFC059BA06EB31DE4597D4
                                  APIs
                                  • GetLastError.KERNEL32(?,006BCBE8,006A2664,006BCBE8,?,?,006A2203,?,?,006BCBE8), ref: 006A6312
                                  • _free.LIBCMT ref: 006A6345
                                  • _free.LIBCMT ref: 006A636D
                                  • SetLastError.KERNEL32(00000000,?,006BCBE8), ref: 006A637A
                                  • SetLastError.KERNEL32(00000000,?,006BCBE8), ref: 006A6386
                                  • _abort.LIBCMT ref: 006A638C
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: 36c1c65a81556624bc8b4ee89c8c6e90f2004f2ef6ae7ba695475465fa7c90f5
                                  • Instruction ID: b039ea4500fd849e64838c776b7c3af47add1d41390b7a18c7963349c442d480
                                  • Opcode Fuzzy Hash: 36c1c65a81556624bc8b4ee89c8c6e90f2004f2ef6ae7ba695475465fa7c90f5
                                  • Instruction Fuzzy Hash: 5BF0F47520990066DB517B64AC0AB9B26278BC3731B29131DF525D23A1FF618C434959
                                  APIs
                                  • CharUpperW.USER32(?,?,?,?,00001000), ref: 0069A92B
                                  • CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0069A952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CharUpper
                                  • String ID: *al$-
                                  • API String ID: 9403516-993255241
                                  • Opcode ID: 90e63b6ce339952680c31a83849bf32919ce498741fb24a10c4fbde0cd53e439
                                  • Instruction ID: fd380ad915fc13102272fc1fe103043b186fdc4e46b0cc36e57598db1348211a
                                  • Opcode Fuzzy Hash: 90e63b6ce339952680c31a83849bf32919ce498741fb24a10c4fbde0cd53e439
                                  • Instruction Fuzzy Hash: 5F21B17241430599DF21AAED880CBB6B6EFBB95310F06491FF595C2E41DA74C888E3E7
                                  APIs
                                    • Part of subcall function 006812E7: GetDlgItem.USER32(00000000,00003021), ref: 0068132B
                                    • Part of subcall function 006812E7: SetWindowTextW.USER32(00000000,006B02E4), ref: 00681341
                                  • EndDialog.USER32(?,00000001), ref: 0069B86A
                                  • GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0069B880
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0069B89A
                                  • SetDlgItemTextW.USER32(?,00000066), ref: 0069B8A5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: RENAMEDLG
                                  • API String ID: 445417207-3299779563
                                  • Opcode ID: 26aee160384298328c76e56197190048235825cb16369b44a5ef897c48dee21c
                                  • Instruction ID: f5657905244873092e5633d906e6699842b859a4002960c1ff9d8e5abd6512c4
                                  • Opcode Fuzzy Hash: 26aee160384298328c76e56197190048235825cb16369b44a5ef897c48dee21c
                                  • Instruction Fuzzy Hash: 98014532A40204BAD6114EA9BF48F773B6EA78AB51F001416F240B79D0C3A698019B72
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006A4A30,?,?,006A49D0,?,006B7F60,0000000C,006A4B27,?,00000002), ref: 006A4A9F
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006A4AB2
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,006A4A30,?,?,006A49D0,?,006B7F60,0000000C,006A4B27,?,00000002,00000000), ref: 006A4AD5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 82130617e5a62608c3a4bc7cacd50497c382d351468c94b840a4949862261ffb
                                  • Instruction ID: fd875797cbd32e330260bf693923a3e150e44534f06d373a606386fbfc81ce67
                                  • Opcode Fuzzy Hash: 82130617e5a62608c3a4bc7cacd50497c382d351468c94b840a4949862261ffb
                                  • Instruction Fuzzy Hash: 0BF0AF71A40209BBDB05AFD4DC19BDEBFFAEF44711F044268F905A6250DB709E80CB94
                                  APIs
                                    • Part of subcall function 0068F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0068F376
                                    • Part of subcall function 0068F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0068DF18,Crypt32.dll,?,0068DF9C,?,0068DF7E,?,?,?,?), ref: 0068F398
                                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0068DF24
                                  • GetProcAddress.KERNEL32(006C1E58,CryptUnprotectMemory), ref: 0068DF34
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                  • API String ID: 2141747552-1753850145
                                  • Opcode ID: 03abd9ee1d1d9fd118c20347e29b848ec20e9e691638efc2eb7ac3d9e76c29af
                                  • Instruction ID: 0231a5402eb3f9ba441449ad90056173f0b1122040a6881ce989e13ac1339311
                                  • Opcode Fuzzy Hash: 03abd9ee1d1d9fd118c20347e29b848ec20e9e691638efc2eb7ac3d9e76c29af
                                  • Instruction Fuzzy Hash: 68E04FF0518742AEEB406B349809B86FF967B94710F058255F119C2281E7B4D0E49B50
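Every record in this section has the same shape: an APIs list (with "Part of subcall function" entries for callees), the primary memory-dump source plus its associated dumps, the IDA plugin snapshot, and the Similarity block (API ID, String ID, Opcode ID, fuzzy hashes). The record above is also the one worth a second look when triaging: the subcall resolves the system directory before LoadLibraryW, which is the usual full-path load of a system DLL, and the two GetProcAddress calls resolve CryptProtectMemory and CryptUnprotectMemory from Crypt32.dll, the DPAPI in-memory protection pair. The parser below is an added example written for this page; it is not Joe Sandbox code. It assumes the .sdmp file name is laid out as process.dump.timestamp.base.protect.field6.field7.module (inferred from the names on this page; fields 6 and 7 are kept raw because their meaning is not stated here), decodes the protect field with the winnt.h PAGE_* constants, and tolerates the "Download File" link text the HTML export glues onto the Associated entries. The sample record is copied from the block above with the Associated list shortened to two entries.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records (added example; not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# winnt.h page-protection constants; the dump name's protect field carries one in its low byte.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

# ASSUMED layout of an .sdmp name, inferred from the names on this page:
# proc.dump.timestamp.base.protect.f6.f7.module.sdmp  (f6/f7 kept raw: meaning not stated here)
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<dump>[0-9A-F]{8})\.(?P<ts>\d+)\.(?P<base>[0-9A-F]{16})"
                     r"\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.(?P<f7>[0-9A-F]{8})"
                     r"\.(?P<module>[0-9A-F]{8})\.sdmp$", re.I)
# One API bullet: optional "Part of subcall function X: ", then Name.MODULE(args), ref: ADDR
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<name>\w+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
HEXISH = re.compile(r"^(?:\?|[0-9A-F]{8})$", re.I)   # stack slots that are addresses, not names
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_TEXT = "Download File"   # link label the HTML export leaves glued to Associated names


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # dicts with keys sub, name, mod, args, ref
    source: dict = field(default_factory=dict)      # name, dump, offset, based_on_pe
    associated: list = field(default_factory=list)  # [{name, dump}]
    snapshot: str = ""
    similarity: dict = field(default_factory=dict)  # API ID, String ID, Opcode ID, ...
    unparsed: list = field(default_factory=list)    # anything that did not fit the layout


def parse_sdmp(name):
    """Decode a dump file name into fields; None if it does not fit the assumed layout."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    d = m.groupdict()
    prot = int(d["protect"], 16)
    return {"proc": int(d["proc"], 16), "dump": int(d["dump"], 16), "timestamp": int(d["ts"]),
            "base": int(d["base"], 16), "protect": prot,
            "protect_name": PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:X}"),
            "f6": d["f6"], "f7": d["f7"], "module": int(d["module"], 16)}


def parse_record(text):
    """Parse one function record (from its 'APIs' header to the last Similarity bullet)."""
    rec, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            rec.unparsed.append(line)
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                rec.apis.append(m.groupdict())
            else:
                rec.unparsed.append(body)
            continue
        key, _, val = (s.strip() for s in body.partition(":"))
        if key == "Source File":          # "name, Offset: 00680000, based on PE: true"
            name, *extra = (p.strip() for p in val.split(","))
            rec.source = {"name": name, "dump": parse_sdmp(name)}
            for item in extra:
                k, _, v = item.partition(":")
                rec.source[k.strip().lower().replace(" ", "_")] = v.strip()
        elif key == "Associated":
            name = val[:-len(LINK_TEXT)].strip() if val.endswith(LINK_TEXT) else val
            rec.associated.append({"name": name, "dump": parse_sdmp(name)})
        elif key == "Snapshot File":
            rec.snapshot = val
        else:
            rec.similarity[key] = val
    return rec


def getprocaddress_targets(rec):
    """Export names the function resolves at run time. Joe prints stack slots as the argument
    list, so the name is the second slot of each GetProcAddress call; hex or '?' slots are skipped."""
    names = []
    for api in rec.apis:
        if api["name"] == "GetProcAddress" and api["args"]:
            slots = api["args"].split(",")
            if len(slots) > 1 and not HEXISH.match(slots[1]):
                names.append(slots[1])
    return names


# Copied from the record above (Associated list shortened to two entries).
SAMPLE_RECORD = """\
APIs
  • Part of subcall function 0068F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0068F376
  • Part of subcall function 0068F35B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0068DF18,Crypt32.dll,?,0068DF9C,?,0068DF7E,?,?,?,?), ref: 0068F398
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0068DF24
• GetProcAddress.KERNEL32(006C1E58,CryptUnprotectMemory), ref: 0068DF34
Strings
Memory Dump Source
• Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
• Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• API String ID: 2141747552-1753850145
• Opcode ID: 03abd9ee1d1d9fd118c20347e29b848ec20e9e691638efc2eb7ac3d9e76c29af
"""

if __name__ == "__main__":
    r = parse_record(SAMPLE_RECORD)
    print(r.source["dump"]["protect_name"], hex(r.source["dump"]["base"]), r.similarity["API ID"])
    print("resolved at run time:", getprocaddress_targets(r))
```

Run over a whole page, split the text at lines that consist only of "APIs" and feed each chunk to parse_record; the Opcode ID then serves as a stable key for de-duplicating functions that the report lists more than once, and getprocaddress_targets gives the run-time-resolved imports without reading every stack dump by hand.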
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 695caba297515b49a3e4c37681c3bbada51fa49ba84ee1ffb47e2380c34583d4
                                  • Instruction ID: bb83b718ed99acf20ee9b649a90745ff9f2c03a9e2311a4d8540cd91b5f32b8d
                                  • Opcode Fuzzy Hash: 695caba297515b49a3e4c37681c3bbada51fa49ba84ee1ffb47e2380c34583d4
                                  • Instruction Fuzzy Hash: FD419572A006009FCF14EF79C881A9EB7B6EF8A314F1545A9E516EB351E671AD01CF80
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 006A89A9
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006A89CC
                                    • Part of subcall function 006A59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,006A239A,?,0000015D,?,?,?,?,006A2F19,000000FF,00000000,?,?), ref: 006A5A1E
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006A89F2
                                  • _free.LIBCMT ref: 006A8A05
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006A8A14
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  • Opcode ID: 4873ef04d4acc69e0ac4c5323f8db4a296c1d7c8f05dd0b7f42737978826f179
                                  • Instruction ID: 44f82cd514f0a7a91ada44533048447dfc36cdddec32bcdfe3b64031772786e6
                                  • Opcode Fuzzy Hash: 4873ef04d4acc69e0ac4c5323f8db4a296c1d7c8f05dd0b7f42737978826f179
                                  • Instruction Fuzzy Hash: 4B0184B26026557F272176BA6C4DCBB6D7FEFC7FA1315022AFA05D7201EE608C0189B1
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,006A5E33,006A5ACF,?,006A633C,00000001,00000364,?,006A2203,?,?,006BCBE8), ref: 006A6397
                                  • _free.LIBCMT ref: 006A63CC
                                  • _free.LIBCMT ref: 006A63F3
                                  • SetLastError.KERNEL32(00000000,?,006BCBE8), ref: 006A6400
                                  • SetLastError.KERNEL32(00000000,?,006BCBE8), ref: 006A6409
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  APIs
                                  • _free.LIBCMT ref: 006A9273
                                    • Part of subcall function 006A59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?), ref: 006A59C8
                                    • Part of subcall function 006A59B2: GetLastError.KERNEL32(?,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?,?), ref: 006A59DA
                                  • _free.LIBCMT ref: 006A9285
                                  • _free.LIBCMT ref: 006A9297
                                  • _free.LIBCMT ref: 006A92A9
                                  • _free.LIBCMT ref: 006A92BB
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  APIs
                                  • _free.LIBCMT ref: 006A5531
                                    • Part of subcall function 006A59B2: RtlFreeHeap.NTDLL(00000000,00000000,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?), ref: 006A59C8
                                    • Part of subcall function 006A59B2: GetLastError.KERNEL32(?,?,006A92F2,?,00000000,?,00000000,?,006A9319,?,00000007,?,?,006A9716,?,?), ref: 006A59DA
                                  • _free.LIBCMT ref: 006A5543
                                  • _free.LIBCMT ref: 006A5556
                                  • _free.LIBCMT ref: 006A5567
                                  • _free.LIBCMT ref: 006A5578
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\dfbzdfb.exe,00000104), ref: 006A4BBA
                                  • _free.LIBCMT ref: 006A4C85
                                  • _free.LIBCMT ref: 006A4C8F
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Users\user\AppData\Local\Temp\dfbzdfb.exe
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00687468
                                    • Part of subcall function 00683A90: __EH_prolog.LIBCMT ref: 00683A95
                                  • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000), ref: 0068752E
                                    • Part of subcall function 00687A9D: GetCurrentProcess.KERNEL32(00000020,?), ref: 00687AAC
                                    • Part of subcall function 00687A9D: GetLastError.KERNEL32 ref: 00687AF2
                                    • Part of subcall function 00687A9D: CloseHandle.KERNEL32(?), ref: 00687B01
                                  Similarity
                                  • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                  APIs
                                    • Part of subcall function 006812E7: GetDlgItem.USER32(00000000,00003021), ref: 0068132B
                                    • Part of subcall function 006812E7: SetWindowTextW.USER32(00000000,006B02E4), ref: 00681341
                                  • EndDialog.USER32(?,00000001), ref: 006991AA
                                  • GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 006991BF
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 006991D4
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: ASKNEXTVOL
                                  APIs
                                  • DialogBoxParamW.USER32(GETPASSWORD1,?,00699645,?,?), ref: 0069C021
                                  Similarity
                                  • API ID: DialogParam
                                  • String ID: *al$*al$GETPASSWORD1
                                  APIs
                                    • Part of subcall function 006812E7: GetDlgItem.USER32(00000000,00003021), ref: 0068132B
                                    • Part of subcall function 006812E7: SetWindowTextW.USER32(00000000,006B02E4), ref: 00681341
                                  • EndDialog.USER32(?,00000001), ref: 00699693
                                  • GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 006996AB
                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 006996D9
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: GETPASSWORD1
                                  APIs
                                  • _swprintf.LIBCMT ref: 0068B177
                                    • Part of subcall function 00683F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00683F3E
                                  • _wcschr.LIBVCRUNTIME ref: 0068B195
                                  • _wcschr.LIBVCRUNTIME ref: 0068B1A5
                                  Similarity
                                  • API ID: _wcschr$__vswprintf_c_l_swprintf
                                  • String ID: %c:\
                                  APIs
                                  • InitializeCriticalSection.KERNEL32(000001A0,00000000,006C1E74,?,?,0068FB9D,00000020,?,0068A812,?,0068C79B,?,00000000,?,00000001,?), ref: 0068F9BB
                                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0068A812,?,0068C79B,?,00000000,?,00000001,?,?,?,00693AFE), ref: 0068F9C5
                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0068A812,?,0068C79B,?,00000000,?,00000001,?,?,?,00693AFE), ref: 0068F9D5
                                  Strings
                                  • Thread pool initialization failed., xrefs: 0068F9ED
                                  Similarity
                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                  • String ID: Thread pool initialization failed.
                                  Similarity
                                  • API ID:
                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0068CEA7
                                  • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0068CEB6
                                  Similarity
                                  • API ID: FindHandleModuleResource
                                  • String ID: LTR$RTL
                                  APIs
                                  • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0069BE1F
                                  • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0069BE5B
                                  Similarity
                                  • API ID: EnvironmentVariable
                                  • String ID: sfxcmd$sfxpar
                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00687F55,?,?,?), ref: 0068A020
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00687F55,?,?), ref: 0068A064
                                  • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00687F55,?,?,?,?,?,?,?,?), ref: 0068A0E5
                                  • CloseHandle.KERNEL32(?,?,00000000,?,00687F55,?,?,?,?,?,?,?,?,?,?,?), ref: 0068A0EC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$Create$CloseHandleTime
                                  • String ID:
                                  • API String ID: 2287278272-0
                                  • Opcode ID: b79b607810ad17df86e8c4b3f6b8da856b5c8ebe46fb43cf169b9c8fc9f6ec03
                                  • Instruction ID: 0c7b2347eba9a9a8604531038a4bd9af148014c762f123ea794fbc375325252b
                                  • Opcode Fuzzy Hash: b79b607810ad17df86e8c4b3f6b8da856b5c8ebe46fb43cf169b9c8fc9f6ec03
                                  • Instruction Fuzzy Hash: 6641D0312483805AE731EF64DC45BEFBBEAAB85704F080A1DF9D1D3281C664DA48CB63
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,F5E85006,006A2784,00000000,00000000,006A2FB2,?,006A2FB2,?,00000001,006A2784,F5E85006,00000001,006A2FB2,006A2FB2), ref: 006A9431
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006A94BA
                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006A94CC
                                  • __freea.LIBCMT ref: 006A94D5
                                    • Part of subcall function 006A59EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,006A239A,?,0000015D,?,?,?,?,006A2F19,000000FF,00000000,?,?), ref: 006A5A1E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                  • String ID:
                                  • API String ID: 2652629310-0
                                  • Opcode ID: d07182c03b8d183a6b3fe830423fbdb1621b2486f4fd068eaf715d34be68c194
                                  • Instruction ID: 063b9c6522abcc9dda50c00c33c87814dc02893ceb2ba15bea30917588af875b
                                  • Opcode Fuzzy Hash: d07182c03b8d183a6b3fe830423fbdb1621b2486f4fd068eaf715d34be68c194
                                  • Instruction Fuzzy Hash: 6F31BF72A0020AABDF25EF68CC41DEE7BE6EB05310F144268FC049B291E735CD51CBA0
                                  APIs
                                  • LoadBitmapW.USER32(00000065), ref: 00699A85
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00699AA6
                                  • DeleteObject.GDI32(00000000), ref: 00699ACE
                                  • DeleteObject.GDI32(00000000), ref: 00699AED
                                    • Part of subcall function 00698BCF: FindResourceW.KERNEL32(00000066,PNG,?,?,00699AC7,00000066), ref: 00698BE0
                                    • Part of subcall function 00698BCF: SizeofResource.KERNEL32(00000000,75755780,?,?,00699AC7,00000066), ref: 00698BF8
                                    • Part of subcall function 00698BCF: LoadResource.KERNEL32(00000000,?,?,00699AC7,00000066), ref: 00698C0B
                                    • Part of subcall function 00698BCF: LockResource.KERNEL32(00000000,?,?,00699AC7,00000066), ref: 00698C16
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                  • String ID:
                                  • API String ID: 142272564-0
                                  • Opcode ID: a6d12ddec81cbefbb322a0b3a30341bfcff89f3212b5042ead3937ffc742a3b9
                                  • Instruction ID: e5d3f62c440d8957f078b2120deccf17beff237949f0850c65ac26f3c38a0e16
                                  • Opcode Fuzzy Hash: a6d12ddec81cbefbb322a0b3a30341bfcff89f3212b5042ead3937ffc742a3b9
                                  • Instruction Fuzzy Hash: 0601F2735402152BCF1177B88D42EBE766FEF86B61F490119BE00A7B91DE618C1192B5
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 006A0FED
                                    • Part of subcall function 006A1625: ___AdjustPointer.LIBCMT ref: 006A166F
                                  • _UnwindNestedFrames.LIBCMT ref: 006A1004
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 006A1016
                                  • CallCatchBlock.LIBVCRUNTIME ref: 006A103A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • String ID:
                                  • API String ID: 2633735394-0
                                  • Opcode ID: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
                                  • Instruction ID: 64f875ce58b31c0d81b3090319ff875d13778306d129dbcd318f8b35f9ec2305
                                  • Opcode Fuzzy Hash: b9fa4c2ca776b65944230fb083eb0fa8b0de912ee33a1d220a96a688825d65b2
                                  • Instruction Fuzzy Hash: 8E012932400149BBCF22AF55CC01EDA3FBBEF5A754F044018FA1865121C776E8A1EFA4
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0068FB59
                                  • EnterCriticalSection.KERNEL32(006C1E74,?,?,0068A812,?,0068C79B,?,00000000,?,00000001,?,?,?,00693AFE,?,00008000), ref: 0068FB66
                                  • new.LIBCMT ref: 0068FB82
                                    • Part of subcall function 0068F982: InitializeCriticalSection.KERNEL32(000001A0,00000000,006C1E74,?,?,0068FB9D,00000020,?,0068A812,?,0068C79B,?,00000000,?,00000001,?), ref: 0068F9BB
                                    • Part of subcall function 0068F982: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0068A812,?,0068C79B,?,00000000,?,00000001,?,?,?,00693AFE), ref: 0068F9C5
                                    • Part of subcall function 0068F982: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0068A812,?,0068C79B,?,00000000,?,00000001,?,?,?,00693AFE), ref: 0068F9D5
                                  • LeaveCriticalSection.KERNEL32(006C1E74,?,0068A812,?,0068C79B,?,00000000,?,00000001,?,?,?,00693AFE,?,00008000,?), ref: 0068FBA3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Create$EnterEventH_prologInitializeLeaveSemaphore
                                  • String ID:
                                  • API String ID: 3780591329-0
                                  • Opcode ID: 759cec63988e0fa714172c39bad7be99bfebfc31d79d311efb149ce312a15ee8
                                  • Instruction ID: 5024ee669b88f4415ee344f2ef043f2d204d5b50a32d9d39739942a7d02262f1
                                  • Opcode Fuzzy Hash: 759cec63988e0fa714172c39bad7be99bfebfc31d79d311efb149ce312a15ee8
                                  • Instruction Fuzzy Hash: 8BF06274A012119BDB44AF68D811FB97AABEB4F310B00513EE809D7351DB7188008B54
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 006A0B06
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 006A0B0B
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 006A0B10
                                    • Part of subcall function 006A1BDE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 006A1BEF
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 006A0B25
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • String ID:
                                  • API String ID: 1761009282-0
                                  • Opcode ID: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
                                  • Instruction ID: 9c1ff915f632d7a502aa7074dffcd1eeb0b94f1b8c190eea58764340ea03c86e
                                  • Opcode Fuzzy Hash: 531e6f4e0a03c94a47563f5691ee99a7aac98bf87a5ed1e2fb88b7d1485fc598
                                  • Instruction Fuzzy Hash: FAC048146442E5A83CE43BB123021EE13832CA3BDCF8415C9A8521F207AA5B0C4B6C3F
                                  APIs
                                    • Part of subcall function 00698BA4: GetDC.USER32(00000000), ref: 00698BA8
                                    • Part of subcall function 00698BA4: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00698BB3
                                    • Part of subcall function 00698BA4: ReleaseDC.USER32(00000000,00000000), ref: 00698BBE
                                  • GetObjectW.GDI32(?,00000018,?), ref: 00698D23
                                    • Part of subcall function 00698EE9: GetDC.USER32(00000000), ref: 00698EF2
                                    • Part of subcall function 00698EE9: GetObjectW.GDI32(?,00000018,?), ref: 00698F21
                                    • Part of subcall function 00698EE9: ReleaseDC.USER32(00000000,?), ref: 00698FB5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ObjectRelease$CapsDevice
                                  • String ID: (
                                  • API String ID: 1061551593-3887548279
                                  • Opcode ID: 3edcba738cbe607a10c937c663b5fd3a31d53bec4c41984bde55c15e14668cd1
                                  • Instruction ID: 798dd09d3be336f4d1b35b68c4edca97984a49a9a49b44ba1fea4dc7010f2eb3
                                  • Opcode Fuzzy Hash: 3edcba738cbe607a10c937c663b5fd3a31d53bec4c41984bde55c15e14668cd1
                                  • Instruction Fuzzy Hash: F66113B1208214AFD714DF64C884E6BBBEEEF89704F10491DF599CB261DA31E809CB62
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: _swprintf
                                  • String ID: %ls$%s: %s
                                  • API String ID: 589789837-2259941744
                                  • Opcode ID: 1db946ca8020cec219ebe21a0f45b774bae837ef5cd635a2ee38cbf88c5a9047
                                  • Instruction ID: 5a02da8ef017320e40117366e10649974e0f551ab822af4e1bf524d81095889b
                                  • Opcode Fuzzy Hash: 1db946ca8020cec219ebe21a0f45b774bae837ef5cd635a2ee38cbf88c5a9047
                                  • Instruction Fuzzy Hash: 6451C835288300FEFF612B948D4EF35765FAB09F00F60850AF78A65CE5C5A2A651B71A
                                  APIs
                                  • _free.LIBCMT ref: 006A7D45
                                    • Part of subcall function 006A5D1D: IsProcessorFeaturePresent.KERNEL32(00000017,006A5D0C,0000002C,006B80C8,006A8D62,00000000,00000000,006A6391,?,?,006A5D19,00000000,00000000,00000000,00000000,00000000), ref: 006A5D1F
                                    • Part of subcall function 006A5D1D: GetCurrentProcess.KERNEL32(C0000417,006B80C8,0000002C,006A5A4A,00000016,006A6391), ref: 006A5D41
                                    • Part of subcall function 006A5D1D: TerminateProcess.KERNEL32(00000000), ref: 006A5D48
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                  • String ID: *?$.
                                  • API String ID: 2667617558-3972193922
                                  • Opcode ID: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
                                  • Instruction ID: 60eec163041c4ae5b4f520574c57ade8e00c7cd6d0e80773ae2d1c6bde12104a
                                  • Opcode Fuzzy Hash: 7b97f05bead931982e7a23c9cf534e270e960d3348eeadaf4e8a2cba3451af48
                                  • Instruction Fuzzy Hash: 27519E71E0420AAFDF14EFA8CC81AEDBBB6EF59314F24416AE855E7301E6719E018F54
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0068761E
                                  • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00687799
                                    • Part of subcall function 0068A113: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00689F49,?,?,?,00689DE2,?,00000001,00000000,?,?), ref: 0068A127
                                    • Part of subcall function 0068A113: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00689F49,?,?,?,00689DE2,?,00000001,00000000,?,?), ref: 0068A158
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: File$Attributes$H_prologTime
                                  • String ID: :
                                  • API String ID: 1861295151-336475711
                                  • Opcode ID: 221673ed35cc672e9ec497e8ad67013492077bf2b70ade75e4d6521a1ca8f377
                                  • Instruction ID: 30477b9cc32a3285b104db60c3bae63152b065ea3dae383d4e0486d419bf1d2e
                                  • Opcode Fuzzy Hash: 221673ed35cc672e9ec497e8ad67013492077bf2b70ade75e4d6521a1ca8f377
                                  • Instruction Fuzzy Hash: 4B41E171804218AAEB64FB60CC59EEF777EEF44340F1402ADB645A2142DB749F85CFA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: UNC$\\?\
                                  • API String ID: 0-253988292
                                  • Opcode ID: 7ae7c64971909728c5fdcb8f66dd05cc297ff3fe19986a2488d47833623453fd
                                  • Instruction ID: 272d7eed5dca05cbe65d0b4f874fa681737d159ac28487ec1e10da625ec3d9b3
                                  • Opcode Fuzzy Hash: 7ae7c64971909728c5fdcb8f66dd05cc297ff3fe19986a2488d47833623453fd
                                  • Instruction Fuzzy Hash: 2841D132400219AACF71BF20CC06EEF77ABEF05390F50572AF854A3146E7709A959BA5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Shell.Explorer$about:blank
                                  • API String ID: 0-874089819
                                  • Opcode ID: 858476214d615ff745807f7da528c861c74a2bcf41cac9b6f04b06c5c4cc9b6d
                                  • Instruction ID: 9551c7ca371146dea54f4542daeb0dfe0393cc75604ebc2f49885020626b4789
                                  • Opcode Fuzzy Hash: 858476214d615ff745807f7da528c861c74a2bcf41cac9b6f04b06c5c4cc9b6d
                                  • Instruction Fuzzy Hash: 49216F75200706AFDF049B65C8A0E7AB76EBF86710B15852DF5058BA82CF71EC45CBA1
                                  APIs
                                    • Part of subcall function 0068DF05: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0068DF24
                                    • Part of subcall function 0068DF05: GetProcAddress.KERNEL32(006C1E58,CryptUnprotectMemory), ref: 0068DF34
                                  • GetCurrentProcessId.KERNEL32(?,?,?,0068DF7E), ref: 0068E007
                                  Strings
                                  • CryptUnprotectMemory failed, xrefs: 0068DFFF
                                  • CryptProtectMemory failed, xrefs: 0068DFC7
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: AddressProc$CurrentProcess
                                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                  • API String ID: 2190909847-396321323
                                  • Opcode ID: d462943a41914a768ca19769ab06b0fafe1c97485938137ab054d3f2f7ff7a53
                                  • Instruction ID: 0a1ab18607118a7928e848ae45c2dc27b4207611b1e1ab81fa0243951ea5ad92
                                  • Opcode Fuzzy Hash: d462943a41914a768ca19769ab06b0fafe1c97485938137ab054d3f2f7ff7a53
                                  • Instruction Fuzzy Hash: 1F115B707042156BEB21BB28DC00EBB379BDF8E750B044619F901DB292EBA1DD5143A0
                                  APIs
                                    • Part of subcall function 0068CF27: GetWindowRect.USER32(?,?), ref: 0068CF5E
                                    • Part of subcall function 0068CF27: GetClientRect.USER32(?,?), ref: 0068CF6A
                                    • Part of subcall function 0068CF27: GetWindowLongW.USER32(?,000000F0), ref: 0068D00B
                                    • Part of subcall function 0068CF27: GetWindowRect.USER32(?,?), ref: 0068D038
                                    • Part of subcall function 0068CF27: GetWindowTextW.USER32(?,?,00000400), ref: 0068D057
                                  • GetDlgItem.USER32(00000000,00003021), ref: 0068132B
                                  • SetWindowTextW.USER32(00000000,006B02E4), ref: 00681341
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: Window$Rect$Text$ClientItemLong
                                  • String ID: 0
                                  • API String ID: 660763476-4108050209
                                  • Opcode ID: c69fe77da072e81a09f10a2f9cd8098c1e34f45825fe3f4e824a6b135e4f1e91
                                  • Instruction ID: e693a451ff0ae247f334271b375d3c84876a8bea5c123237a7a995941e058772
                                  • Opcode Fuzzy Hash: c69fe77da072e81a09f10a2f9cd8098c1e34f45825fe3f4e824a6b135e4f1e91
                                  • Instruction Fuzzy Hash: 23F0C8F0540248ABDF252F60DC09AE93F9F9F06754F084214FE4458591C774C6D2DB14
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,0068FCF9,?,?,0068FD6E,?,?,?,?,?,0068FD58), ref: 0068FB1F
                                  • GetLastError.KERNEL32(?,?,0068FD6E,?,?,?,?,?,0068FD58), ref: 0068FB2B
                                    • Part of subcall function 00686D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00686DAD
                                  Strings
                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 0068FB34
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1470295606.0000000000681000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00680000, based on PE: true
                                  • Associated: 00000005.00000002.1469827294.0000000000680000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470339572.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006BE000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470365086.00000000006DA000.00000004.00000001.01000000.0000000A.sdmp
                                  • Associated: 00000005.00000002.1470457648.00000000006DC000.00000002.00000001.01000000.0000000A.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_680000_dfbzdfb.jbxd
                                  Similarity
                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                  • API String ID: 1091760877-2248577382
                                  • Opcode ID: d8415f0efa1362a8ee99424ce77a4e12c1eac193ffe7251b0cc8a3e527b3747f
                                  • Instruction ID: abd6429333da1976045f5cf69003d7daf6fda7e2403b3fb8b3d407d44edd27d8
                                  • Opcode Fuzzy Hash: d8415f0efa1362a8ee99424ce77a4e12c1eac193ffe7251b0cc8a3e527b3747f
                                  • Instruction Fuzzy Hash: DDD05EB1A4C43167EA413B28DC1AEFF3E0BAF52771F241B58F539A52F1DA2049C247A5

                                  Execution Graph

                                  Execution Coverage:11.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:1528
                                  Total number of Limit Nodes:33
22241->22370 22246 979d86 22242->22246 22247 97a21c 22243->22247 22244->22221 22245 97a311 22250 97a341 22245->22250 22254 96d192 54 API calls 22245->22254 22251 963f2b _swprintf 51 API calls 22246->22251 22252 96d192 54 API calls 22247->22252 22249 97aa44 91 API calls 22249->22245 22255 97aa44 91 API calls 22250->22255 22266 97a3f9 22250->22266 22251->22232 22252->22256 22260 97a324 SetDlgItemTextW 22254->22260 22261 97a35c 22255->22261 22257 97a4a9 22262 97a4b2 EnableWindow 22257->22262 22263 97a4bb 22257->22263 22258 979de5 22376 979022 SetCurrentDirectoryW 22258->22376 22259 979dde GetLastError 22259->22258 22265 96d192 54 API calls 22260->22265 22270 97a36e 22261->22270 22287 97a393 22261->22287 22262->22263 22267 97a4d8 22263->22267 22485 9612a4 GetDlgItem EnableWindow 22263->22485 22269 97a338 SetDlgItemTextW 22265->22269 22266->22257 22284 97a487 22266->22284 22298 96d192 54 API calls 22266->22298 22275 97a4ff 22267->22275 22279 97a4f7 SendMessageW 22267->22279 22268 979dfb 22273 979e0e 22268->22273 22274 979e04 GetLastError 22268->22274 22269->22250 22483 97859b 6 API calls 22270->22483 22271 97a3ec 22276 97aa44 91 API calls 22271->22276 22282 979e26 GetTickCount 22273->22282 22283 979e99 22273->22283 22328 979e89 22273->22328 22274->22273 22275->22256 22280 96d192 54 API calls 22275->22280 22276->22266 22278 97a4ce 22486 9612a4 GetDlgItem EnableWindow 22278->22486 22279->22275 22285 97a518 SetDlgItemTextW 22280->22285 22291 963f2b _swprintf 51 API calls 22282->22291 22289 979eb1 GetModuleFileNameW 22283->22289 22290 97a06d 22283->22290 22484 97859b 6 API calls 22284->22484 22285->22256 22286 97a387 22286->22287 22287->22271 22299 97aa44 91 API calls 22287->22299 22288 97a0d2 22392 9612c2 GetDlgItem ShowWindow 22288->22392 22471 96decc 22289->22471 22290->22207 22303 96d192 54 API calls 22290->22303 22296 979e43 22291->22296 22294 97a0e2 22393 9612c2 GetDlgItem ShowWindow 22294->22393 22377 969541 22296->22377 22297 97a4a6 22297->22257 22298->22266 22300 
97a3c1 22299->22300 22300->22271 22304 97a3ca DialogBoxParamW 22300->22304 22307 97a081 22303->22307 22304->22207 22304->22271 22305 97a0ec 22308 96d192 54 API calls 22305->22308 22306 963f2b _swprintf 51 API calls 22309 979efd CreateFileMappingW 22306->22309 22310 963f2b _swprintf 51 API calls 22307->22310 22312 97a0f6 SetDlgItemTextW 22308->22312 22313 979f5f GetCommandLineW 22309->22313 22344 979fdc __vswprintf_c_l 22309->22344 22314 97a09f 22310->22314 22394 9612c2 GetDlgItem ShowWindow 22312->22394 22318 979f70 22313->22318 22327 96d192 54 API calls 22314->22327 22315 979e69 22319 979e70 GetLastError 22315->22319 22320 979e77 22315->22320 22316 979fe7 ShellExecuteExW 22342 97a004 22316->22342 22475 9797e3 SHGetMalloc 22318->22475 22319->22320 22385 969487 22320->22385 22321 97a10a SetDlgItemTextW GetDlgItem 22324 97a123 GetWindowLongW SetWindowLongW 22321->22324 22325 97a13b 22321->22325 22324->22325 22395 97aa44 22325->22395 22326 979f8c 22476 9797e3 SHGetMalloc 22326->22476 22327->22207 22328->22283 22328->22288 22332 979f98 22477 9797e3 SHGetMalloc 22332->22477 22333 97a047 22333->22290 22338 97a05d UnmapViewOfFile CloseHandle 22333->22338 22334 97aa44 91 API calls 22336 97a157 22334->22336 22420 97bc77 22336->22420 22337 979fa4 22478 96e030 22337->22478 22338->22290 22341 979fbb MapViewOfFile 22341->22344 22342->22333 22345 97a033 Sleep 22342->22345 22344->22316 22345->22333 22345->22342 22350->22207 22350->22229 22353 9612f0 22352->22353 22354 961349 22352->22354 22355 961356 22353->22355 22487 96cf27 22353->22487 22505 96cf00 GetWindowLongW SetWindowLongW 22354->22505 22355->22196 22355->22197 22355->22256 22359 961325 GetDlgItem 22359->22355 22360 961335 22359->22360 22360->22355 22361 96133b SetWindowTextW 22360->22361 22361->22355 22363 97b769 SendMessageW SendMessageW 22362->22363 22364 97b739 22362->22364 22365 97b7a1 22363->22365 22366 97b7c0 SendMessageW SendMessageW SendMessageW 22363->22366 22367 97b744 ShowWindow SendMessageW SendMessageW 
22364->22367 22365->22366 22368 97b7eb SendMessageW 22366->22368 22369 97b80a SendMessageW 22366->22369 22367->22363 22368->22369 22369->22241 22371 969d28 22370->22371 22372 969de2 22371->22372 22373 969db9 22371->22373 22509 969ed6 22371->22509 22372->22258 22372->22259 22373->22372 22374 969ed6 9 API calls 22373->22374 22374->22372 22376->22268 22378 96954b 22377->22378 22379 9695b5 CreateFileW 22378->22379 22380 9695a9 22378->22380 22379->22380 22381 96b2c5 2 API calls 22380->22381 22382 969607 22380->22382 22383 9695ee 22381->22383 22382->22315 22383->22382 22384 9695f2 CreateFileW 22383->22384 22384->22382 22386 9694bc 22385->22386 22387 9694ab 22385->22387 22386->22328 22387->22386 22388 9694b7 22387->22388 22389 9694be 22387->22389 22556 96963a 22388->22556 22561 9694f3 22389->22561 22392->22294 22393->22305 22394->22321 22396 97aa4e __EH_prolog 22395->22396 22397 97a149 22396->22397 22576 9796eb 22396->22576 22397->22334 22400 9796eb ExpandEnvironmentStringsW 22406 97aa85 _wcsrchr 22400->22406 22401 97ad85 SetWindowTextW 22401->22406 22406->22397 22406->22400 22406->22401 22417 97ab69 ___scrt_fastfail 22406->22417 22580 970b00 CompareStringW 22406->22580 22581 978b8d GetCurrentDirectoryW 22406->22581 22582 96a1f9 7 API calls 22406->22582 22585 96a182 FindClose 22406->22585 22586 979843 69 API calls ___std_exception_copy 22406->22586 22587 9820ce 22406->22587 22408 97ab76 SetFileAttributesW 22409 97ac31 GetFileAttributesW 22408->22409 22408->22417 22411 97ac3f DeleteFileW 22409->22411 22409->22417 22411->22417 22412 97af4f GetDlgItem SetWindowTextW SendMessageW 22412->22417 22414 963f2b _swprintf 51 API calls 22416 97ac74 GetFileAttributesW 22414->22416 22415 97af91 SendMessageW 22415->22406 22416->22417 22418 97ac85 MoveFileW 22416->22418 22417->22406 22417->22408 22417->22409 22417->22412 22417->22414 22417->22415 22583 96b150 52 API calls 2 library calls 22417->22583 22584 96a1f9 7 API calls 22417->22584 22418->22417 22419 97ac9d MoveFileExW 22418->22419 
22419->22417 22421 97bc81 __EH_prolog 22420->22421 22611 96f1b7 69 API calls 22421->22611 22423 97bcb2 22612 965b87 69 API calls 22423->22612 22425 97bcd0 22613 967b10 73 API calls 2 library calls 22425->22613 22427 97bd14 22614 967c84 22427->22614 22429 97bd23 22623 967ba0 22429->22623 22433 97b8c8 22432->22433 23151 978abf 22433->23151 22436 97b8d5 GetWindow 22437 97a235 22436->22437 22440 97b8f1 22436->22440 22437->22203 22437->22204 22438 97b8fe GetClassNameW 23156 970b00 CompareStringW 22438->23156 22440->22437 22440->22438 22441 97b987 GetWindow 22440->22441 22442 97b926 GetWindowLongW 22440->22442 22441->22437 22441->22440 22442->22441 22443 97b936 SendMessageW 22442->22443 22443->22441 22444 97b94c GetObjectW 22443->22444 23157 978b21 GetDC GetDeviceCaps ReleaseDC 22444->23157 22446 97b961 23158 978ade GetDC GetDeviceCaps ReleaseDC 22446->23158 23159 978cf2 8 API calls ___scrt_fastfail 22446->23159 22449 97b971 SendMessageW DeleteObject 22449->22441 22450->22220 22452 97900d 22451->22452 22453 978fe8 22451->22453 22457 979484 22452->22457 23162 970b00 CompareStringW 22453->23162 22455 978ffb 22455->22452 22456 978fff FindWindowExW 22455->22456 22456->22452 22458 97948e __EH_prolog 22457->22458 22459 9613af 75 API calls 22458->22459 22460 9794b0 22459->22460 23163 961f0e 22460->23163 22463 9794ca 22466 96165f 79 API calls 22463->22466 22464 9794d9 22465 961927 126 API calls 22464->22465 22468 9794fb __vswprintf_c_l ___std_exception_copy 22465->22468 22467 9794d5 22466->22467 22467->22245 22467->22249 22469 96165f 79 API calls 22468->22469 22469->22467 22470->22228 22472 96ded5 22471->22472 22473 96deee 22471->22473 23171 96df43 22472->23171 22473->22306 22475->22326 22476->22332 22477->22337 22479 96e03f ___scrt_fastfail 22478->22479 22480 96e056 22478->22480 22479->22341 22481 96df43 73 API calls 22480->22481 22481->22479 22483->22286 22484->22297 22485->22278 22486->22267 22506 96c8de 22487->22506 22489 96cf4d GetWindowRect GetClientRect 22490 96d042 
22489->22490 22493 96cfa7 22489->22493 22491 96d084 GetSystemMetrics GetWindow 22490->22491 22492 96d04c GetWindowTextW 22490->22492 22500 96d0a4 22491->22500 22494 96c96f 52 API calls 22492->22494 22493->22491 22497 96d008 GetWindowLongW 22493->22497 22496 96d078 SetWindowTextW 22494->22496 22495 961312 22495->22355 22495->22359 22496->22491 22499 96d032 GetWindowRect 22497->22499 22498 96d0b0 GetWindowTextW 22498->22500 22499->22490 22500->22495 22500->22498 22501 96c96f 52 API calls 22500->22501 22502 96d0f6 GetWindowRect 22500->22502 22503 96d16b GetWindow 22500->22503 22504 96d0e3 SetWindowTextW 22501->22504 22502->22503 22503->22495 22503->22500 22504->22500 22505->22355 22507 96c96f 52 API calls 22506->22507 22508 96c906 _wcschr 22507->22508 22508->22489 22510 969ee3 22509->22510 22511 969f07 22510->22511 22512 969efa CreateDirectoryW 22510->22512 22522 969e4f 22511->22522 22512->22511 22516 969f3a 22512->22516 22515 969f4d GetLastError 22519 969f49 22515->22519 22516->22519 22535 96a113 22516->22535 22519->22371 22520 969f23 22520->22515 22521 969f27 CreateDirectoryW 22520->22521 22521->22515 22521->22516 22543 969e63 22522->22543 22525 96b2c5 22526 96b2d2 22525->22526 22534 96b2dc 22526->22534 22553 96b45f CharUpperW 22526->22553 22528 96b2eb 22554 96b48b CharUpperW 22528->22554 22530 96b2fa 22531 96b375 GetCurrentDirectoryW 22530->22531 22532 96b2fe 22530->22532 22531->22534 22555 96b45f CharUpperW 22532->22555 22534->22520 22536 97cec0 22535->22536 22537 96a120 SetFileAttributesW 22536->22537 22538 96a136 22537->22538 22539 96a163 22537->22539 22540 96b2c5 2 API calls 22538->22540 22539->22519 22541 96a14a 22540->22541 22541->22539 22542 96a14e SetFileAttributesW 22541->22542 22542->22539 22551 97cec0 22543->22551 22546 969e81 22548 96b2c5 2 API calls 22546->22548 22547 969e58 22547->22515 22547->22525 22549 969e95 22548->22549 22549->22547 22550 969e99 GetFileAttributesW 22549->22550 22550->22547 22552 969e70 GetFileAttributesW 22551->22552 22552->22546 
22552->22547 22553->22528 22554->22530 22555->22534 22557 969647 22556->22557 22558 969643 22556->22558 22557->22558 22567 969dfc 22557->22567 22558->22386 22562 9694ff 22561->22562 22565 96951d 22561->22565 22564 96950b CloseHandle 22562->22564 22562->22565 22563 96953c 22563->22386 22564->22565 22565->22563 22575 966d3c 67 API calls 22565->22575 22568 97cec0 22567->22568 22569 969e09 DeleteFileW 22568->22569 22570 969661 22569->22570 22571 969e1c 22569->22571 22570->22386 22572 96b2c5 2 API calls 22571->22572 22573 969e30 22572->22573 22573->22570 22574 969e34 DeleteFileW 22573->22574 22574->22570 22575->22563 22577 9796f5 22576->22577 22578 9797a8 ExpandEnvironmentStringsW 22577->22578 22579 9797cb 22577->22579 22578->22579 22579->22406 22580->22406 22581->22406 22582->22406 22583->22417 22584->22417 22585->22406 22586->22406 22588 985ada 22587->22588 22589 985af2 22588->22589 22590 985ae7 22588->22590 22592 985afa 22589->22592 22598 985b03 pre_c_initialization 22589->22598 22600 9859ec 22590->22600 22593 9859b2 _free 20 API calls 22592->22593 22597 985aef 22593->22597 22594 985b08 22607 985e2e 20 API calls _free 22594->22607 22595 985b2d HeapReAlloc 22595->22597 22595->22598 22597->22406 22598->22594 22598->22595 22608 984689 7 API calls 2 library calls 22598->22608 22601 985a2a 22600->22601 22605 9859fa pre_c_initialization 22600->22605 22610 985e2e 20 API calls _free 22601->22610 22603 985a15 RtlAllocateHeap 22604 985a28 22603->22604 22603->22605 22604->22597 22605->22601 22605->22603 22609 984689 7 API calls 2 library calls 22605->22609 22607->22597 22608->22598 22609->22605 22610->22604 22611->22423 22612->22425 22613->22427 22615 967c8e 22614->22615 22616 967cf8 22615->22616 22649 96a195 22615->22649 22620 967d62 22616->22620 22621 96a195 8 API calls 22616->22621 22627 9681ed 22616->22627 22618 967da4 22618->22429 22620->22618 22655 96135c 67 API calls 22620->22655 22621->22616 22624 967bae 22623->22624 22626 967bb5 22623->22626 22625 970e0f 79 API calls 
22624->22625 22625->22626 22628 9681f7 __EH_prolog 22627->22628 22656 9613af 22628->22656 22630 968212 22664 969bf2 22630->22664 22636 968241 22784 96165f 22636->22784 22637 9682dc 22683 968385 22637->22683 22641 96833c 22687 961ebf 22641->22687 22644 96823d 22644->22636 22644->22637 22647 96a195 8 API calls 22644->22647 22788 96b71b CompareStringW 22644->22788 22645 968347 22645->22636 22691 963a0d 22645->22691 22701 9683eb 22645->22701 22647->22644 22650 96a1aa 22649->22650 22654 96a1ae 22650->22654 23139 96a2c3 22650->23139 22652 96a1be 22653 96a1c3 FindClose 22652->22653 22652->22654 22653->22654 22654->22615 22655->22618 22657 9613b4 __EH_prolog 22656->22657 22790 96c463 22657->22790 22659 9613eb 22663 961444 ___scrt_fastfail 22659->22663 22796 97cdac 22659->22796 22663->22630 22665 969bfd 22664->22665 22666 968228 22665->22666 22821 966e22 67 API calls 22665->22821 22666->22636 22668 9619e2 22666->22668 22669 9619ec __EH_prolog 22668->22669 22675 961a2e 22669->22675 22676 961a15 22669->22676 22822 96138d 22669->22822 22671 961b47 22825 96135c 67 API calls 22671->22825 22673 963a0d 90 API calls 22678 961b9e 22673->22678 22674 961b57 22674->22673 22674->22676 22675->22671 22675->22674 22675->22676 22676->22644 22677 961be8 22677->22676 22682 961c1b 22677->22682 22826 96135c 67 API calls 22677->22826 22678->22677 22680 963a0d 90 API calls 22678->22680 22680->22678 22681 963a0d 90 API calls 22681->22682 22682->22676 22682->22681 22684 968392 22683->22684 22844 96ffa6 GetSystemTime SystemTimeToFileTime 22684->22844 22686 9682f6 22686->22641 22789 9706b6 65 API calls 22686->22789 22688 961ec4 __EH_prolog 22687->22688 22689 961ef8 22688->22689 22846 961927 22688->22846 22689->22645 22692 963a1d 22691->22692 22693 963a19 22691->22693 22694 963a3c 22692->22694 22695 963a4a 22692->22695 22693->22645 22699 963a7c 22694->22699 23075 9631f0 78 API calls 3 library calls 22694->23075 23076 962759 90 API calls 3 library calls 22695->23076 22698 963a48 22698->22699 23077 
961fbf 67 API calls 22698->23077 22699->22645 22702 9683f5 __EH_prolog 22701->22702 22703 96842e 22702->22703 22732 968432 22702->22732 23101 9777e6 93 API calls 22702->23101 22704 968457 22703->22704 22708 9684e0 22703->22708 22703->22732 22705 968479 22704->22705 22704->22732 23102 967a2f 150 API calls 22704->23102 22705->22732 23103 9777e6 93 API calls 22705->23103 22708->22732 23078 965d68 22708->23078 22711 96856b 22711->22732 23086 9680da 22711->23086 22714 9686cf 22715 96a195 8 API calls 22714->22715 22716 968734 22714->22716 22715->22716 23090 967c11 22716->23090 22718 96c5cd 73 API calls 22722 96878f _memcmp 22718->22722 22719 9688b9 22720 96898c 22719->22720 22727 968908 22719->22727 22725 9689e7 22720->22725 22736 968997 22720->22736 22721 9688b2 23106 96135c 67 API calls 22721->23106 22722->22718 22722->22719 22722->22721 22722->22732 23104 9680a6 75 API calls 22722->23104 23105 96135c 67 API calls 22722->23105 22735 968979 22725->22735 23109 967f88 89 API calls 22725->23109 22726 9689e5 22729 969487 72 API calls 22726->22729 22730 969e4f 4 API calls 22727->22730 22727->22735 22728 969487 72 API calls 22728->22732 22729->22732 22733 968940 22730->22733 22732->22645 22733->22735 23107 9691b1 89 API calls 22733->23107 22734 968a52 22747 968abd 22734->22747 22780 969005 22734->22780 23110 96976a 22734->23110 22735->22726 22735->22734 22736->22726 23108 967dc4 93 API calls ___InternalCxxFrameHandler 22736->23108 22737 96a6f9 8 API calls 22741 968b0c 22737->22741 22739 968a95 22739->22747 23114 966f5f 67 API calls 22739->23114 22743 96a6f9 8 API calls 22741->22743 22748 968b22 22743->22748 22745 968aab 23115 966f23 68 API calls 22745->23115 22747->22737 22749 968be5 22748->22749 23116 9698b9 SetFilePointer GetLastError SetEndOfFile 22748->23116 22750 968d46 22749->22750 22751 968c40 22749->22751 22755 968d6c 22750->22755 22756 968d58 22750->22756 22771 968c70 22750->22771 22752 968cb2 22751->22752 22754 968c50 22751->22754 22753 9680da CharUpperW 
22752->22753 22764 968ccd 22753->22764 22759 968c96 22754->22759 22765 968c5e 22754->22765 22758 971fa8 68 API calls 22755->22758 22757 969120 119 API calls 22756->22757 22757->22771 22761 968d85 22758->22761 22759->22771 23118 9677d4 101 API calls 22759->23118 22762 971c3f 119 API calls 22761->22762 22762->22771 22766 968cf6 22764->22766 22767 968cfd 22764->22767 22764->22771 23117 966f5f 67 API calls 22765->23117 23119 967586 77 API calls ___InternalCxxFrameHandler 22766->23119 23120 96905e 85 API calls __EH_prolog 22767->23120 22773 968e94 22771->22773 23121 966f5f 67 API calls 22771->23121 22774 968f2b 22773->22774 22773->22780 23122 969bba SetEndOfFile 22773->23122 23096 969a62 22774->23096 22777 968f85 22778 9694f3 68 API calls 22777->22778 22779 968f90 22778->22779 22779->22780 22781 96a113 4 API calls 22779->22781 22780->22728 22782 968fef 22781->22782 22782->22780 23123 966f5f 67 API calls 22782->23123 22786 961671 22784->22786 23138 96c506 79 API calls 22786->23138 22788->22644 22789->22641 22791 96c46d __EH_prolog 22790->22791 22792 97cdac new 8 API calls 22791->22792 22793 96c4b0 22792->22793 22794 97cdac new 8 API calls 22793->22794 22795 96c4d4 22794->22795 22795->22659 22797 97cdb1 ___std_exception_copy 22796->22797 22798 961431 22797->22798 22808 984689 7 API calls 2 library calls 22797->22808 22809 97d7dc RaiseException Concurrency::cancel_current_task new 22797->22809 22810 97d7bf RaiseException Concurrency::cancel_current_task 22797->22810 22798->22663 22802 96acb6 22798->22802 22803 96acc0 __EH_prolog 22802->22803 22811 96de12 73 API calls 22803->22811 22805 96acd2 22812 96adce 22805->22812 22808->22797 22811->22805 22813 96ade0 ___scrt_fastfail 22812->22813 22816 96fcd4 22813->22816 22819 96fc94 GetCurrentProcess GetProcessAffinityMask 22816->22819 22820 96ad48 22819->22820 22820->22663 22821->22666 22827 961736 22822->22827 22824 9613a9 22824->22675 22825->22676 22826->22682 22828 96174c 22827->22828 22839 9617a4 __vswprintf_c_l 22827->22839 
22829 961775 22828->22829 22840 966d8f 67 API calls __vswprintf_c_l 22828->22840 22831 9617cb 22829->22831 22836 961791 ___std_exception_copy 22829->22836 22833 9820ce 22 API calls 22831->22833 22832 96176b 22841 966dc7 68 API calls 22832->22841 22835 9617d2 22833->22835 22835->22839 22843 966dc7 68 API calls 22835->22843 22836->22839 22842 966dc7 68 API calls 22836->22842 22839->22824 22840->22832 22841->22829 22842->22839 22843->22839 22845 96ffd6 __vswprintf_c_l 22844->22845 22845->22686 22847 96192c __EH_prolog 22846->22847 22848 961965 22847->22848 22850 961995 22847->22850 22853 961940 22847->22853 22849 963a0d 90 API calls 22848->22849 22849->22853 22855 963e39 22850->22855 22853->22689 22858 963e42 22855->22858 22856 963a0d 90 API calls 22856->22858 22858->22856 22859 9619b1 22858->22859 22872 96f944 22858->22872 22859->22853 22860 961dd2 22859->22860 22861 961ddc __EH_prolog 22860->22861 22880 963a90 22861->22880 22863 961e05 22864 961736 69 API calls 22863->22864 22865 961e8c 22863->22865 22866 961e1c 22864->22866 22865->22853 22910 9618ad 69 API calls 22866->22910 22868 961e34 22870 961e40 22868->22870 22911 9706d7 MultiByteToWideChar 22868->22911 22912 9618ad 69 API calls 22870->22912 22873 96f94b 22872->22873 22874 96f966 22873->22874 22878 966d8a RaiseException Concurrency::cancel_current_task 22873->22878 22876 96f977 SetThreadExecutionState 22874->22876 22879 966d8a RaiseException Concurrency::cancel_current_task 22874->22879 22876->22858 22878->22874 22879->22876 22881 963a9a __EH_prolog 22880->22881 22882 963ab0 22881->22882 22883 963acc 22881->22883 22949 96135c 67 API calls 22882->22949 22884 963d0c 22883->22884 22888 963af8 22883->22888 22968 96135c 67 API calls 22884->22968 22887 963abb 22887->22863 22888->22887 22913 970bce 22888->22913 22890 963b30 22917 971fa8 22890->22917 22892 963b79 22894 963c04 22892->22894 22909 963b70 22892->22909 22952 96c5cd 22892->22952 22893 963b75 22893->22892 22951 961fa5 69 API calls 22893->22951 22930 96a6f9 
22894->22930 22896 963b65 22950 96135c 67 API calls 22896->22950 22897 963b47 22897->22892 22897->22893 22897->22896 22898 963c17 22903 963c92 22898->22903 22904 963c88 22898->22904 22958 971c3f 22903->22958 22934 969120 22904->22934 22907 963c90 22907->22909 22967 966f5f 67 API calls 22907->22967 22945 970e0f 22909->22945 22910->22868 22911->22870 22912->22865 22914 970bd8 __EH_prolog 22913->22914 22969 96fb54 22914->22969 22916 970cd8 22916->22890 22918 971fb7 22917->22918 22920 971fc1 22917->22920 22980 966dc7 68 API calls 22918->22980 22921 972001 22920->22921 22923 972006 ___std_exception_copy 22920->22923 22929 97205f ___scrt_fastfail 22920->22929 22982 98006c RaiseException 22921->22982 22922 972116 22983 98006c RaiseException 22922->22983 22923->22922 22926 97203b 22923->22926 22923->22929 22981 971ec9 68 API calls 3 library calls 22926->22981 22927 972139 22929->22897 22929->22929 22931 96a706 22930->22931 22933 96a710 22930->22933 22932 97cdac new 8 API calls 22931->22932 22932->22933 22933->22898 22935 96912a __EH_prolog 22934->22935 22984 967c6b 22935->22984 22938 96138d 69 API calls 22939 96913c 22938->22939 22987 96c6a8 22939->22987 22941 969196 22941->22907 22942 96c6a8 114 API calls 22944 96914e 22942->22944 22944->22941 22944->22942 22996 96c860 90 API calls __vswprintf_c_l 22944->22996 22946 970e31 22945->22946 23006 96fc3c 22946->23006 22948 970e4a 22948->22887 22949->22887 22950->22909 22951->22892 22953 96c600 22952->22953 22954 96c5ee 22952->22954 22956 966182 73 API calls 22953->22956 23020 966182 22954->23020 22957 96c5f8 22956->22957 22957->22894 22959 971c48 22958->22959 22961 971c71 22958->22961 22960 971c65 22959->22960 22962 971c67 22959->22962 22964 971c5d 22959->22964 22960->22907 22961->22960 23055 97421c 119 API calls 2 library calls 22961->23055 23054 974f34 114 API calls 22962->23054 23041 975983 22964->23041 22967->22909 22968->22887 22978 97cdf0 22969->22978 22971 96fb5e EnterCriticalSection 22972 96fba2 LeaveCriticalSection 
22971->22972 22973 96fb7d 22971->22973 22972->22916 22974 97cdac new 8 API calls 22973->22974 22975 96fb87 22974->22975 22976 96fb9d 22975->22976 22979 96f982 71 API calls 22975->22979 22976->22972 22978->22971 22979->22976 22980->22920 22981->22929 22982->22922 22983->22927 22997 96a930 22984->22997 22992 96c6bd __vswprintf_c_l 22987->22992 22988 96c807 22989 96c82f 22988->22989 23000 96c647 22988->23000 22991 96f944 2 API calls 22989->22991 22994 96c7fe 22991->22994 22992->22988 22992->22994 23004 96a7e1 84 API calls 22992->23004 23005 9777e6 93 API calls 22992->23005 22994->22944 22996->22944 22998 96a944 GetVersionExW 22997->22998 22999 967c70 22997->22999 22998->22999 22999->22938 23001 96c6a1 23000->23001 23002 96c650 23000->23002 23001->22989 23002->23001 23003 97066e PeekMessageW GetMessageW TranslateMessage DispatchMessageW SendDlgItemMessageW 23002->23003 23003->23001 23004->22992 23005->22992 23007 96fc43 EnterCriticalSection 23006->23007 23008 96fc91 23006->23008 23009 96fc88 LeaveCriticalSection 23007->23009 23010 96fc5d 23007->23010 23008->22948 23009->23008 23010->23009 23013 96fa23 23010->23013 23012 96fc7b 23012->23009 23014 96fdb7 72 API calls 23013->23014 23015 96fa45 ReleaseSemaphore 23014->23015 23016 96fa65 23015->23016 23017 96fa83 DeleteCriticalSection CloseHandle CloseHandle 23015->23017 23018 96fb19 70 API calls 23016->23018 23017->23012 23019 96fa6f CloseHandle 23018->23019 23019->23016 23019->23017 23021 9661a1 23020->23021 23028 96621d 23020->23028 23022 96decc 73 API calls 23021->23022 23021->23028 23023 9661c9 23022->23023 23031 9708f3 WideCharToMultiByte 23023->23031 23025 9661dc 23026 9661e1 23025->23026 23027 96621f 23025->23027 23026->23028 23032 966551 23026->23032 23040 96626a 73 API calls 2 library calls 23027->23040 23028->22957 23031->23025 23034 96656e _memcmp 23032->23034 23039 9666bd __vswprintf_c_l ___scrt_fastfail 23032->23039 23033 96de4b 73 API calls 23033->23034 23034->23033 23035 966757 __vswprintf_c_l 23034->23035 
23037 9665c1 __vswprintf_c_l _strlen 23034->23037 23036 96df86 73 API calls 23035->23036 23036->23039 23038 96df86 73 API calls 23037->23038 23038->23039 23039->23028 23040->23028 23056 9721e5 23041->23056 23043 96c6a8 114 API calls 23047 975994 ___BuildCatchObject __vswprintf_c_l 23043->23047 23044 975d66 23074 973ef0 91 API calls __vswprintf_c_l 23044->23074 23046 975d76 __vswprintf_c_l 23046->22960 23047->23043 23047->23044 23060 96fab9 23047->23060 23066 972b39 114 API calls 23047->23066 23067 975db8 114 API calls 23047->23067 23068 96fdb7 23047->23068 23072 972592 91 API calls __vswprintf_c_l 23047->23072 23073 9763f1 119 API calls __vswprintf_c_l 23047->23073 23054->22960 23055->22960 23058 9721ef ___std_exception_copy __EH_prolog ___scrt_fastfail 23056->23058 23057 9722da 23057->23047 23058->23057 23059 966dc7 68 API calls 23058->23059 23059->23058 23061 96fac5 23060->23061 23062 96faca 23060->23062 23063 96fbbd 77 API calls 23061->23063 23064 96fae3 23062->23064 23065 96fdb7 72 API calls 23062->23065 23063->23062 23064->23047 23065->23064 23066->23047 23067->23047 23069 96fdd1 ResetEvent ReleaseSemaphore 23068->23069 23070 96fdfc 23068->23070 23071 96fb19 70 API calls 23069->23071 23070->23047 23071->23070 23072->23047 23073->23047 23074->23046 23075->22698 23076->22698 23077->22699 23079 965d76 23078->23079 23124 965c95 23079->23124 23082 965da9 23083 965dea 23082->23083 23085 965de1 23082->23085 23129 96a9a0 CharUpperW CompareStringW CompareStringW 23082->23129 23083->23085 23130 96f133 CompareStringW 23083->23130 23085->22711 23087 9680f8 23086->23087 23088 968199 CharUpperW 23087->23088 23089 9681ac 23088->23089 23089->22714 23091 967c20 23090->23091 23092 967c60 23091->23092 23136 966f05 67 API calls 23091->23136 23092->22722 23094 967c58 23137 96135c 67 API calls 23094->23137 23097 969a73 23096->23097 23100 969a82 23096->23100 23098 969a79 FlushFileBuffers 23097->23098 23097->23100 23098->23100 23099 969afb SetFileTime 23099->22777 23100->23099 
23101->22703 23102->22705 23103->22732 23104->22722 23105->22722 23106->22719 23107->22735 23108->22726 23109->22735 23111 969773 GetFileType 23110->23111 23112 969770 23110->23112 23113 969781 23111->23113 23112->22739 23113->22739 23114->22745 23115->22747 23116->22749 23117->22771 23118->22771 23119->22771 23120->22771 23121->22773 23122->22774 23123->22780 23131 965b92 23124->23131 23127 965b92 3 API calls 23128 965cb6 23127->23128 23128->23082 23129->23082 23130->23085 23134 965b9c 23131->23134 23132 965c84 23132->23127 23132->23128 23134->23132 23135 96a9a0 CharUpperW CompareStringW CompareStringW 23134->23135 23135->23134 23136->23094 23137->23092 23140 96a2cd 23139->23140 23141 96a35d FindNextFileW 23140->23141 23142 96a2eb FindFirstFileW 23140->23142 23143 96a37c 23141->23143 23144 96a368 GetLastError 23141->23144 23145 96a304 23142->23145 23150 96a341 23142->23150 23143->23150 23144->23143 23146 96b2c5 2 API calls 23145->23146 23147 96a31d 23146->23147 23148 96a336 GetLastError 23147->23148 23149 96a321 FindFirstFileW 23147->23149 23148->23150 23149->23148 23149->23150 23150->22652 23160 978ade GetDC GetDeviceCaps ReleaseDC 23151->23160 23153 978ac6 23154 978ad2 23153->23154 23161 978b21 GetDC GetDeviceCaps ReleaseDC 23153->23161 23154->22436 23154->22437 23156->22440 23157->22446 23158->22446 23159->22449 23160->23153 23161->23154 23162->22455 23164 969bf2 67 API calls 23163->23164 23165 961f1a 23164->23165 23166 961f1e 23165->23166 23167 9619e2 90 API calls 23165->23167 23166->22463 23166->22464 23168 961f2b 23167->23168 23168->23166 23170 96135c 67 API calls 23168->23170 23170->23166 23172 96df54 __vswprintf_c_l 23171->23172 23175 96df86 23172->23175 23176 96df92 23175->23176 23179 96df9c 23175->23179 23185 96df05 23176->23185 23178 96e006 GetCurrentProcessId 23180 96df7e 23178->23180 23179->23178 23181 96dfbc 23179->23181 23180->22473 23181->23180 23191 966d8f 67 API calls __vswprintf_c_l 23181->23191 23183 96dfd7 ___InternalCxxFrameHandler 23192 
966d8a RaiseException Concurrency::cancel_current_task 23183->23192 23186 96df3d 23185->23186 23187 96df0e 23185->23187 23186->23179 23193 96f35b 23187->23193 23190 96df1e GetProcAddress GetProcAddress 23190->23186 23191->23183 23192->23180 23194 97cec0 23193->23194 23195 96f368 GetSystemDirectoryW 23194->23195 23196 96f380 23195->23196 23197 96df18 23195->23197 23198 96f391 LoadLibraryW 23196->23198 23197->23186 23197->23190 23198->23197 23953 96604b 73 API calls 23215 97b076 23217 97b07b 23215->23217 23226 97aa98 _wcsrchr 23215->23226 23216 9796eb ExpandEnvironmentStringsW 23216->23226 23217->23226 23241 97b9a9 23217->23241 23219 97b641 23221 97ad85 SetWindowTextW 23221->23226 23224 9820ce 22 API calls 23224->23226 23226->23216 23226->23219 23226->23221 23226->23224 23237 97ab69 ___scrt_fastfail 23226->23237 23240 970b00 CompareStringW 23226->23240 23264 978b8d GetCurrentDirectoryW 23226->23264 23265 96a1f9 7 API calls 23226->23265 23268 96a182 FindClose 23226->23268 23269 979843 69 API calls ___std_exception_copy 23226->23269 23228 97ab76 SetFileAttributesW 23229 97ac31 GetFileAttributesW 23228->23229 23228->23237 23231 97ac3f DeleteFileW 23229->23231 23229->23237 23231->23237 23232 97af4f GetDlgItem SetWindowTextW SendMessageW 23232->23237 23234 963f2b _swprintf 51 API calls 23236 97ac74 GetFileAttributesW 23234->23236 23235 97af91 SendMessageW 23235->23226 23236->23237 23238 97ac85 MoveFileW 23236->23238 23237->23226 23237->23228 23237->23229 23237->23232 23237->23234 23237->23235 23266 96b150 52 API calls 2 library calls 23237->23266 23267 96a1f9 7 API calls 23237->23267 23238->23237 23239 97ac9d MoveFileExW 23238->23239 23239->23237 23240->23226 23243 97b9b3 ___scrt_fastfail 23241->23243 23242 97bc0b 23242->23226 23243->23242 23244 97ba9e 23243->23244 23270 970b00 CompareStringW 23243->23270 23246 969e4f 4 API calls 23244->23246 23247 97bab3 23246->23247 23248 97bad2 ShellExecuteExW 23247->23248 23271 96ae70 GetFullPathNameW GetFullPathNameW 
GetCurrentDirectoryW CharUpperW 23247->23271 23248->23242 23255 97bae5 23248->23255 23250 97baca 23250->23248 23251 97bb20 23272 97be68 WaitForSingleObject PeekMessageW WaitForSingleObject 23251->23272 23252 97bb76 CloseHandle 23253 97bb84 23252->23253 23254 97bb8f 23252->23254 23273 970b00 CompareStringW 23253->23273 23254->23242 23260 97bc06 ShowWindow 23254->23260 23255->23251 23255->23252 23258 97bb1a ShowWindow 23255->23258 23258->23251 23259 97bb38 23259->23252 23261 97bb4b GetExitCodeProcess 23259->23261 23260->23242 23261->23252 23262 97bb5e 23261->23262 23262->23252 23264->23226 23265->23226 23266->23237 23267->23237 23268->23226 23269->23226 23270->23244 23271->23250 23272->23259 23273->23254 24034 984b7a 52 API calls 2 library calls 24005 984e74 55 API calls _free 24036 98d774 IsProcessorFeaturePresent 23958 961067 75 API calls pre_c_initialization 24006 980e6a 48 API calls 23979 978962 GdipDisposeImage GdipFree ___InternalCxxFrameHandler

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0096F3A5: GetModuleHandleW.KERNEL32 ref: 0096F3BD
                                    • Part of subcall function 0096F3A5: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0096F3D5
                                    • Part of subcall function 0096F3A5: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0096F3F8
                                    • Part of subcall function 00978B8D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00978B95
                                    • Part of subcall function 00979035: OleInitialize.OLE32(00000000), ref: 0097904E
                                    • Part of subcall function 00979035: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00979085
                                    • Part of subcall function 00979035: SHGetMalloc.SHELL32(009A20E8), ref: 0097908F
                                    • Part of subcall function 00970710: GetCPInfo.KERNEL32(00000000,?), ref: 00970721
                                    • Part of subcall function 00970710: IsDBCSLeadByte.KERNEL32(00000000), ref: 00970735
                                  • GetCommandLineW.KERNEL32 ref: 0097C178
                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0097C19F
                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0097C1B0
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0097C1EA
                                    • Part of subcall function 0097BE09: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0097BE1F
                                    • Part of subcall function 0097BE09: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0097BE5B
                                  • CloseHandle.KERNEL32(00000000), ref: 0097C1F3
                                  • GetModuleFileNameW.KERNEL32(00000000,009B7938,00000800), ref: 0097C20E
                                  • SetEnvironmentVariableW.KERNEL32(sfxname,009B7938), ref: 0097C220
                                  • GetLocalTime.KERNEL32(?), ref: 0097C227
                                  • _swprintf.LIBCMT ref: 0097C266
                                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0097C278
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0097C27B
                                  • LoadIconW.USER32(00000000,00000064), ref: 0097C292
                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00019B4E,00000000), ref: 0097C2E3
                                  • Sleep.KERNEL32(?), ref: 0097C311
                                  • DeleteObject.GDI32 ref: 0097C350
                                  • DeleteObject.GDI32(?), ref: 0097C35C
                                    • Part of subcall function 0097A8D3: CharUpperW.USER32(?,?,?,?,00001000), ref: 0097A92B
                                    • Part of subcall function 0097A8D3: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 0097A952
                                  • CloseHandle.KERNEL32 ref: 0097C39B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteObjectProcUpperView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                  • API String ID: 985665271-3710569615
                                  • Opcode ID: aef48a83a17b7af3dfe3f6a311a8819d519cad0e5d5e845e2f1393bf7045b315
                                  • Instruction ID: 5a4df5372811f47792050436e2214933d2246ca2e920a32cf3fd52833cf35c7b
                                  • Opcode Fuzzy Hash: aef48a83a17b7af3dfe3f6a311a8819d519cad0e5d5e845e2f1393bf7045b315
                                  • Instruction Fuzzy Hash: BF61E9B291C300AFD720ABA8AD49F6B37DCEFC9714F04842AF90892161DB758D04E7E1

                                  Control-flow Graph

                                  control_flow_graph 872 96a2c3-96a2e9 call 97cec0 875 96a35d-96a366 FindNextFileW 872->875 876 96a2eb-96a2fe FindFirstFileW 872->876 877 96a37c-96a37e 875->877 878 96a368-96a376 GetLastError 875->878 879 96a384-96a42d call 96f160 call 96b952 call 9701af * 3 876->879 880 96a304-96a31f call 96b2c5 876->880 877->879 881 96a432-96a445 877->881 878->877 879->881 887 96a336-96a33f GetLastError 880->887 888 96a321-96a334 FindFirstFileW 880->888 889 96a350 887->889 890 96a341-96a344 887->890 888->879 888->887 893 96a352-96a358 889->893 890->889 892 96a346-96a349 890->892 892->889 895 96a34b-96a34e 892->895 893->881 895->893
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,0096A1BE,000000FF,?,?), ref: 0096A2F8
                                  • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0096A1BE,000000FF,?,?), ref: 0096A32E
                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0096A1BE,000000FF,?,?), ref: 0096A336
                                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,0096A1BE,000000FF,?,?), ref: 0096A35E
                                  • GetLastError.KERNEL32(?,?,?,?,0096A1BE,000000FF,?,?), ref: 0096A36A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: FileFind$ErrorFirstLast$Next
                                  • String ID:
                                  • API String ID: 869497890-0
                                  • Opcode ID: aa208f8a5de1dc3d01a8f53d8ec6ffdb2f1adca21c3f244b8b4b866b53c89afc
                                  • Instruction ID: ed87b1862e4ceb347b179319f6c787e509e6849c3df0b6c21fd3a6b59ca6aa7c
                                  • Opcode Fuzzy Hash: aa208f8a5de1dc3d01a8f53d8ec6ffdb2f1adca21c3f244b8b4b866b53c89afc
                                  • Instruction Fuzzy Hash: 3D414172608245AFC324DF68C885ADAF7E8BF89350F044A2AF5E9D3240D735A9548F92
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,009849D0,?,00997F60,0000000C,00984B27,?,00000002,00000000), ref: 00984A1B
                                  • TerminateProcess.KERNEL32(00000000,?,009849D0,?,00997F60,0000000C,00984B27,?,00000002,00000000), ref: 00984A22
                                  • ExitProcess.KERNEL32 ref: 00984A34
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 5e543f360493271c1de618d45eea2c6f8a5116898c26643e95ab3ff79e78f456
                                  • Instruction ID: 4840b41dbc68f8cc56f92f134283e33740169054f5b7d0a229c6cb49dd988bd5
                                  • Opcode Fuzzy Hash: 5e543f360493271c1de618d45eea2c6f8a5116898c26643e95ab3ff79e78f456
                                  • Instruction Fuzzy Hash: BAE08C32064118AFCF11BF68DD09B883B69FF80342F000015F8198B232CB36DD92EB40

                                  Control-flow Graph

                                  control_flow_graph 257 96f3a5-96f3c7 call 97cec0 GetModuleHandleW 260 96f41a-96f681 257->260 261 96f3c9-96f3e0 GetProcAddress 257->261 264 96f687-96f692 call 98461a 260->264 265 96f74f-96f780 GetModuleFileNameW call 96b8dc call 96f160 260->265 262 96f3f2-96f3fc GetProcAddress 261->262 263 96f3e2-96f3ef 261->263 262->260 266 96f3fe-96f415 262->266 263->262 264->265 271 96f698-96f6c5 GetModuleFileNameW CreateFileW 264->271 277 96f782-96f78c call 96a930 265->277 266->260 274 96f6c7-96f6d5 SetFilePointer 271->274 275 96f743-96f74a CloseHandle 271->275 274->275 278 96f6d7-96f6f4 ReadFile 274->278 275->265 283 96f78e-96f792 call 96f35b 277->283 284 96f799 277->284 278->275 280 96f6f6-96f71b 278->280 282 96f738-96f741 call 96ef59 280->282 282->275 292 96f71d-96f737 call 96f35b 282->292 289 96f797 283->289 287 96f79b-96f79d 284->287 290 96f7bf-96f7e1 call 96b952 GetFileAttributesW 287->290 291 96f79f-96f7bd CompareStringW 287->291 289->287 294 96f7e3-96f7e7 290->294 299 96f7eb 290->299 291->290 291->294 292->282 294->277 298 96f7e9 294->298 300 96f7ef-96f7f4 298->300 299->300 301 96f7f6 300->301 302 96f828-96f82a 300->302 303 96f7f8-96f81a call 96b952 GetFileAttributesW 301->303 304 96f937-96f941 302->304 305 96f830-96f847 call 96b926 call 96a930 302->305 310 96f824 303->310 311 96f81c-96f820 303->311 315 96f8af-96f8e2 call 963f2b AllocConsole 305->315 316 96f849-96f8aa call 96f35b * 2 call 96d192 call 963f2b call 96d192 call 978cca 305->316 310->302 311->303 313 96f822 311->313 313->302 322 96f8e4-96f929 GetCurrentProcessId AttachConsole call 9820a3 GetStdHandle WriteConsoleW Sleep FreeConsole 315->322 323 96f92f-96f931 ExitProcess 315->323 316->323 322->323
                                  APIs
                                  • GetModuleHandleW.KERNEL32 ref: 0096F3BD
                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0096F3D5
                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0096F3F8
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0096F6A3
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0096F6BB
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0096F6CD
                                  • ReadFile.KERNEL32(00000000,?,00007FFE,00990858,00000000), ref: 0096F6EC
                                  • CloseHandle.KERNEL32(00000000), ref: 0096F744
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0096F75A
                                  • CompareStringW.KERNEL32(00000400,00001001,009908A4,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 0096F7B4
                                  • GetFileAttributesW.KERNEL32(?,?,00990870,00000800,?,00000000,?,00000800), ref: 0096F7DD
                                  • GetFileAttributesW.KERNEL32(?,?,00990930,00000800), ref: 0096F816
                                    • Part of subcall function 0096F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0096F376
                                    • Part of subcall function 0096F35B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,0096DF18,Crypt32.dll,?,0096DF9C,?,0096DF7E,?,?,?,?), ref: 0096F398
                                  • _swprintf.LIBCMT ref: 0096F886
                                  • _swprintf.LIBCMT ref: 0096F8D2
                                    • Part of subcall function 00963F2B: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00963F3E
                                  • AllocConsole.KERNEL32 ref: 0096F8DA
                                  • GetCurrentProcessId.KERNEL32 ref: 0096F8E4
                                  • AttachConsole.KERNEL32(00000000), ref: 0096F8EB
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 0096F911
                                  • WriteConsoleW.KERNEL32(00000000), ref: 0096F918
                                  • Sleep.KERNEL32(00002710), ref: 0096F923
                                  • FreeConsole.KERNEL32 ref: 0096F929
                                  • ExitProcess.KERNEL32 ref: 0096F931
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                  • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                  • API String ID: 1201351596-3298887752
                                  • Opcode ID: 991c5a793075d16ab2e07cc43557bb1e870ab1401dca10f58ab04722282eecef
                                  • Instruction ID: 4f22d903ffef0cbdd8fff76ee997c2e82a7f9e893db4421343f8f7a706ed0377
                                  • Opcode Fuzzy Hash: 991c5a793075d16ab2e07cc43557bb1e870ab1401dca10f58ab04722282eecef
                                  • Instruction Fuzzy Hash: 58D16FB15083849FDB30DF58D849B9FBBECEFC4304F50492DE5A996280D7B09548CBA2

                                  Control-flow Graph

                                  control_flow_graph 404 97aa44-97aa5c call 97cdf0 call 97cec0 409 97b644-97b651 404->409 410 97aa62-97aa8c call 9796eb 404->410 410->409 413 97aa92-97aa97 410->413 414 97aa98-97aaa6 413->414 415 97aaa7-97aab7 call 9793b9 414->415 418 97aab9 415->418 419 97aabb-97aad0 call 970b00 418->419 422 97aad2-97aad6 419->422 423 97aadd-97aae0 419->423 422->419 424 97aad8 422->424 425 97aae6 423->425 426 97b610-97b63b call 9796eb 423->426 424->426 428 97aaed-97aaf0 425->428 429 97ad7d-97ad7f 425->429 430 97acdc-97acde 425->430 431 97ad9a-97ad9c 425->431 426->414 441 97b641-97b643 426->441 428->426 432 97aaf6-97ab63 call 978b8d call 96b5be call 96a16c call 96a2a6 call 966fa3 call 96a1f9 428->432 429->426 436 97ad85-97ad95 SetWindowTextW 429->436 430->426 434 97ace4-97acf0 430->434 431->426 433 97ada2-97ada9 431->433 505 97ab69-97ab6f 432->505 506 97acc8-97acd7 call 96a182 432->506 433->426 438 97adaf-97adc8 433->438 439 97ad04-97ad09 434->439 440 97acf2-97ad03 call 984644 434->440 436->426 443 97add0-97adde call 9820a3 438->443 444 97adca 438->444 446 97ad13-97ad1e call 979843 439->446 447 97ad0b-97ad11 439->447 440->439 441->409 443->426 460 97ade4-97aded 443->460 444->443 451 97ad23-97ad25 446->451 447->451 456 97ad27-97ad2e call 9820a3 451->456 457 97ad30-97ad50 call 9820a3 call 9820ce 451->457 456->457 478 97ad52-97ad59 457->478 479 97ad69-97ad6b 457->479 464 97ae16-97ae19 460->464 465 97adef-97adf3 460->465 470 97ae1f-97ae22 464->470 471 97aefe-97af0c call 96f160 464->471 465->464 469 97adf5-97adfd 465->469 469->426 475 97ae03-97ae11 call 96f160 469->475 476 97ae24-97ae29 470->476 477 97ae2f-97ae4a 470->477 488 97af0e-97af22 call 9802bb 471->488 475->488 476->471 476->477 490 97ae94-97ae9b 477->490 491 97ae4c-97ae86 477->491 484 97ad60-97ad68 call 984644 478->484 485 97ad5b-97ad5d 478->485 479->426 487 97ad71-97ad78 call 9820be 479->487 484->479 485->484 487->426 507 97af24-97af28 488->507 508 97af2f-97af8b call 96f160 call 979591 
GetDlgItem SetWindowTextW SendMessageW call 9820d9 488->508 497 97ae9d-97aeb5 call 9820a3 490->497 498 97aec9-97aeec call 9820a3 * 2 490->498 527 97ae8a-97ae8c 491->527 528 97ae88 491->528 497->498 521 97aeb7-97aec4 call 96f138 497->521 498->488 533 97aeee-97aefc call 96f138 498->533 513 97ab76-97ab8b SetFileAttributesW 505->513 506->426 507->508 514 97af2a-97af2c 507->514 508->426 546 97af91-97afa3 SendMessageW 508->546 515 97ac31-97ac3d GetFileAttributesW 513->515 516 97ab91-97abc4 call 96b150 call 96ae45 call 9820a3 513->516 514->508 524 97ac3f-97ac4e DeleteFileW 515->524 525 97acad-97acc2 call 96a1f9 515->525 551 97abd7-97abe5 call 96b57e 516->551 552 97abc6-97abd5 call 9820a3 516->552 521->498 524->525 532 97ac50-97ac53 524->532 525->506 544 97ab71 525->544 527->490 528->527 537 97ac57-97ac83 call 963f2b GetFileAttributesW 532->537 533->488 549 97ac55-97ac56 537->549 550 97ac85-97ac9b MoveFileW 537->550 544->513 546->426 549->537 550->525 553 97ac9d-97aca7 MoveFileExW 550->553 551->506 558 97abeb-97ac2a call 9820a3 call 97de40 551->558 552->551 552->558 553->525 558->515
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0097AA49
                                    • Part of subcall function 009796EB: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 009797B3
                                  • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,0097A35C,?,00000000), ref: 0097AB7E
                                  • GetFileAttributesW.KERNEL32(?), ref: 0097AC38
                                  • DeleteFileW.KERNEL32(?), ref: 0097AC46
                                  • SetWindowTextW.USER32(?,?), ref: 0097AD8F
                                  • _wcsrchr.LIBVCRUNTIME ref: 0097AF19
                                  • GetDlgItem.USER32(?,00000066), ref: 0097AF54
                                  • SetWindowTextW.USER32(00000000,?), ref: 0097AF64
                                  • SendMessageW.USER32(00000000,00000143,00000000,009A412A), ref: 0097AF78
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0097AFA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
                                  • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                  • API String ID: 3676479488-312220925
                                  • Opcode ID: c6217235f58e9e279cd3622fa45c8584069758b551a51dc0f7b9dadd4798259e
                                  • Instruction ID: 8c8515d2a0869c89e38c9e280b3ada4a1e942d42076464196fb39eb97a5974c3
                                  • Opcode Fuzzy Hash: c6217235f58e9e279cd3622fa45c8584069758b551a51dc0f7b9dadd4798259e
                                  • Instruction Fuzzy Hash: 5EE18F73904219AAEF25ABA4DD45EEE737CEF85350F1084A6F509E3081EF749B84CB61

                                  Control-flow Graph

                                  control_flow_graph 621 97b9a9-97b9c1 call 97cec0 624 97b9c7-97b9d3 call 9820a3 621->624 625 97bc0d-97bc15 621->625 624->625 628 97b9d9-97ba01 call 97de40 624->628 631 97ba03 628->631 632 97ba0b-97ba18 628->632 631->632 633 97ba1c-97ba25 632->633 634 97ba1a 632->634 635 97ba27-97ba29 633->635 636 97ba5d 633->636 634->633 638 97ba31-97ba34 635->638 637 97ba61-97ba63 636->637 639 97ba65-97ba68 637->639 640 97ba6a-97ba6c 637->640 641 97bbc1-97bbc6 638->641 642 97ba3a-97ba42 638->642 639->640 645 97ba7f-97ba91 call 96b0ec 639->645 640->645 646 97ba6e-97ba75 640->646 643 97bbbb-97bbbf 641->643 644 97bbc8 641->644 647 97bbda-97bbe2 642->647 648 97ba48-97ba4e 642->648 643->641 649 97bbcd-97bbd1 643->649 644->649 656 97ba93-97baa0 call 970b00 645->656 657 97baaa-97bab5 call 969e4f 645->657 646->645 651 97ba77 646->651 652 97bbe4-97bbe6 647->652 653 97bbea-97bbf2 647->653 648->647 650 97ba54-97ba5b 648->650 649->647 650->636 650->638 651->645 652->653 653->637 656->657 664 97baa2 656->664 662 97bab7-97bace call 96ae70 657->662 663 97bad2-97badf ShellExecuteExW 657->663 662->663 666 97bae5-97baf8 663->666 667 97bc0b-97bc0c 663->667 664->657 669 97bb0b-97bb0d 666->669 670 97bafa-97bb01 666->670 667->625 672 97bb20-97bb3f call 97be68 669->672 673 97bb0f-97bb18 669->673 670->669 671 97bb03-97bb09 670->671 671->669 674 97bb76-97bb82 CloseHandle 671->674 672->674 688 97bb41-97bb49 672->688 673->672 683 97bb1a-97bb1e ShowWindow 673->683 675 97bb84-97bb91 call 970b00 674->675 676 97bb93-97bba1 674->676 675->676 689 97bbf7 675->689 681 97bba3-97bba5 676->681 682 97bbfe-97bc00 676->682 681->682 687 97bba7-97bbad 681->687 682->667 686 97bc02-97bc04 682->686 683->672 686->667 690 97bc06-97bc09 ShowWindow 686->690 687->682 691 97bbaf-97bbb9 687->691 688->674 692 97bb4b-97bb5c GetExitCodeProcess 688->692 689->682 690->667 691->682 692->674 693 97bb5e-97bb68 692->693 694 97bb6f 693->694 695 97bb6a 693->695 694->674 695->694
                                  APIs
                                  • ShellExecuteExW.SHELL32(000001C0), ref: 0097BAD7
                                  • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 0097BB1C
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 0097BB54
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0097BB7A
                                  • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 0097BC09
                                    • Part of subcall function 00970B00: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0096AC99,?,?,?,0096AC48,?,-00000002,?,00000000,?), ref: 00970B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                  • String ID: $.exe$.inf
                                  • API String ID: 3686203788-2452507128
                                  • Opcode ID: 893814297ba6dbe68473ad788ae2c8afab0dc6d9a79df68df2664c4cea63f7ca
                                  • Instruction ID: 1f959035379ca8bf4466ee078877d56c96f7623329535a5b97a9bbb1444c5f55
                                  • Opcode Fuzzy Hash: 893814297ba6dbe68473ad788ae2c8afab0dc6d9a79df68df2664c4cea63f7ca
                                  • Instruction Fuzzy Hash: 4851D0325193809ADB31AF14D940BBBBBEDEF85704F08881DF9C993164EBB19D44DB92

                                  Control-flow Graph

                                  control_flow_graph 791 98739f-9873b8 792 9873ba-9873ca call 98b9ae 791->792 793 9873ce-9873d3 791->793 792->793 803 9873cc 792->803 794 9873e0-987404 MultiByteToWideChar 793->794 795 9873d5-9873dd 793->795 797 98740a-987416 794->797 798 987597-9875aa call 97d763 794->798 795->794 800 987418-987429 797->800 801 98746a 797->801 804 987448-987459 call 9859ec 800->804 805 98742b-98743a call 98f160 800->805 807 98746c-98746e 801->807 803->793 810 98758c 804->810 819 98745f 804->819 805->810 818 987440-987446 805->818 807->810 811 987474-987487 MultiByteToWideChar 807->811 813 98758e-987595 call 987607 810->813 811->810 812 98748d-98749f call 9879fa 811->812 820 9874a4-9874a8 812->820 813->798 822 987465-987468 818->822 819->822 820->810 823 9874ae-9874b5 820->823 822->807 824 9874ef-9874fb 823->824 825 9874b7-9874bc 823->825 827 9874fd-98750e 824->827 828 987547 824->828 825->813 826 9874c2-9874c4 825->826 826->810 829 9874ca-9874e4 call 9879fa 826->829 831 987529-98753a call 9859ec 827->831 832 987510-98751f call 98f160 827->832 830 987549-98754b 828->830 829->813 844 9874ea 829->844 835 98754d-987566 call 9879fa 830->835 836 987585-98758b call 987607 830->836 831->836 843 98753c 831->843 832->836 847 987521-987527 832->847 835->836 849 987568-98756f 835->849 836->810 848 987542-987545 843->848 844->810 847->848 848->830 850 9875ab-9875b1 849->850 851 987571-987572 849->851 852 987573-987583 WideCharToMultiByte 850->852 851->852 852->836 853 9875b3-9875ba call 987607 852->853 853->813
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00982FB2,00982FB2,?,?,?,009875F0,00000001,00000001,F5E85006), ref: 009873F9
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009875F0,00000001,00000001,F5E85006,?,?,?), ref: 0098747F
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00987579
                                  • __freea.LIBCMT ref: 00987586
                                    • Part of subcall function 009859EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0098239A,?,0000015D,?,?,?,?,00982F19,000000FF,00000000,?,?), ref: 00985A1E
                                  • __freea.LIBCMT ref: 0098758F
                                  • __freea.LIBCMT ref: 009875B4
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                  • String ID:
                                  • API String ID: 1414292761-0
                                  • Opcode ID: f3c5ffa39e0392e77a4e85a815d72d529ca946410ab28080523550ea718f0312
                                  • Instruction ID: 44000d3f6f011a4bb692e4ebd18a6b97ad16ad2160f1eadf40d452a7016891cb
                                  • Opcode Fuzzy Hash: f3c5ffa39e0392e77a4e85a815d72d529ca946410ab28080523550ea718f0312
                                  • Instruction Fuzzy Hash: BC51A372618216ABDB25AEA4CC41FBBBBAAEB84750F354629FC04D7250EB35DC409790

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0096FDB7: ResetEvent.KERNEL32(?,00721FD0,0096FA45,009A1E74,00721FD0,?,-00000001,0098F605,000000FF,?,0096FC7B,?,?,0096A5F0,?), ref: 0096FDD7
                                    • Part of subcall function 0096FDB7: ReleaseSemaphore.KERNEL32(?,?,00000000,?,-00000001,0098F605,000000FF,?,0096FC7B,?,?,0096A5F0,?), ref: 0096FDEB
                                  • ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 0096FA57
                                  • CloseHandle.KERNEL32(00721FD4,00721FD4), ref: 0096FA71
                                  • DeleteCriticalSection.KERNEL32(00722170), ref: 0096FA8A
                                  • CloseHandle.KERNEL32(?), ref: 0096FA96
                                  • CloseHandle.KERNEL32(?), ref: 0096FAA2
                                    • Part of subcall function 0096FB19: WaitForSingleObject.KERNEL32(?,000000FF,0096FCF9,?,?,0096FD6E,?,?,?,?,?,0096FD58), ref: 0096FB1F
                                    • Part of subcall function 0096FB19: GetLastError.KERNEL32(?,?,0096FD6E,?,?,?,?,?,0096FD58), ref: 0096FB2B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                  • String ID:
                                  • API String ID: 1868215902-0
                                  • Opcode ID: 3c70a53a22f36cd6d810e99d4d8313ca43d3fb12bce49b6989ab335042f1c743
                                  • Instruction ID: 732c1efe5fab289ddc33759459dabaff4685e96519fbeabd4ae2f91cab68922c
                                  • Opcode Fuzzy Hash: 3c70a53a22f36cd6d810e99d4d8313ca43d3fb12bce49b6989ab335042f1c743
                                  • Instruction Fuzzy Hash: 52017132144B44EFC7219F68ED59FC6BBEAFF86710F00452AF2AE92560DB716800DB61

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0096F35B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0096F376
                                    • Part of subcall function 0096F35B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,0096DF18,Crypt32.dll,?,0096DF9C,?,0096DF7E,?,?,?,?), ref: 0096F398
                                  • OleInitialize.OLE32(00000000), ref: 0097904E
                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00979085
                                  • SHGetMalloc.SHELL32(009A20E8), ref: 0097908F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                  • String ID: riched20.dll
                                  • API String ID: 3498096277-3360196438
                                  • Opcode ID: d61a6c9c050516c294bf59a2a84d853a1797abd026f677f22bcc805191fe19aa
                                  • Instruction ID: 4bbefe34943e59d8ecea427d62cc30153d2dc8710a19566c6e638704567790bb
                                  • Opcode Fuzzy Hash: d61a6c9c050516c294bf59a2a84d853a1797abd026f677f22bcc805191fe19aa
                                  • Instruction Fuzzy Hash: 0EF03CB1800109ABCB10AFADD8499AEFBBCEB84314F00415AE814A2210C7B45645CBA1
                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0097992E
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0097993F
                                  • TranslateMessage.USER32(?), ref: 00979949
                                  • DispatchMessageW.USER32(?), ref: 00979953
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: Message$DispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 4217535847-0
                                  • Opcode ID: f5493d2ff6f875e37d1558f434ba5b60e0319f0cbd24cd97fe1df21ee82013dd
                                  • Instruction ID: 2e545da66d46550c58d23c82cb141ec81ef0562183dcff0104b583fef0200281
                                  • Opcode Fuzzy Hash: f5493d2ff6f875e37d1558f434ba5b60e0319f0cbd24cd97fe1df21ee82013dd
                                  • Instruction Fuzzy Hash: 20E0ED72C1612EA78B20ABEAAD4CDDB7F6CEE062657004016B519D2400D6689505D7F1
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00010000,Function_0000FD4F,?,00000000,00000000), ref: 0096FBE1
                                  • SetThreadPriority.KERNEL32(?,00000000), ref: 0096FC28
                                    • Part of subcall function 00966D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00966DAD
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: Thread$CreatePriority__vswprintf_c_l
                                  • String ID: CreateThread failed
                                  • API String ID: 2655393344-3849766595
                                  • Opcode ID: 5295d32be4a856495b5f3e8cc8f6336a0ae74c9a1016f5a0a8690545277758b5
                                  • Instruction ID: 86b0033aec91877dd5e408be629779cf75a21490ab81129e08dc57a51607e5b3
                                  • Opcode Fuzzy Hash: 5295d32be4a856495b5f3e8cc8f6336a0ae74c9a1016f5a0a8690545277758b5
                                  • Instruction Fuzzy Hash: 6701D6B63483096FD6246F6CBC66F66739DEBD1755F20043EF992961C0CAA16841C6A0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: c0871c9c7892688cf2b7bfb5b20169b7e0cf8d664dd8348d0ec1ebd196402b8d
                                  • Instruction ID: adf78f6ec1ba37409d75349ac7aaddc596ee1b1e5b244e2d1fbc3c7f8898aede
                                  • Opcode Fuzzy Hash: c0871c9c7892688cf2b7bfb5b20169b7e0cf8d664dd8348d0ec1ebd196402b8d
                                  • Instruction Fuzzy Hash: 43619C71504F44AADB21DB34CC91AEBB7E8AF54301F44892EE5EB87242DB366A48CF51
                                  APIs
                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 009882D9
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: Info
                                  • String ID:
                                  • API String ID: 1807457897-3916222277
                                  • Opcode ID: 89420b352763455b216a8a62aac443f271d7b85a8dd7ff2ae3ff006500e4f342
                                  • Instruction ID: 9d64b6b911734f3ea16b1c10d7c92a42c5ccd66dbfba403b4fb0d2372e1448e8
                                  • Opcode Fuzzy Hash: 89420b352763455b216a8a62aac443f271d7b85a8dd7ff2ae3ff006500e4f342
                                  • Instruction Fuzzy Hash: 28415A7150834C9BDB229E288C84BFBBBFDEB45704F5408EEE58A87242D6399945CF70
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: CMT
                                  • API String ID: 3519838083-2756464174
                                  • Opcode ID: c1505c19419cb4a6b3bc1dcdfdfce292d3a5e6bb89f1c973b4075596adaa6051
                                  • Instruction ID: 61998844630448b91790ef77fbc5a28e6da364a436990537e7007e31792935a9
                                  • Opcode Fuzzy Hash: c1505c19419cb4a6b3bc1dcdfdfce292d3a5e6bb89f1c973b4075596adaa6051
                                  • Instruction Fuzzy Hash: 2611E2B1A00245AFCB18DF65D4A1ABEFBFEFF85340F08441AE88697341DB359850DBA0
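The function blocks in this section all share one shape: API call lines (direct calls and "Part of subcall function" lines), then a Similarity section whose API String ID identifies the function's API-and-string set, which is why the two H_prolog/CMT functions above carry the same ID. The helper below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses that text form, clusters functions by API String ID so repeated runtime and SFX-stub code collapses into groups, and flags the functions whose API set touches a watchlist, optionally counting subcall APIs as well. The SAMPLE text is constructed from lines of this report trimmed to the fields used; WATCHLIST and the field names used as keys are assumptions.

```python
"""Triage helper for Joe Sandbox per-function summary blocks (added example,
not part of the report or of Joe Sandbox). Parses the text form of the
"APIs ... Similarity" blocks, clusters functions sharing an API String ID and
flags functions whose API set meets a watchlist. WATCHLIST is an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR"; subcall lines add a "Part of subcall
# function XXXX:" prefix. Argument list and the comma before "ref:" are optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# "• Key: value" lines of the Similarity section (String ID, API String ID, ...).
KV_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

# Assumed watchlist: thread and loader APIs seen in these blocks plus the
# remote-injection APIs the report's signatures describe.
WATCHLIST = frozenset({"CreateThread", "SetThreadPriority", "LoadLibraryW",
                       "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"})

# Constructed sample: lines copied from this report, trimmed to the fields used.
SAMPLE = """\
APIs
• CreateThread.KERNEL32(00000000,00010000,Function_0000FD4F,?,00000000,00000000), ref: 0096FBE1
• SetThreadPriority.KERNEL32(?,00000000), ref: 0096FC28
  • Part of subcall function 00966D8F: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00966DAD
Similarity
• String ID: CreateThread failed
• API String ID: 2655393344-3849766595
• Instruction Fuzzy Hash: 6701D6B63483096F
APIs
  • Part of subcall function 0096F35B: LoadLibraryW.KERNEL32(?,?,?,?,00000800,?,0096DF18,Crypt32.dll,?), ref: 0096F398
• OleInitialize.OLE32(00000000), ref: 0097904E
• GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00979085
Similarity
• String ID: riched20.dll
• API String ID: 3498096277-3360196438
• Instruction Fuzzy Hash: 0EF03CB1800109AB
Similarity
• String ID: CMT
• API String ID: 3519838083-2756464174
• Instruction Fuzzy Hash: 43619C71504F44AA
Similarity
• String ID: CMT
• API String ID: 3519838083-2756464174
• Instruction Fuzzy Hash: 2611E2B1A00245AF
"""


@dataclass
class Call:
    api: str
    module: str
    ref: int        # call-site address
    subcall: bool   # reached through a callee rather than from this function


@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def apis(self, include_subcalls=False):
        return {c.api for c in self.calls if include_subcalls or not c.subcall}

    def locator(self):
        """Lowest direct call-site address; None for API-free functions."""
        refs = [c.ref for c in self.calls if not c.subcall]
        return min(refs) if refs else None


def parse_blocks(text):
    """One FunctionSummary per block; a block ends at its Instruction Fuzzy Hash line."""
    blocks, cur = [], FunctionSummary()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            cur.calls.append(Call(m["api"], m["module"], int(m["ref"], 16),
                                  m["caller"] is not None))
        elif m := KV_LINE.match(line):
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = FunctionSummary()
    return blocks


def group_by_api_string_id(blocks):
    """Functions sharing an API String ID have the same API and string sets;
    repeated groups are usually template or statically linked runtime code."""
    groups = defaultdict(list)
    for b in blocks:
        groups[b.fields.get("API String ID", "")].append(b)
    return groups


def flag_functions(blocks, watchlist=WATCHLIST, include_subcalls=False):
    """[(locator, sorted matched APIs, String ID)] for functions on the watchlist."""
    hits = []
    for b in blocks:
        matched = sorted(b.apis(include_subcalls) & watchlist)
        if matched:
            hits.append((b.locator(), matched, b.fields.get("String ID", "")))
    return hits


def triage(text=SAMPLE):
    blocks = parse_blocks(text)
    return {
        "functions": len(blocks),
        "direct_hits": flag_functions(blocks),
        "hits_with_subcalls": flag_functions(blocks, include_subcalls=True),
        "duplicate_groups": {k: len(v) for k, v in
                             group_by_api_string_id(blocks).items() if len(v) > 1},
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On the sample, only the CreateThread/SetThreadPriority function is a direct hit; the LoadLibraryW function appears only when subcall APIs are counted, which is the usual trade-off: subcalls widen coverage but attribute a callee's behaviour to every caller. The locator is the lowest direct call-site address, since these blocks do not carry the function's start address.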
                                  APIs
                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F5E85006,00000001,?,000000FF), ref: 00987A6B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: String
                                  • String ID: LCMapStringEx
                                  • API String ID: 2568140703-3893581201
                                  • Opcode ID: b5fc80cda1f6ea83e133fa35a1a5977b346fa2c2943e5a4fb2fedb407c808e07
                                  • Instruction ID: 457d4ccf4046c6a5c197e5bf40cea2ddc635aae8e07a9bad72ab4bfdac8c115b
                                  • Opcode Fuzzy Hash: b5fc80cda1f6ea83e133fa35a1a5977b346fa2c2943e5a4fb2fedb407c808e07
                                  • Instruction Fuzzy Hash: 76011376545209BBCF06AF94DC45EAE7FA2EF88750F108115FE1866260D636CA30EB80
                                  APIs
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0098708B), ref: 009879E3
                                  Strings
                                  • InitializeCriticalSectionEx, xrefs: 009879B3
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: CountCriticalInitializeSectionSpin
                                  • String ID: InitializeCriticalSectionEx
                                  • API String ID: 2593887523-3084827643
                                  • Opcode ID: 8a6ef54ec09e7f81e13d37640bb8328c1156dfb9ddb216587351bdd55038ea9c
                                  • Instruction ID: 0b804cec59104990ac8107bf5eacad147c8bc6ad4ab99867241d011449d911a5
                                  • Opcode Fuzzy Hash: 8a6ef54ec09e7f81e13d37640bb8328c1156dfb9ddb216587351bdd55038ea9c
                                  • Instruction Fuzzy Hash: 21F0E975A49208FBCF116F98DD45D9EBF65EF84720F108116FC1957260DA728E10E7C0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: Alloc
                                  • String ID: FlsAlloc
                                  • API String ID: 2773662609-671089009
                                  • Opcode ID: 8eb26e3aaa73af3e0faef72f53a17b5173ca99024a7f601178db86e832548ee1
                                  • Instruction ID: 49bcc4e83cad9bb2e36507839a96fed2564293354f5adb31f0c72f309788d404
                                  • Opcode Fuzzy Hash: 8eb26e3aaa73af3e0faef72f53a17b5173ca99024a7f601178db86e832548ee1
                                  • Instruction Fuzzy Hash: 07E0EC71B4A2147B8714BFA89C4596EBB98DBC4711F104056FD1557340D9754E00D7C5
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 009613B4
                                    • Part of subcall function 00965F9E: __EH_prolog.LIBCMT ref: 00965FA3
                                    • Part of subcall function 0096C463: __EH_prolog.LIBCMT ref: 0096C468
                                    • Part of subcall function 0096C463: new.LIBCMT ref: 0096C4AB
                                    • Part of subcall function 0096C463: new.LIBCMT ref: 0096C4CF
                                  • new.LIBCMT ref: 0096142C
                                    • Part of subcall function 0096ACB6: __EH_prolog.LIBCMT ref: 0096ACBB
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 48657e2cd372c68e3e96ee64f6396c308ebda895f912f979108804e57f057098
                                  • Instruction ID: 853720e678e47823884f39841fe408354d55069e1d3366b669e2b195b738b0dc
                                  • Opcode Fuzzy Hash: 48657e2cd372c68e3e96ee64f6396c308ebda895f912f979108804e57f057098
                                  • Instruction Fuzzy Hash: 5F4125B0805B40DED720CF798485AE6FBE5FF28300F54492EE5EE87282CB326554CB15
                                  APIs
                                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00967436,?,?,?), ref: 00969A7C
                                  • SetFileTime.KERNEL32(?,?,?,?), ref: 00969B2C
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: File$BuffersFlushTime
                                  • String ID:
                                  • API String ID: 1392018926-0
                                  • Opcode ID: 2f20e1865a27744d8f68c180c640c7e3531f8f6cf94cc371f27f1a51353e95f9
                                  • Instruction ID: 69ff7c53244c00e553ca2edc80abe79549bf228766a57212805acfa5a9707660
                                  • Opcode Fuzzy Hash: 2f20e1865a27744d8f68c180c640c7e3531f8f6cf94cc371f27f1a51353e95f9
                                  • Instruction Fuzzy Hash: 6721D331258245AFC710DFA8C891ABABBECAF96704F48091DB8D587141D339ED4CD791
                                  APIs
                                  • SetFilePointer.KERNEL32(000000FF,?,?,?), ref: 0096993B
                                  • GetLastError.KERNEL32 ref: 00969948
                                    • Part of subcall function 009696FA: __EH_prolog.LIBCMT ref: 009696FF
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: ErrorFileH_prologLastPointer
                                  • String ID:
                                  • API String ID: 4236474358-0
                                  • Opcode ID: 6dcedcc89ae97722c7afb679f162067a57d170e83fc507a515987f99d832c7b7
                                  • Instruction ID: 0b30bb622b659ddc2a75ec752d5af2a21ca34fb10c2606c66c111db95a665ed7
                                  • Opcode Fuzzy Hash: 6dcedcc89ae97722c7afb679f162067a57d170e83fc507a515987f99d832c7b7
                                  • Instruction Fuzzy Hash: 6901D4322112069B8F188E1A9C44AAF776DFF92330704862DF92ACB290D730EC11E760
                                  APIs
                                  • _free.LIBCMT ref: 00985AFB
                                    • Part of subcall function 009859EC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0098239A,?,0000015D,?,?,?,?,00982F19,000000FF,00000000,?,?), ref: 00985A1E
                                  • HeapReAlloc.KERNEL32(00000000,?,00200000,?,?,0099CBE8,009617D2,?,?,?,?,00000000,?,009613A9,?,?), ref: 00985B37
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: Heap$AllocAllocate_free
                                  • String ID:
                                  • API String ID: 2447670028-0
                                  • Opcode ID: 39662c302826197406e1ed8e29006229f78fe6b41d5c0d08d1bcfdc07728f6f8
                                  • Instruction ID: de471f73604231deeee377a9d442b0a20e7c721fb8d3c25a95f42ba6de1c0d31
                                  • Opcode Fuzzy Hash: 39662c302826197406e1ed8e29006229f78fe6b41d5c0d08d1bcfdc07728f6f8
                                  • Instruction Fuzzy Hash: 16F0F632351D15AADB313B26AC05F6B376C8FE1771B134116F818D6390EA74DD08D361
                                  APIs
                                  • SetFileAttributesW.KERNEL32(?,00000000,00000001,?,00969F49,?,?,?,00969DE2,?,00000001,00000000,?,?), ref: 0096A127
                                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00969F49,?,?,?,00969DE2,?,00000001,00000000,?,?), ref: 0096A158
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 6c68d450e8eeb7677c706aa30e50fc81e1e1b39315af8cb5930e5701dcfb98e6
                                  • Instruction ID: 264b7003e786f4c360b22aa464105ce6dde2e2d7450d50073df43eb3fb2bba40
                                  • Opcode Fuzzy Hash: 6c68d450e8eeb7677c706aa30e50fc81e1e1b39315af8cb5930e5701dcfb98e6
                                  • Instruction Fuzzy Hash: 01F0A0312441096FDF115F64DC01BDA776DAF04381F048051B988D6060DB32CE99EB50
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: ItemText_swprintf
                                  • String ID:
                                  • API String ID: 3011073432-0
                                  • Opcode ID: 1479aedb03c7bd8f97c08a11feba4ea34ecc38912753ef61231358c694f285c4
                                  • Instruction ID: 89eabbae716ad9c359ab45d0c440ea1f1aa3cded2616be8ff17f034dceb66596
                                  • Opcode Fuzzy Hash: 1479aedb03c7bd8f97c08a11feba4ea34ecc38912753ef61231358c694f285c4
                                  • Instruction Fuzzy Hash: C5F0EC73954308B7EB21B7748C06F9A371DDB05741F04845AF609960A2D5715E20A7E1
                                  APIs
                                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00978944
                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0097894B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: BitmapCreateFromGdipStream
                                  • String ID:
                                  • API String ID: 1918208029-0
                                  • Opcode ID: 570322568bc120a5ddde57ff4c31eed7295b8436fc2b903ecc43059fefb6cec5
                                  • Instruction ID: f926fe61f056c665d8a2672dd9df23fd185f6a6efe51c6a48e905421c2bbf326
                                  • Opcode Fuzzy Hash: 570322568bc120a5ddde57ff4c31eed7295b8436fc2b903ecc43059fefb6cec5
                                  • Instruction Fuzzy Hash: DCE0ED76901218EBCB60DF99C5057EABBF8EB08361F10C46EE84993641E6756E04AB92
                                  APIs
                                  • GdiplusShutdown.GDIPLUS(?,?,?,0098F605,000000FF), ref: 009790C6
                                  • CoUninitialize.COMBASE(?,?,?,0098F605,000000FF), ref: 009790CB
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: GdiplusShutdownUninitialize
                                  • String ID:
                                  • API String ID: 3856339756-0
                                  • Opcode ID: 75a8a90341007f074b50355d7b4c3e020dd2eda26d0106ffc1bd593b1c0725d4
                                  • Instruction ID: a5de930f5e0ee1023d525011df3882359b7bde1d7690cff4d368a929065dd8e2
                                  • Opcode Fuzzy Hash: 75a8a90341007f074b50355d7b4c3e020dd2eda26d0106ffc1bd593b1c0725d4
                                  • Instruction Fuzzy Hash: 5AE01272558654DFC311DB4CDD05B45B7E9FB49B20F104769F41993760DB346C00CB95
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: ItemShowWindow
                                  • String ID:
                                  • API String ID: 3351165006-0
                                  • Opcode ID: 02ea3fa75593d055f3ce1f9aabbcf42230ff1388764bfdb17da16148d96de110
                                  • Instruction ID: dac4d4fac232897f581d4cb21a2093d15c37331b7c4a0d0cb9698d2651b78cb7
                                  • Opcode Fuzzy Hash: 02ea3fa75593d055f3ce1f9aabbcf42230ff1388764bfdb17da16148d96de110
                                  • Instruction Fuzzy Hash: 0CC0123206C100BFCB010B74DC09C2EBBE9DB99211F00C905B4A5C0070C238C010EB52
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: bc96c98c3b6e6703c0ebe1312a32603334cb44b236731d83072e91c7bd29b525
                                  • Instruction ID: 289a1d80bb51f4bb5adb27b3c6670a6717c1df40f8124a623da9ee6bd3a245f6
                                  • Opcode Fuzzy Hash: bc96c98c3b6e6703c0ebe1312a32603334cb44b236731d83072e91c7bd29b525
                                  • Instruction Fuzzy Hash: 68B1E370A00646AFEB29CFB8C445BBDFBB9FF45304F1C425AE49693281C735A964CB91
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 009681F2
                                    • Part of subcall function 009613AF: __EH_prolog.LIBCMT ref: 009613B4
                                    • Part of subcall function 009613AF: new.LIBCMT ref: 0096142C
                                    • Part of subcall function 009619E2: __EH_prolog.LIBCMT ref: 009619E7
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 5201d9ed43e243b4a3e28a420b6548e8a1411f0ea256faebb40d1a9e563af933
                                  • Instruction ID: ebefb4ae773a01cda36da5b450bbc29387229ecd9a171bb416eee6264f46adc1
                                  • Opcode Fuzzy Hash: 5201d9ed43e243b4a3e28a420b6548e8a1411f0ea256faebb40d1a9e563af933
                                  • Instruction Fuzzy Hash: 8941A0729406589ADB24EB60C865FEA73ADAF90700F0405EAE48AA3192DF745FC8DB50
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: ee43d497dc27b46f9dc1c8050342e86776a9c6bce82f1da2093b6f164566a67c
                                  • Instruction ID: 99bb4cfc6a1408d482a07c62b90d16daae6b568e0d3cd335c6f9be33731aef34
                                  • Opcode Fuzzy Hash: ee43d497dc27b46f9dc1c8050342e86776a9c6bce82f1da2093b6f164566a67c
                                  • Instruction Fuzzy Hash: E221E1B2E51215ABDB149FB88C41B6A77ACFF48314F00863AE51DEB682D7749D00C6A8
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: fcff81c6c39c3413feb0635d034ef76a002a5c613a662f1147191cc4f87e3940
                                  • Instruction ID: ac46e4d9945e3ca5a546a88d1bccdcad6e05586604339391fb85fe56537c3e81
                                  • Opcode Fuzzy Hash: fcff81c6c39c3413feb0635d034ef76a002a5c613a662f1147191cc4f87e3940
                                  • Instruction Fuzzy Hash: A611A5B3E0452A9BCF22AF98CD91AEEB739FFC9740F154126F80577211CA348D1087A4
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0098633C,00000001,00000364,?,00982203,?,?,0099CBE8), ref: 00985ABE
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 7fb83fa31d108e158200fd180ef14bd3b887fa68c9126f213751f82b298c9d0f
                                  • Instruction ID: 6ae163d5eba7c54e8985d8e4c11fc22b7bd1120c6ad0c4cd3b0bd2415138431c
                                  • Opcode Fuzzy Hash: 7fb83fa31d108e158200fd180ef14bd3b887fa68c9126f213751f82b298c9d0f
                                  • Instruction Fuzzy Hash: 87F02431105A206BDB297B219CC5B2A374CAF81361F1B4211A82997380DA24DC0887E1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,0098239A,?,0000015D,?,?,?,?,00982F19,000000FF,00000000,?,?), ref: 00985A1E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: c03369806170a600f091f2ea22d1e165aeff187b62312748ae6a70b9dfb74515
                                  • Instruction ID: 585a5215da3132955b57e3ebf8f0b734003d22c5403fc9e9d0b624fbd114dbbd
                                  • Opcode Fuzzy Hash: c03369806170a600f091f2ea22d1e165aeff187b62312748ae6a70b9dfb74515
                                  • Instruction Fuzzy Hash: C8E0E531165A219BE62437659DC579A364C9F813B1F030325AC1AD3390EB50CD08C7A1
                                  APIs
                                  • FindClose.KERNEL32(00000000,000000FF,?,?), ref: 0096A1C4
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: CloseFind
                                  • String ID:
                                  • API String ID: 1863332320-0
                                  • Opcode ID: ccb8935a225c6d9e171918c830feba4dcd8ed058a1e3dd80592155c743ae0d75
                                  • Instruction ID: 98e46b3bbc9a136681c711580ff3cf93a1b51374c34006ddb0a81d437a9b5290
                                  • Opcode Fuzzy Hash: ccb8935a225c6d9e171918c830feba4dcd8ed058a1e3dd80592155c743ae0d75
                                  • Instruction Fuzzy Hash: 67F0823140C790EECA225BB48805BCBBB996F56331F048E4AF1FE621D2C27554D99B22
                                  APIs
                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 0096F979
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1557582306.0000000000961000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00960000, based on PE: true
                                  • Associated: 00000009.00000002.1556229385.0000000000960000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1558808220.0000000000990000.00000002.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099A000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.000000000099E000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1559355541.00000000009BA000.00000004.00000001.01000000.0000000B.sdmp
                                  • Associated: 00000009.00000002.1560267667.00000000009BC000.00000002.00000001.01000000.0000000B.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_960000_zdfhrgzd.jbxd
                                  Similarity
                                  • API ID: ExecutionStateThread
                                  • String ID:
                                  • API String ID: 2211380416-0
                                  • Opcode ID: 343549fd6937348839a4f08ac753315f70a522b775d26493f38f61cc4ad47cde
                                  • Instruction ID: 7ea61de54b93107d15b98282b57dfcbf8c9429605201c6bcda8fa1e9d1470981
                                  • Opcode Fuzzy Hash: 343549fd6937348839a4f08ac753315f70a522b775d26493f38f61cc4ad47cde
                                  • Instruction Fuzzy Hash: 01D02E42B1811067EA21332C3C2BBFD260A5FC2351F0C003AB049672C2CA850842E2A2