Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
FGTFTj8GLM.exe

Overview

General Information

Sample name:FGTFTj8GLM.exe
renamed because original name is a hash value
Original sample name:00c955b38cfa57eb92373787b496bbe4fd868d930308ea64bdc865f1d720e6d2.exe
Analysis ID:1587650
MD5:d99576b8f02f430202d411d76d0320bc
SHA1:32de07f5fc411c93311511bf6009881f0cda4d49
SHA256:00c955b38cfa57eb92373787b496bbe4fd868d930308ea64bdc865f1d720e6d2
Tags:exeuser-adrian__luca
Infos:

Detection

FormBook
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • FGTFTj8GLM.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\FGTFTj8GLM.exe" MD5: D99576B8F02F430202D411D76D0320BC)
    • svchost.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\FGTFTj8GLM.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1776618710.0000000000ED0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.1776205623.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\FGTFTj8GLM.exe", CommandLine: "C:\Users\user\Desktop\FGTFTj8GLM.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FGTFTj8GLM.exe", ParentImage: C:\Users\user\Desktop\FGTFTj8GLM.exe, ParentProcessId: 7692, ParentProcessName: FGTFTj8GLM.exe, ProcessCommandLine: "C:\Users\user\Desktop\FGTFTj8GLM.exe", ProcessId: 7748, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\FGTFTj8GLM.exe", CommandLine: "C:\Users\user\Desktop\FGTFTj8GLM.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FGTFTj8GLM.exe", ParentImage: C:\Users\user\Desktop\FGTFTj8GLM.exe, ParentProcessId: 7692, ParentProcessName: FGTFTj8GLM.exe, ProcessCommandLine: "C:\Users\user\Desktop\FGTFTj8GLM.exe", ProcessId: 7748, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: FGTFTj8GLM.exeReversingLabs: Detection: 83%
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1776618710.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1776205623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: FGTFTj8GLM.exeJoe Sandbox ML: detected
          Source: FGTFTj8GLM.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: FGTFTj8GLM.exe, 00000000.00000003.1361195149.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, FGTFTj8GLM.exe, 00000000.00000003.1362366262.0000000004070000.00000004.00001000.00020000.00000000.sdmp, FGTFTj8GLM.exe, 00000000.00000003.1363892170.0000000004070000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1776753415.000000000352D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1425536731.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1776753415.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1423578450.0000000003000000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: FGTFTj8GLM.exe, 00000000.00000003.1361195149.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, FGTFTj8GLM.exe, 00000000.00000003.1362366262.0000000004070000.00000004.00001000.00020000.00000000.sdmp, FGTFTj8GLM.exe, 00000000.00000003.1363892170.0000000004070000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1776753415.000000000352D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1425536731.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1776753415.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1423578450.0000000003000000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D74696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00D74696
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00D7C9C7
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7C93C FindFirstFileW,FindClose,0_2_00D7C93C
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D7F200
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D7F35D
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D7F65E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D73A2B
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D73D4E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D7BF27
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D825E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00D825E2
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D8425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00D8425A
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D84458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00D84458
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D8425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00D8425A
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D70219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00D70219
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D9CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00D9CDAC

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1776618710.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1776205623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Binary is likely a compiled AutoIt script file
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: This is a third-party compiled AutoIt script.0_2_00D13B4C
          Source: FGTFTj8GLM.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: FGTFTj8GLM.exe, 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e94b9d87-f
          Source: FGTFTj8GLM.exe, 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1f98bd70-4
          Source: FGTFTj8GLM.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0e5557b2-a
          Source: FGTFTj8GLM.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4f54c542-2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C8C3 NtClose,2_2_0042C8C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B20 NtClose,LdrInitializeThunk,2_2_03472B20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DB0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03472DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473590 NtCreateMutant,LdrInitializeThunk,2_2_03473590
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474320 NtSetContextThread,2_2_03474320
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474630 NtSuspendThread,2_2_03474630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B40 NtQueryInformationFile,2_2_03472B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B60 NtEnumerateValueKey,2_2_03472B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BC0 NtQueryInformationProcess,2_2_03472BC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BA0 NtQueryValueKey,2_2_03472BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BB0 NtAllocateVirtualMemory,2_2_03472BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472A70 NtWaitForSingleObject,2_2_03472A70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472A90 NtReadFile,2_2_03472A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AB0 NtWriteFile,2_2_03472AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F50 NtProtectVirtualMemory,2_2_03472F50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F60 NtQuerySection,2_2_03472F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F70 NtResumeThread,2_2_03472F70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F20 NtCreateProcessEx,2_2_03472F20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FD0 NtOpenDirectoryObject,2_2_03472FD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FA0 NtCreateFile,2_2_03472FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E40 NtReadVirtualMemory,2_2_03472E40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E60 NtAdjustPrivilegesToken,2_2_03472E60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EF0 NtCreateSection,2_2_03472EF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EA0 NtQueueApcThread,2_2_03472EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D70 NtEnumerateKey,2_2_03472D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DF0 NtWriteVirtualMemory,2_2_03472DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D90 NtDelayExecution,2_2_03472D90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C60 NtQueryInformationToken,2_2_03472C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C20 NtCreateKey,2_2_03472C20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C30 NtFreeVirtualMemory,2_2_03472C30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CC0 NtSetInformationFile,2_2_03472CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CD0 NtMapViewOfSection,2_2_03472CD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CF0 NtUnmapViewOfSection,2_2_03472CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C80 NtQueryVirtualMemory,2_2_03472C80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CB0 NtOpenProcess,2_2_03472CB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473050 NtSetValueKey,2_2_03473050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473980 NtGetContextThread,2_2_03473980
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473D40 NtOpenThread,2_2_03473D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473CE0 NtOpenProcessToken,2_2_03473CE0
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D740B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00D740B1
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D68858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00D68858
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00D7545F
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D3DBB50_2_00D3DBB5
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D1FE400_2_00D1FE40
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D9804A0_2_00D9804A
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D1E0600_2_00D1E060
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D241400_2_00D24140
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D324050_2_00D32405
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D465220_2_00D46522
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D4267E0_2_00D4267E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D906650_2_00D90665
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D268430_2_00D26843
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D1E8000_2_00D1E800
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D3283A0_2_00D3283A
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D489DF0_2_00D489DF
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D90AE20_2_00D90AE2
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D46A940_2_00D46A94
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D28A0E0_2_00D28A0E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D78B130_2_00D78B13
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D6EB070_2_00D6EB07
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D3CD610_2_00D3CD61
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D470060_2_00D47006
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D231900_2_00D23190
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D2710E0_2_00D2710E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D112870_2_00D11287
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D333C70_2_00D333C7
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D3F4190_2_00D3F419
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D316C40_2_00D316C4
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D256800_2_00D25680
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D378D30_2_00D378D3
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D258C00_2_00D258C0
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D31BB80_2_00D31BB8
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D49D050_2_00D49D05
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D31FD00_2_00D31FD0
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D3BFE60_2_00D3BFE6
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_017E0F100_2_017E0F10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101432_2_00410143
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041694E2_2_0041694E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004169532_2_00416953
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E1332_2_0040E133
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004032502_2_00403250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E27F2_2_0040E27F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E2832_2_0040E283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004024E02_2_004024E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042EEA32_2_0042EEA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040277A2_2_0040277A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FF1A2_2_0040FF1A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FF232_2_0040FF23
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004027802_2_00402780
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3602_2_0344E360
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350012E2_2_0350012E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034300C02_2_034300C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EE0962_2_034EE096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7402_2_0343C740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F67772_2_034F6777
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034647102_2_03464710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034427B02_2_034427B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344A7B02_2_0344A7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C6502_2_0345C650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E02_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA6E02_2_034FA6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350A5462_2_0350A546
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A52_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BEB402_2_034BEB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B702_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEA7B2_2_034FEA7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA002_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FCA332_2_034FCA33
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE02_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E2AE02_2_034E2AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034429102_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FE9C62_2_034FE9C6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E08452_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034568D22_2_034568D2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034268882_2_03426888
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DC8AF2_2_034DC8AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E8B02_2_0346E8B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432F482_2_03432F48
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344CF502_2_0344CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03482F082_2_03482F08
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEFDF2_2_034FEFDF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0E7D2_2_034E0E7D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03452E002_2_03452E00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0ECD2_2_034F0ECD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343AD602_2_0343AD60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350AD0B2_2_0350AD0B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03458D2F2_2_03458D2F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440DC92_2_03440DC9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EEC6C2_2_034EEC6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430C722_2_03430C72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344AC702_2_0344AC70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F6C892_2_034F6C89
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEC802_2_034FEC80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF3502_2_034FF350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D30C2_2_0342D30C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034313E02_2_034313E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AD3A02_2_034AD3A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F126C2_2_034F126C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0348721A2_2_0348721A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034452102_2_03445210
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2302_2_0345B230
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347514C2_2_0347514C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DD1402_2_034DD140
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F71112_2_034F7111
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344B1202_2_0344B120
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F1322_2_0342F132
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470302_2_03447030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF7162_2_034FF716
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B97D22_2_034B97D2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B57902_2_034B5790
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034ED6662_2_034ED666
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B360C2_2_034B360C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DD63C2_2_034DD63C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E16332_2_034E1633
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF5E92_2_034FF5E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F75E62_2_034F75E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D54A02_2_034D54A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFB4E2_2_034FFB4E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345FB402_2_0345FB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347DBD92_2_0347DBD9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D1B902_2_034D1B90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03485A802_2_03485A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFAA92_2_034FFAA9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F79132_2_034F7913
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034438502_2_03443850
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034498C02_2_034498C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B8C02_2_0345B8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F18FA2_2_034F18FA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF8922_2_034FF892
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441F022_2_03441F02
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E3FC02_2_034E3FC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F1FE62_2_034F1FE6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFF832_2_034FFF83
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BFE602_2_034BFE60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DFE042_2_034DFE04
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03449E202_2_03449E20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F9EF22_2_034F9EF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFD472_2_034FFD47
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F3D422_2_034F3D42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F7D6C2_2_034F7D6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345FD802_2_0345FD80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C7CF82_2_034C7CF8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D9CA82_2_034D9CA8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03443CB02_2_03443CB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034AE5B2 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0342B930 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03487C84 appears 102 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034BEE30 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03475110 appears 58 times
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: String function: 00D30D27 appears 70 times
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: String function: 00D17F41 appears 35 times
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: String function: 00D38B40 appears 42 times
          Source: FGTFTj8GLM.exe, 00000000.00000003.1360870686.000000000414D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs FGTFTj8GLM.exe
          Source: FGTFTj8GLM.exe, 00000000.00000003.1362196969.0000000003FF3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs FGTFTj8GLM.exe
          Source: FGTFTj8GLM.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal80.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7A2D5 GetLastError,FormatMessageW,0_2_00D7A2D5
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D68713 AdjustTokenPrivileges,CloseHandle,0_2_00D68713
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D68CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00D68CC3
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00D7B59E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D8F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00D8F121
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D886D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00D886D0
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D14FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00D14FE9
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeFile created: C:\Users\user\AppData\Local\Temp\autB4AF.tmpJump to behavior
          Source: FGTFTj8GLM.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: FGTFTj8GLM.exeReversingLabs: Detection: 83%
          Source: unknownProcess created: C:\Users\user\Desktop\FGTFTj8GLM.exe "C:\Users\user\Desktop\FGTFTj8GLM.exe"
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FGTFTj8GLM.exe"
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FGTFTj8GLM.exe"Jump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: ntmarta.dllJump to behavior
          Source: FGTFTj8GLM.exeStatic file information: File size 1222656 > 1048576
          Source: FGTFTj8GLM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: FGTFTj8GLM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: FGTFTj8GLM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: FGTFTj8GLM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: FGTFTj8GLM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: FGTFTj8GLM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: FGTFTj8GLM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: FGTFTj8GLM.exe, 00000000.00000003.1361195149.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, FGTFTj8GLM.exe, 00000000.00000003.1362366262.0000000004070000.00000004.00001000.00020000.00000000.sdmp, FGTFTj8GLM.exe, 00000000.00000003.1363892170.0000000004070000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1776753415.000000000352D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1425536731.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1776753415.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1423578450.0000000003000000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: FGTFTj8GLM.exe, 00000000.00000003.1361195149.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, FGTFTj8GLM.exe, 00000000.00000003.1362366262.0000000004070000.00000004.00001000.00020000.00000000.sdmp, FGTFTj8GLM.exe, 00000000.00000003.1363892170.0000000004070000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1776753415.000000000352D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1425536731.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1776753415.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1423578450.0000000003000000.00000004.00000020.00020000.00000000.sdmp
          Source: FGTFTj8GLM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: FGTFTj8GLM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: FGTFTj8GLM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: FGTFTj8GLM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: FGTFTj8GLM.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D8C304 LoadLibraryA,GetProcAddress,0_2_00D8C304
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D38B85 push ecx; ret 0_2_00D38B98
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00419050 push esp; retf 2_2_00419056
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414263 push ebp; retf 2_2_0041444B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040739C push ds; iretd 2_2_004073A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004034F0 push eax; ret 2_2_004034F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041ED70 push F3E5F1E9h; retf 2_2_0041EDAA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D532 push 00000016h; ret 2_2_0040D543
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AD3D push esp; ret 2_2_0040AD53
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401E68 push ds; retf 2_2_00401E6B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416693 push ds; retf 2_2_004166BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004166B2 push ds; retf 2_2_004166BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004017CE push ds; ret 2_2_004017E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401FB8 push ds; ret 2_2_00401FD6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343092D push ecx; mov dword ptr [esp], ecx2_2_03430936
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00D14A35
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00D955FD
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D333C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00D333C7
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeAPI/Special instruction interceptor: Address: 17E0B34
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347092E rdtsc 2_2_0347092E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-99102
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeAPI coverage: 4.5 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7752Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D74696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00D74696
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00D7C9C7
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7C93C FindFirstFileW,FindClose,0_2_00D7C93C
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D7F200
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D7F35D
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D7F65E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D73A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D73A2B
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D73D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D73D4E
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D7BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D7BF27
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D14AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D14AFE
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeAPI call chain: ExitProcess graph end nodegraph_0-98210
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347092E rdtsc 2_2_0347092E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004178E3 LdrLoadDll,2_2_004178E3
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D841FD BlockInput,0_2_00D841FD
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D13B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00D13B4C
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D45CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00D45CCC
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D8C304 LoadLibraryA,GetProcAddress,0_2_00D8C304
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_017DF750 mov eax, dword ptr fs:[00000030h]0_2_017DF750
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_017E0DA0 mov eax, dword ptr fs:[00000030h]0_2_017E0DA0
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_017E0E00 mov eax, dword ptr fs:[00000030h]0_2_017E0E00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A340 mov eax, dword ptr fs:[00000030h]2_2_0343A340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A340 mov eax, dword ptr fs:[00000030h]2_2_0343A340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A340 mov eax, dword ptr fs:[00000030h]2_2_0343A340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A340 mov eax, dword ptr fs:[00000030h]2_2_0343A340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A340 mov eax, dword ptr fs:[00000030h]2_2_0343A340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A340 mov eax, dword ptr fs:[00000030h]2_2_0343A340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438340 mov eax, dword ptr fs:[00000030h]2_2_03438340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438340 mov eax, dword ptr fs:[00000030h]2_2_03438340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438340 mov eax, dword ptr fs:[00000030h]2_2_03438340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438340 mov eax, dword ptr fs:[00000030h]2_2_03438340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E348 mov eax, dword ptr fs:[00000030h]2_2_0342E348
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E348 mov eax, dword ptr fs:[00000030h]2_2_0342E348
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E348 mov eax, dword ptr fs:[00000030h]2_2_0342E348
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4340 mov eax, dword ptr fs:[00000030h]2_2_034E4340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440359 mov eax, dword ptr fs:[00000030h]2_2_03440359
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440359 mov eax, dword ptr fs:[00000030h]2_2_03440359
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440359 mov eax, dword ptr fs:[00000030h]2_2_03440359
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440359 mov eax, dword ptr fs:[00000030h]2_2_03440359
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440359 mov eax, dword ptr fs:[00000030h]2_2_03440359
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440359 mov eax, dword ptr fs:[00000030h]2_2_03440359
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440359 mov eax, dword ptr fs:[00000030h]2_2_03440359
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440359 mov eax, dword ptr fs:[00000030h]2_2_03440359
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E360 mov eax, dword ptr fs:[00000030h]2_2_0344E360
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E360 mov eax, dword ptr fs:[00000030h]2_2_0344E360
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E360 mov eax, dword ptr fs:[00000030h]2_2_0344E360
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428367 mov eax, dword ptr fs:[00000030h]2_2_03428367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428367 mov eax, dword ptr fs:[00000030h]2_2_03428367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428367 mov eax, dword ptr fs:[00000030h]2_2_03428367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0363 mov eax, dword ptr fs:[00000030h]2_2_034B0363
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D631E mov eax, dword ptr fs:[00000030h]2_2_034D631E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034683C2 mov eax, dword ptr fs:[00000030h]2_2_034683C2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034683C2 mov eax, dword ptr fs:[00000030h]2_2_034683C2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034683C2 mov eax, dword ptr fs:[00000030h]2_2_034683C2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43CA mov eax, dword ptr fs:[00000030h]2_2_034D43CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43CA mov eax, dword ptr fs:[00000030h]2_2_034D43CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034523CA mov eax, dword ptr fs:[00000030h]2_2_034523CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E3E0 mov eax, dword ptr fs:[00000030h]2_2_0342E3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E3E0 mov eax, dword ptr fs:[00000030h]2_2_0342E3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E3E0 mov eax, dword ptr fs:[00000030h]2_2_0342E3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C3E7 mov eax, dword ptr fs:[00000030h]2_2_0342C3E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A3E0 mov eax, dword ptr fs:[00000030h]2_2_0345A3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A3E0 mov eax, dword ptr fs:[00000030h]2_2_0345A3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345A3E0 mov eax, dword ptr fs:[00000030h]2_2_0345A3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A3F0 mov eax, dword ptr fs:[00000030h]2_2_0346A3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE381 mov eax, dword ptr fs:[00000030h]2_2_034BE381
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034663BF mov eax, dword ptr fs:[00000030h]2_2_034663BF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC3B0 mov eax, dword ptr fs:[00000030h]2_2_034BC3B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A243 mov eax, dword ptr fs:[00000030h]2_2_0343A243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A243 mov eax, dword ptr fs:[00000030h]2_2_0343A243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A243 mov eax, dword ptr fs:[00000030h]2_2_0343A243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A243 mov eax, dword ptr fs:[00000030h]2_2_0343A243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A243 mov eax, dword ptr fs:[00000030h]2_2_0343A243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E244 mov eax, dword ptr fs:[00000030h]2_2_0346E244
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E244 mov eax, dword ptr fs:[00000030h]2_2_0346E244
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440251 mov eax, dword ptr fs:[00000030h]2_2_03440251
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440251 mov eax, dword ptr fs:[00000030h]2_2_03440251
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440251 mov eax, dword ptr fs:[00000030h]2_2_03440251
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346425B mov ecx, dword ptr fs:[00000030h]2_2_0346425B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346425B mov eax, dword ptr fs:[00000030h]2_2_0346425B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346425B mov eax, dword ptr fs:[00000030h]2_2_0346425B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F820E mov eax, dword ptr fs:[00000030h]2_2_034F820E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F820E mov eax, dword ptr fs:[00000030h]2_2_034F820E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342820B mov eax, dword ptr fs:[00000030h]2_2_0342820B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A220 mov eax, dword ptr fs:[00000030h]2_2_0342A220
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440220 mov eax, dword ptr fs:[00000030h]2_2_03440220
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440220 mov eax, dword ptr fs:[00000030h]2_2_03440220
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]2_2_0342823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A2CB mov eax, dword ptr fs:[00000030h]2_2_0346A2CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A2CB mov eax, dword ptr fs:[00000030h]2_2_0346A2CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A2CB mov eax, dword ptr fs:[00000030h]2_2_0346A2CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C2D0 mov ecx, dword ptr fs:[00000030h]2_2_0342C2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC2D0 mov eax, dword ptr fs:[00000030h]2_2_034AC2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE2FD mov eax, dword ptr fs:[00000030h]2_2_034BE2FD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034542FF mov eax, dword ptr fs:[00000030h]2_2_034542FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034542FF mov eax, dword ptr fs:[00000030h]2_2_034542FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B42F5 mov eax, dword ptr fs:[00000030h]2_2_034B42F5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450280 mov ecx, dword ptr fs:[00000030h]2_2_03450280
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE292 mov eax, dword ptr fs:[00000030h]2_2_034AE292
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE292 mov eax, dword ptr fs:[00000030h]2_2_034AE292
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE292 mov eax, dword ptr fs:[00000030h]2_2_034AE292
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE292 mov eax, dword ptr fs:[00000030h]2_2_034AE292
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0291 mov eax, dword ptr fs:[00000030h]2_2_034B0291
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0291 mov eax, dword ptr fs:[00000030h]2_2_034B0291
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470145 mov eax, dword ptr fs:[00000030h]2_2_03470145
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0147 mov eax, dword ptr fs:[00000030h]2_2_034B0147
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0147 mov eax, dword ptr fs:[00000030h]2_2_034B0147
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0147 mov eax, dword ptr fs:[00000030h]2_2_034B0147
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A167 mov eax, dword ptr fs:[00000030h]2_2_0342A167
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A167 mov eax, dword ptr fs:[00000030h]2_2_0342A167
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A167 mov eax, dword ptr fs:[00000030h]2_2_0342A167
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C116 mov eax, dword ptr fs:[00000030h]2_2_0342C116
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034361D9 mov eax, dword ptr fs:[00000030h]2_2_034361D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034341E0 mov eax, dword ptr fs:[00000030h]2_2_034341E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034341E0 mov eax, dword ptr fs:[00000030h]2_2_034341E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034341E0 mov eax, dword ptr fs:[00000030h]2_2_034341E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034641FF mov eax, dword ptr fs:[00000030h]2_2_034641FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1A9 mov eax, dword ptr fs:[00000030h]2_2_034AE1A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601B8 mov eax, dword ptr fs:[00000030h]2_2_034601B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BA050 mov eax, dword ptr fs:[00000030h]2_2_034BA050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438069 mov eax, dword ptr fs:[00000030h]2_2_03438069
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343200A mov eax, dword ptr fs:[00000030h]2_2_0343200A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC000 mov ecx, dword ptr fs:[00000030h]2_2_034BC000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA03A mov eax, dword ptr fs:[00000030h]2_2_034EA03A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034360D4 mov eax, dword ptr fs:[00000030h]2_2_034360D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034360D4 mov eax, dword ptr fs:[00000030h]2_2_034360D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034600E4 mov eax, dword ptr fs:[00000030h]2_2_034600E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C60A0 mov eax, dword ptr fs:[00000030h]2_2_034C60A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035040A0 mov eax, dword ptr fs:[00000030h]2_2_035040A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035040A0 mov eax, dword ptr fs:[00000030h]2_2_035040A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035040A0 mov eax, dword ptr fs:[00000030h]2_2_035040A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035040A0 mov eax, dword ptr fs:[00000030h]2_2_035040A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035040A0 mov eax, dword ptr fs:[00000030h]2_2_035040A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035040A0 mov eax, dword ptr fs:[00000030h]2_2_035040A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035040A0 mov eax, dword ptr fs:[00000030h]2_2_035040A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0B3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0B0 mov eax, dword ptr fs:[00000030h]2_2_0342C0B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720B0 mov ecx, dword ptr fs:[00000030h]2_2_034720B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C740 mov eax, dword ptr fs:[00000030h]2_2_0343C740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345275D mov eax, dword ptr fs:[00000030h]2_2_0345275D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345275D mov eax, dword ptr fs:[00000030h]2_2_0345275D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345275D mov eax, dword ptr fs:[00000030h]2_2_0345275D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4750 mov eax, dword ptr fs:[00000030h]2_2_034E4750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E4750 mov eax, dword ptr fs:[00000030h]2_2_034E4750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE760 mov eax, dword ptr fs:[00000030h]2_2_034DE760
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343477B mov eax, dword ptr fs:[00000030h]2_2_0343477B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343477B mov eax, dword ptr fs:[00000030h]2_2_0343477B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346670D mov esi, dword ptr fs:[00000030h]2_2_0346670D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346670D mov eax, dword ptr fs:[00000030h]2_2_0346670D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346670D mov eax, dword ptr fs:[00000030h]2_2_0346670D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472710 mov eax, dword ptr fs:[00000030h]2_2_03472710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472710 mov eax, dword ptr fs:[00000030h]2_2_03472710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343072F mov eax, dword ptr fs:[00000030h]2_2_0343072F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03456730 mov eax, dword ptr fs:[00000030h]2_2_03456730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03456730 mov eax, dword ptr fs:[00000030h]2_2_03456730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D47C4 mov eax, dword ptr fs:[00000030h]2_2_034D47C4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D47C4 mov eax, dword ptr fs:[00000030h]2_2_034D47C4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D47C4 mov eax, dword ptr fs:[00000030h]2_2_034D47C4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D47C4 mov eax, dword ptr fs:[00000030h]2_2_034D47C4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D47C4 mov eax, dword ptr fs:[00000030h]2_2_034D47C4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D47C4 mov eax, dword ptr fs:[00000030h]2_2_034D47C4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D47C4 mov ecx, dword ptr fs:[00000030h]2_2_034D47C4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034CC7C0 mov eax, dword ptr fs:[00000030h]2_2_034CC7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034CC7C0 mov eax, dword ptr fs:[00000030h]2_2_034CC7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347D9 mov eax, dword ptr fs:[00000030h]2_2_034347D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347D9 mov eax, dword ptr fs:[00000030h]2_2_034347D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A7F0 mov eax, dword ptr fs:[00000030h]2_2_0346A7F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC790 mov eax, dword ptr fs:[00000030h]2_2_034BC790
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527A5 mov eax, dword ptr fs:[00000030h]2_2_034527A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527A5 mov eax, dword ptr fs:[00000030h]2_2_034527A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527A5 mov eax, dword ptr fs:[00000030h]2_2_034527A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527A5 mov ecx, dword ptr fs:[00000030h]2_2_034527A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527A5 mov eax, dword ptr fs:[00000030h]2_2_034527A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527A5 mov eax, dword ptr fs:[00000030h]2_2_034527A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B47AF mov eax, dword ptr fs:[00000030h]2_2_034B47AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034427B0 mov ecx, dword ptr fs:[00000030h]2_2_034427B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C666 mov eax, dword ptr fs:[00000030h]2_2_0346C666
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466670 mov eax, dword ptr fs:[00000030h]2_2_03466670
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434610 mov eax, dword ptr fs:[00000030h]2_2_03434610
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434610 mov eax, dword ptr fs:[00000030h]2_2_03434610
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC612 mov eax, dword ptr fs:[00000030h]2_2_034AC612
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC612 mov eax, dword ptr fs:[00000030h]2_2_034AC612
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A620 mov eax, dword ptr fs:[00000030h]2_2_0346A620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A620 mov eax, dword ptr fs:[00000030h]2_2_0346A620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504620 mov eax, dword ptr fs:[00000030h]2_2_03504620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462634 mov eax, dword ptr fs:[00000030h]2_2_03462634
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6C0 mov eax, dword ptr fs:[00000030h]2_2_0346C6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F86C8 mov eax, dword ptr fs:[00000030h]2_2_034F86C8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F86C8 mov eax, dword ptr fs:[00000030h]2_2_034F86C8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034306D0 mov eax, dword ptr fs:[00000030h]2_2_034306D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034606D0 mov eax, dword ptr fs:[00000030h]2_2_034606D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D86D2 mov eax, dword ptr fs:[00000030h]2_2_034D86D2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E46EB mov eax, dword ptr fs:[00000030h]2_2_034E46EB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E46EB mov eax, dword ptr fs:[00000030h]2_2_034E46EB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6E0 mov eax, dword ptr fs:[00000030h]2_2_0346C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6E0 mov eax, dword ptr fs:[00000030h]2_2_0346C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C66E0 mov eax, dword ptr fs:[00000030h]2_2_034C66E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C66E0 mov eax, dword ptr fs:[00000030h]2_2_034C66E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE6E0 mov eax, dword ptr fs:[00000030h]2_2_034DE6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA6E0 mov eax, dword ptr fs:[00000030h]2_2_034FA6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034386F0 mov eax, dword ptr fs:[00000030h]2_2_034386F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034626FC mov eax, dword ptr fs:[00000030h]2_2_034626FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034626FC mov ecx, dword ptr fs:[00000030h]2_2_034626FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034626FC mov eax, dword ptr fs:[00000030h]2_2_034626FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A687 mov ebx, dword ptr fs:[00000030h]2_2_0346A687
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A687 mov eax, dword ptr fs:[00000030h]2_2_0346A687
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430690 mov eax, dword ptr fs:[00000030h]2_2_03430690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464548 mov eax, dword ptr fs:[00000030h]2_2_03464548
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436550 mov eax, dword ptr fs:[00000030h]2_2_03436550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8553 mov esi, dword ptr fs:[00000030h]2_2_034B8553
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8553 mov eax, dword ptr fs:[00000030h]2_2_034B8553
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8553 mov eax, dword ptr fs:[00000030h]2_2_034B8553
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E55C mov eax, dword ptr fs:[00000030h]2_2_0346E55C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432560 mov eax, dword ptr fs:[00000030h]2_2_03432560
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6560 mov eax, dword ptr fs:[00000030h]2_2_034C6560
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA573 mov eax, dword ptr fs:[00000030h]2_2_034FA573
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432502 mov eax, dword ptr fs:[00000030h]2_2_03432502
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432502 mov ecx, dword ptr fs:[00000030h]2_2_03432502
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4508 mov eax, dword ptr fs:[00000030h]2_2_034D4508
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4508 mov eax, dword ptr fs:[00000030h]2_2_034D4508
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC51C mov eax, dword ptr fs:[00000030h]2_2_034BC51C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03454521 mov eax, dword ptr fs:[00000030h]2_2_03454521
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03454521 mov eax, dword ptr fs:[00000030h]2_2_03454521
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346652A mov eax, dword ptr fs:[00000030h]2_2_0346652A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346652A mov eax, dword ptr fs:[00000030h]2_2_0346652A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346652A mov eax, dword ptr fs:[00000030h]2_2_0346652A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034725D9 mov eax, dword ptr fs:[00000030h]2_2_034725D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034665E0 mov eax, dword ptr fs:[00000030h]2_2_034665E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034685E0 mov eax, dword ptr fs:[00000030h]2_2_034685E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE5F0 mov eax, dword ptr fs:[00000030h]2_2_034DE5F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E58F mov eax, dword ptr fs:[00000030h]2_2_0346E58F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E58F mov eax, dword ptr fs:[00000030h]2_2_0346E58F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE580 mov eax, dword ptr fs:[00000030h]2_2_034BE580
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E597 mov eax, dword ptr fs:[00000030h]2_2_0344E597
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A590 mov eax, dword ptr fs:[00000030h]2_2_0346A590
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A590 mov eax, dword ptr fs:[00000030h]2_2_0346A590
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5AD mov eax, dword ptr fs:[00000030h]2_2_0346C5AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5AD mov eax, dword ptr fs:[00000030h]2_2_0346C5AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034325AC mov eax, dword ptr fs:[00000030h]2_2_034325AC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C5B0 mov eax, dword ptr fs:[00000030h]2_2_0344C5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC5B1 mov eax, dword ptr fs:[00000030h]2_2_034BC5B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464470 mov ecx, dword ptr fs:[00000030h]2_2_03464470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE412 mov eax, dword ptr fs:[00000030h]2_2_034BE412
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE412 mov eax, dword ptr fs:[00000030h]2_2_034BE412
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6410 mov eax, dword ptr fs:[00000030h]2_2_034C6410
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6410 mov eax, dword ptr fs:[00000030h]2_2_034C6410
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343642B mov eax, dword ptr fs:[00000030h]2_2_0343642B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342642D mov eax, dword ptr fs:[00000030h]2_2_0342642D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC43D mov eax, dword ptr fs:[00000030h]2_2_034BC43D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B84CA mov eax, dword ptr fs:[00000030h]2_2_034B84CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C84CB mov eax, dword ptr fs:[00000030h]2_2_034C84CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034384D0 mov eax, dword ptr fs:[00000030h]2_2_034384D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034384D0 mov eax, dword ptr fs:[00000030h]2_2_034384D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B04E6 mov eax, dword ptr fs:[00000030h]2_2_034B04E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA484 mov eax, dword ptr fs:[00000030h]2_2_034FA484
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE4A8 mov eax, dword ptr fs:[00000030h]2_2_034AE4A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE4A8 mov eax, dword ptr fs:[00000030h]2_2_034AE4A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034304A5 mov ecx, dword ptr fs:[00000030h]2_2_034304A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC4B2 mov eax, dword ptr fs:[00000030h]2_2_034BC4B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430B4D mov eax, dword ptr fs:[00000030h]2_2_03430B4D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430B4D mov eax, dword ptr fs:[00000030h]2_2_03430B4D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430B4D mov eax, dword ptr fs:[00000030h]2_2_03430B4D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438B70 mov eax, dword ptr fs:[00000030h]2_2_03438B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438B70 mov eax, dword ptr fs:[00000030h]2_2_03438B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438B70 mov eax, dword ptr fs:[00000030h]2_2_03438B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B70 mov eax, dword ptr fs:[00000030h]2_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B70 mov eax, dword ptr fs:[00000030h]2_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B70 mov eax, dword ptr fs:[00000030h]2_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B70 mov eax, dword ptr fs:[00000030h]2_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504B08 mov eax, dword ptr fs:[00000030h]2_2_03504B08
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B2E mov eax, dword ptr fs:[00000030h]2_2_03440B2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B2E mov eax, dword ptr fs:[00000030h]2_2_03440B2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CB3E mov eax, dword ptr fs:[00000030h]2_2_0342CB3E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450B3B mov eax, dword ptr fs:[00000030h]2_2_03450B3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450B3B mov eax, dword ptr fs:[00000030h]2_2_03450B3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450B3B mov eax, dword ptr fs:[00000030h]2_2_03450B3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CBC0 mov eax, dword ptr fs:[00000030h]2_2_0346CBC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8BDE mov eax, dword ptr fs:[00000030h]2_2_034F8BDE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8BDE mov eax, dword ptr fs:[00000030h]2_2_034F8BDE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8BDE mov eax, dword ptr fs:[00000030h]2_2_034F8BDE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8BDE mov eax, dword ptr fs:[00000030h]2_2_034F8BDE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436BD0 mov eax, dword ptr fs:[00000030h]2_2_03436BD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436BD0 mov eax, dword ptr fs:[00000030h]2_2_03436BD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436BD0 mov eax, dword ptr fs:[00000030h]2_2_03436BD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342EBE0 mov eax, dword ptr fs:[00000030h]2_2_0342EBE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D6BEE mov ebx, dword ptr fs:[00000030h]2_2_034D6BEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D6BEE mov eax, dword ptr fs:[00000030h]2_2_034D6BEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504B87 mov eax, dword ptr fs:[00000030h]2_2_03504B87
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E6B97 mov eax, dword ptr fs:[00000030h]2_2_034E6B97
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EBBC mov eax, dword ptr fs:[00000030h]2_2_0345EBBC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BCA40 mov eax, dword ptr fs:[00000030h]2_2_034BCA40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BCA40 mov eax, dword ptr fs:[00000030h]2_2_034BCA40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BCA40 mov eax, dword ptr fs:[00000030h]2_2_034BCA40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430A50 mov eax, dword ptr fs:[00000030h]2_2_03430A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468A50 mov edx, dword ptr fs:[00000030h]2_2_03468A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034CAA50 mov eax, dword ptr fs:[00000030h]2_2_034CAA50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034CAA50 mov eax, dword ptr fs:[00000030h]2_2_034CAA50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E6A70 mov ecx, dword ptr fs:[00000030h]2_2_034E6A70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0A1F mov eax, dword ptr fs:[00000030h]2_2_034B0A1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0A1F mov eax, dword ptr fs:[00000030h]2_2_034B0A1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0A1F mov eax, dword ptr fs:[00000030h]2_2_034B0A1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438A20 mov eax, dword ptr fs:[00000030h]2_2_03438A20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438A20 mov eax, dword ptr fs:[00000030h]2_2_03438A20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA2F mov eax, dword ptr fs:[00000030h]2_2_0346CA2F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA2F mov eax, dword ptr fs:[00000030h]2_2_0346CA2F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA2F mov eax, dword ptr fs:[00000030h]2_2_0346CA2F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4AD2 mov eax, dword ptr fs:[00000030h]2_2_034D4AD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EAE0 mov eax, dword ptr fs:[00000030h]2_2_0345EAE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EAE0 mov eax, dword ptr fs:[00000030h]2_2_0345EAE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE0 mov eax, dword ptr fs:[00000030h]2_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE0 mov eax, dword ptr fs:[00000030h]2_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE0 mov eax, dword ptr fs:[00000030h]2_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE0 mov eax, dword ptr fs:[00000030h]2_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D0AF0 mov eax, dword ptr fs:[00000030h]2_2_034D0AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2AF0 mov eax, dword ptr fs:[00000030h]2_2_034D2AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2AF0 mov eax, dword ptr fs:[00000030h]2_2_034D2AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464A90 mov eax, dword ptr fs:[00000030h]2_2_03464A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464A90 mov eax, dword ptr fs:[00000030h]2_2_03464A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346AAAE mov eax, dword ptr fs:[00000030h]2_2_0346AAAE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346AAAE mov eax, dword ptr fs:[00000030h]2_2_0346AAAE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E6AA0 mov eax, dword ptr fs:[00000030h]2_2_034E6AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F894E mov eax, dword ptr fs:[00000030h]2_2_034F894E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F894E mov eax, dword ptr fs:[00000030h]2_2_034F894E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350494D mov eax, dword ptr fs:[00000030h]2_2_0350494D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4977 mov eax, dword ptr fs:[00000030h]2_2_034B4977
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4977 mov eax, dword ptr fs:[00000030h]2_2_034B4977
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C890B mov eax, dword ptr fs:[00000030h]2_2_034C890B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347092E mov eax, dword ptr fs:[00000030h]2_2_0347092E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347092E mov edx, dword ptr fs:[00000030h]2_2_0347092E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347092E mov eax, dword ptr fs:[00000030h]2_2_0347092E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343092D mov eax, dword ptr fs:[00000030h]2_2_0343092D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343092D mov eax, dword ptr fs:[00000030h]2_2_0343092D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]2_2_034C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]2_2_034C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C69C0 mov ecx, dword ptr fs:[00000030h]2_2_034C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034409CB mov eax, dword ptr fs:[00000030h]2_2_034409CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034409CB mov eax, dword ptr fs:[00000030h]2_2_034409CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034869DA mov eax, dword ptr fs:[00000030h]2_2_034869DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034869DA mov eax, dword ptr fs:[00000030h]2_2_034869DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034869DA mov eax, dword ptr fs:[00000030h]2_2_034869DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C9E4 mov eax, dword ptr fs:[00000030h]2_2_0346C9E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E9EE mov eax, dword ptr fs:[00000030h]2_2_0345E9EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C9F8 mov eax, dword ptr fs:[00000030h]2_2_0346C9F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035029EF mov eax, dword ptr fs:[00000030h]2_2_035029EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035029EF mov eax, dword ptr fs:[00000030h]2_2_035029EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464990 mov eax, dword ptr fs:[00000030h]2_2_03464990
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D0990 mov eax, dword ptr fs:[00000030h]2_2_034D0990
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D0990 mov eax, dword ptr fs:[00000030h]2_2_034D0990
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034549A5 mov eax, dword ptr fs:[00000030h]2_2_034549A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034549A5 mov eax, dword ptr fs:[00000030h]2_2_034549A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034869B2 mov eax, dword ptr fs:[00000030h]2_2_034869B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034629B9 mov eax, dword ptr fs:[00000030h]2_2_034629B9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034629B9 mov eax, dword ptr fs:[00000030h]2_2_034629B9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC840 mov ecx, dword ptr fs:[00000030h]2_2_034AC840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC840 mov eax, dword ptr fs:[00000030h]2_2_034AC840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC840 mov eax, dword ptr fs:[00000030h]2_2_034AC840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC840 mov eax, dword ptr fs:[00000030h]2_2_034AC840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]2_2_034E0845
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430807 mov eax, dword ptr fs:[00000030h]2_2_03430807
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460814 mov eax, dword ptr fs:[00000030h]2_2_03460814
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B88C0 mov eax, dword ptr fs:[00000030h]2_2_034B88C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034568D2 mov eax, dword ptr fs:[00000030h]2_2_034568D2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034568D2 mov eax, dword ptr fs:[00000030h]2_2_034568D2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034568D2 mov eax, dword ptr fs:[00000030h]2_2_034568D2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034288E8 mov eax, dword ptr fs:[00000030h]2_2_034288E8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034288E8 mov eax, dword ptr fs:[00000030h]2_2_034288E8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E880 mov eax, dword ptr fs:[00000030h]2_2_0345E880
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E88B0 mov eax, dword ptr fs:[00000030h]2_2_034E88B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E88B0 mov eax, dword ptr fs:[00000030h]2_2_034E88B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C8B9 mov eax, dword ptr fs:[00000030h]2_2_0346C8B9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C8B9 mov eax, dword ptr fs:[00000030h]2_2_0346C8B9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CF40 mov eax, dword ptr fs:[00000030h]2_2_0346CF40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432F48 mov eax, dword ptr fs:[00000030h]2_2_03432F48
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432F48 mov eax, dword ptr fs:[00000030h]2_2_03432F48
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432F48 mov eax, dword ptr fs:[00000030h]2_2_03432F48
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432F48 mov eax, dword ptr fs:[00000030h]2_2_03432F48
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344CF50 mov eax, dword ptr fs:[00000030h]2_2_0344CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344CF50 mov eax, dword ptr fs:[00000030h]2_2_0344CF50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D0F59 mov eax, dword ptr fs:[00000030h]2_2_034D0F59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D0F59 mov eax, dword ptr fs:[00000030h]2_2_034D0F59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D0F59 mov eax, dword ptr fs:[00000030h]2_2_034D0F59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462F58 mov eax, dword ptr fs:[00000030h]2_2_03462F58
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462F58 mov eax, dword ptr fs:[00000030h]2_2_03462F58
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EAF70 mov ecx, dword ptr fs:[00000030h]2_2_034EAF70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EEF07 mov eax, dword ptr fs:[00000030h]2_2_034EEF07
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2F00 mov eax, dword ptr fs:[00000030h]2_2_034D2F00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]2_2_0342CF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]2_2_0342CF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]2_2_0342CF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]2_2_0342CF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]2_2_0342CF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]2_2_0342CF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CF10 mov eax, dword ptr fs:[00000030h]2_2_0346CF10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504F3D mov eax, dword ptr fs:[00000030h]2_2_03504F3D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345AFC2 mov eax, dword ptr fs:[00000030h]2_2_0345AFC2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov ecx, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]2_2_03440FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DAFE0 mov eax, dword ptr fs:[00000030h]2_2_034DAFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DAFE0 mov eax, dword ptr fs:[00000030h]2_2_034DAFE0
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00D681F7
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D3A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D3A395
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D3A364 SetUnhandledExceptionFilter,0_2_00D3A364

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 994008Jump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D68C93 LogonUserW,0_2_00D68C93
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D13B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00D13B4C
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D14A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00D14A35
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D74EC9 mouse_event,0_2_00D74EC9
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FGTFTj8GLM.exe"Jump to behavior
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D681F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00D681F7
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D74C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00D74C03
          Source: FGTFTj8GLM.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: FGTFTj8GLM.exeBinary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D3886B cpuid 0_2_00D3886B
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D450D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00D450D7
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D52230 GetUserNameW,0_2_00D52230
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D4418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00D4418A
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D14AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D14AFE

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1776618710.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1776205623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: FGTFTj8GLM.exeBinary or memory string: WIN_81
          Source: FGTFTj8GLM.exeBinary or memory string: WIN_XP
          Source: FGTFTj8GLM.exeBinary or memory string: WIN_XPe
          Source: FGTFTj8GLM.exeBinary or memory string: WIN_VISTA
          Source: FGTFTj8GLM.exeBinary or memory string: WIN_7
          Source: FGTFTj8GLM.exeBinary or memory string: WIN_8
          Source: FGTFTj8GLM.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1776618710.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1776205623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D86596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00D86596
          Source: C:\Users\user\Desktop\FGTFTj8GLM.exeCode function: 0_2_00D86A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00D86A5A

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire Infrastructure2
          Valid Accounts          		2
          Native API          		2
          Valid Accounts          		2
          Valid Accounts          		2
          Valid Accounts          		21
          Input Capture          		2
          System Time Discovery          		Remote Services21
          Input Capture          		1
          Encrypted Channel          		Exfiltration Over Other Network Medium1
          System Shutdown/Reboot
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          DLL Side-Loading          		1
          Exploitation for Privilege Escalation          		1
          Disable or Modify Tools          		LSASS Memory15
          Security Software Discovery          		Remote Desktop Protocol1
          Archive Collected Data          		1
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)21
          Access Token Manipulation          		2
          Virtualization/Sandbox Evasion          		Security Account Manager2
          Virtualization/Sandbox Evasion          		SMB/Windows Admin Shares3
          Clipboard Data          		SteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook212
          Process Injection          		21
          Access Token Manipulation          		NTDS3
          Process Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
          DLL Side-Loading          		212
          Process Injection          		LSA Secrets1
          Application Window Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Deobfuscate/Decode Files or Information          		Cached Domain Credentials1
          Account Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
          Obfuscated Files or Information          		DCSync1
          System Owner/User Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading          		Proc Filesystem1
          File and Directory Discovery          		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow115
          System Information Discovery          		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          FGTFTj8GLM.exe83%ReversingLabsWin32.Trojan.AutoitInject
          FGTFTj8GLM.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          s-part-0017.t-0009.t-msedge.net
          		13.107.246.45
          		truefalse
            		high

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1587650
            Start date and time:2025-01-10 16:25:33 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 15s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Run name:Run with higher sleep bypass
            Number of analysed new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:FGTFTj8GLM.exe
            renamed because original name is a hash value
            Original Sample Name:00c955b38cfa57eb92373787b496bbe4fd868d930308ea64bdc865f1d720e6d2.exe
            Detection:MAL
            Classification:mal80.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 97%
            • Number of executed functions: 49
            • Number of non-executed functions: 270
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
            • Stop behavior analysis, all processes terminated

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • VT rate limit hit for: FGTFTj8GLM.exe

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            s-part-0017.t-0009.t-msedge.net30562134305434372.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            Mmm7GmDcR4.exeGet hashmaliciousLummaCBrowse
            • 13.107.246.45
            https://na4.docusign.net/Signing/EmailStart.aspx?a=ffa78034-d960-4bb3-b2a2-bb62a1fc4a65&etti=24&acct=86dab687-685e-40aa-af52-e5c3fc07b508&er=04714c6d-cc25-4a21-be91-01e1c43a5f3fGet hashmaliciousHTMLPhisherBrowse
            • 13.107.246.45
            hCkkM0lH0P.exeGet hashmaliciousAgentTeslaBrowse
            • 13.107.246.45
            RSLMZxqebl.exeGet hashmaliciousFormBookBrowse
            • 13.107.246.45
            nRNzqQOQwk.exeGet hashmaliciousGuLoaderBrowse
            • 13.107.246.45
            PO-0005082025 pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
            • 13.107.246.45
            PO-0005082025 pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
            • 13.107.246.45
            Shipping Document.exeGet hashmaliciousFormBook, PureLog StealerBrowse
            • 13.107.246.45
            1712226379134618467.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Temp\autB4AF.tmp

            Download File
            Process:C:\Users\user\Desktop\FGTFTj8GLM.exe
            File Type:data
            Category:dropped
            Size (bytes):288768
            Entropy (8bit):7.991218071635331
            Encrypted:true
            SSDEEP:6144:qHjnhexF86VSFjRkNkXUuGGgNZSKW+sqmxHObmCnsqlhDRWAs9V:qHjnheDEYcBGG3KWDrpO6FWhoV
            MD5:8C12DD2470E22ED012B5B5082E708118
            SHA1:FD622A0EF8BB400DB88D0A3B434D45AFEEC6B3FA
            SHA-256:80ADFCF88BF64FB1D20A7C21E704F7174772B522FF2F4B87BD712F512DA22F26
            SHA-512:10B5018D371225348E847E7FE5D7C058A6AD663EDAEACB2CED774714E1C619229BCF463AA82E3FBC3234D257BC93BB15D594AB1B13B7F356C3885AD1CABB4151
            Malicious:false
            Reputation:low
            Preview:.b.4M7DJ26D8..14.7DJ66D8.814N7DJ66D8I814N7DJ66D8I814N7DJ66D8.814@(.D6.M.h.0x..."_EdH;WVF/Zd)WX*W=.SQnE1$._*..wb.#X /.;I2m814N7DJO7M.tXV.sW#..V#.S...tW#.,...uXV.T...V#..QR\sW#.66D8I814.rDJz7E8.D.UN7DJ66D8.835E6OJ6`@8I814N7DJ.%D8I(14NG@J66.8I(14N5DJ06D8I814H7DJ66D8IH54N5DJ66D8K8q.N7TJ6&D8I8!4N'DJ66D8Y814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8gLTL:7DJ.b@8I(14Na@J6&D8I814N7DJ66D8i81TN7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814

            C:\Users\user\AppData\Local\Temp\nonhazardousness

            Download File
            Process:C:\Users\user\Desktop\FGTFTj8GLM.exe
            File Type:data
            Category:dropped
            Size (bytes):288768
            Entropy (8bit):7.991218071635331
            Encrypted:true
            SSDEEP:6144:qHjnhexF86VSFjRkNkXUuGGgNZSKW+sqmxHObmCnsqlhDRWAs9V:qHjnheDEYcBGG3KWDrpO6FWhoV
            MD5:8C12DD2470E22ED012B5B5082E708118
            SHA1:FD622A0EF8BB400DB88D0A3B434D45AFEEC6B3FA
            SHA-256:80ADFCF88BF64FB1D20A7C21E704F7174772B522FF2F4B87BD712F512DA22F26
            SHA-512:10B5018D371225348E847E7FE5D7C058A6AD663EDAEACB2CED774714E1C619229BCF463AA82E3FBC3234D257BC93BB15D594AB1B13B7F356C3885AD1CABB4151
            Malicious:false
            Reputation:low
            Preview:.b.4M7DJ26D8..14.7DJ66D8.814N7DJ66D8I814N7DJ66D8I814N7DJ66D8.814@(.D6.M.h.0x..."_EdH;WVF/Zd)WX*W=.SQnE1$._*..wb.#X /.;I2m814N7DJO7M.tXV.sW#..V#.S...tW#.,...uXV.T...V#..QR\sW#.66D8I814.rDJz7E8.D.UN7DJ66D8.835E6OJ6`@8I814N7DJ.%D8I(14NG@J66.8I(14N5DJ06D8I814H7DJ66D8IH54N5DJ66D8K8q.N7TJ6&D8I8!4N'DJ66D8Y814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8gLTL:7DJ.b@8I(14Na@J6&D8I814N7DJ66D8i81TN7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814N7DJ66D8I814

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.177644777614976
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:FGTFTj8GLM.exe
            File size:1'222'656 bytes
            MD5:d99576b8f02f430202d411d76d0320bc
            SHA1:32de07f5fc411c93311511bf6009881f0cda4d49
            SHA256:00c955b38cfa57eb92373787b496bbe4fd868d930308ea64bdc865f1d720e6d2
            SHA512:c58a4e7f0a287f569958acc8fed19518716b470b300f0056d13ad7e10d637a8758b2225f6686071a491d4b97cb13425ac64d5d68e6726cae647cf595c4a2a3cf
            SSDEEP:24576:xAHnh+eWsN3skA4RV1Hom2KXMmHaJ8kWroX7gzS5:Ih+ZkldoPK8YaJusX7gU
            TLSH:8245BE0273D1D036FFABA2739B6AF24156BD79254133852F13981DB9BD701B2223E663
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

            File Icon

            Icon Hash:aaf3e3e3938382a0

            Static PE Info

            General

            Entrypoint:0x42800a
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x676DBA7C [Thu Dec 26 20:20:12 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7

            Entrypoint Preview

            Instruction
            call 00007F1C84B0350Dh
            jmp 00007F1C84AF62C4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007F1C84AF644Ah
            cmp edi, eax
            jc 00007F1C84AF67AEh
            bt dword ptr [004C41FCh], 01h
            jnc 00007F1C84AF6449h
            rep movsb
            jmp 00007F1C84AF675Ch
            cmp ecx, 00000080h
            jc 00007F1C84AF6614h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007F1C84AF6450h
            bt dword ptr [004BF324h], 01h
            jc 00007F1C84AF6920h
            bt dword ptr [004C41FCh], 00000000h
            jnc 00007F1C84AF65EDh
            test edi, 00000003h
            jne 00007F1C84AF65FEh
            test esi, 00000003h
            jne 00007F1C84AF65DDh
            bt edi, 02h
            jnc 00007F1C84AF644Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007F1C84AF6453h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007F1C84AF64A5h
            bt esi, 03h

            Rich Headers

            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD5 build 40629
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD5 build 40629

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xbc0cc0x17c.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xc80000x60048.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1290000x7134.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa4b500x40.rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x8dfdd0x8e000310e36668512d53489c005622bb1b4a9False0.5735602580325704data6.675248351711057IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata0x8f0000x2fd8e0x2fe00748cf1ab2605ce1fd72d53d912abb68fFalse0.32828818537859006data5.763244005758284IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0xbf0000x8f740x5200aae9601d920f07080bdfadf43dfeff12False0.1017530487804878data1.1963819235530628IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0xc80000x600480x602006d47ef2d9525abded7e9a9ca51d827c0False0.9310488459037711data7.902698109496335IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0x1290000x71340x7200f04128ad0f87f42830e4a6cdbc38c719False0.7617530153508771data6.783955557128661IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_ICON0xc85a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
            RT_ICON0xc86d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
            RT_ICON0xc87f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
            RT_ICON0xc89200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
            RT_ICON0xc8c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
            RT_ICON0xc8d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
            RT_ICON0xc9bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
            RT_ICON0xca4800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
            RT_ICON0xca9e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
            RT_ICON0xccf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
            RT_ICON0xce0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
            RT_MENU0xce4a00x50dataEnglishGreat Britain0.9
            RT_STRING0xce4f00x594dataEnglishGreat Britain0.3333333333333333
            RT_STRING0xcea840x68adataEnglishGreat Britain0.2747909199522103
            RT_STRING0xcf1100x490dataEnglishGreat Britain0.3715753424657534
            RT_STRING0xcf5a00x5fcdataEnglishGreat Britain0.3087467362924282
            RT_STRING0xcfb9c0x65cdataEnglishGreat Britain0.34336609336609336
            RT_STRING0xd01f80x466dataEnglishGreat Britain0.3605683836589698
            RT_STRING0xd06600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
            RT_RCDATA0xd07b80x5730fdata1.0003248071457571
            RT_GROUP_ICON0x127ac80x76dataEnglishGreat Britain0.6610169491525424
            RT_GROUP_ICON0x127b400x14dataEnglishGreat Britain1.25
            RT_GROUP_ICON0x127b540x14dataEnglishGreat Britain1.15
            RT_GROUP_ICON0x127b680x14dataEnglishGreat Britain1.25
            RT_VERSION0x127b7c0xdcdataEnglishGreat Britain0.6181818181818182
            RT_MANIFEST0x127c580x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

            Imports

            DLLImport
            WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLLGetProcessMemoryInfo
            IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dllIsThemeActive
            KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishGreat Britain

            Network Behavior

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Jan 10, 2025 16:26:21.957681894 CET1.1.1.1192.168.2.30x5432No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
            Jan 10, 2025 16:26:21.957681894 CET1.1.1.1192.168.2.30x5432No error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:10:26:26
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\FGTFTj8GLM.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\FGTFTj8GLM.exe"
            Imagebase:0xd10000
            File size:1'222'656 bytes
            MD5 hash:D99576B8F02F430202D411D76D0320BC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:2
            Start time:10:26:27
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\FGTFTj8GLM.exe"
            Imagebase:0xfc0000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1776618710.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1776205623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:3.7%
              Dynamic/Decrypted Code Coverage:1.5%
              Signature Coverage:9.7%
              Total number of Nodes:2000
              Total number of Limit Nodes:184
              execution_graph 98019 d37e93 98020 d37e9f __setmode 98019->98020 98056 d3a048 GetStartupInfoW 98020->98056 98022 d37ea4 98058 d38dbc GetProcessHeap 98022->98058 98024 d37efc 98025 d37f07 98024->98025 98141 d37fe3 58 API calls 3 library calls 98024->98141 98059 d39d26 98025->98059 98028 d37f0d 98029 d37f18 __RTC_Initialize 98028->98029 98142 d37fe3 58 API calls 3 library calls 98028->98142 98080 d3d812 98029->98080 98032 d37f27 98033 d37f33 GetCommandLineW 98032->98033 98143 d37fe3 58 API calls 3 library calls 98032->98143 98099 d45173 GetEnvironmentStringsW 98033->98099 98037 d37f32 98037->98033 98039 d37f4d 98040 d37f58 98039->98040 98144 d332f5 58 API calls 3 library calls 98039->98144 98109 d44fa8 98040->98109 98043 d37f5e 98044 d37f69 98043->98044 98145 d332f5 58 API calls 3 library calls 98043->98145 98123 d3332f 98044->98123 98047 d37f71 98048 d37f7c __wwincmdln 98047->98048 98146 d332f5 58 API calls 3 library calls 98047->98146 98129 d1492e 98048->98129 98051 d37f90 98052 d37f9f 98051->98052 98147 d33598 58 API calls _doexit 98051->98147 98148 d33320 58 API calls _doexit 98052->98148 98055 d37fa4 __setmode 98057 d3a05e 98056->98057 98057->98022 98058->98024 98149 d333c7 36 API calls 2 library calls 98059->98149 98061 d39d2b 98150 d39f7c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 98061->98150 98063 d39d30 98064 d39d34 98063->98064 98152 d39fca TlsAlloc 98063->98152 98151 d39d9c 61 API calls 2 library calls 98064->98151 98067 d39d39 98067->98028 98068 d39d46 98068->98064 98069 d39d51 98068->98069 98153 d38a15 98069->98153 98072 d39d93 98161 d39d9c 61 API calls 2 library calls 98072->98161 98075 d39d98 98075->98028 98076 d39d72 98076->98072 98077 d39d78 98076->98077 98160 d39c73 58 API calls 4 library calls 98077->98160 98079 d39d80 GetCurrentThreadId 98079->98028 98081 d3d81e __setmode 98080->98081 98173 d39e4b 98081->98173 98083 d3d825 98084 d38a15 __calloc_crt 58 API calls 98083->98084 98086 d3d836 98084->98086 98085 d3d8a1 GetStartupInfoW 98093 d3d8b6 98085->98093 98096 d3d9e5 98085->98096 98086->98085 98087 d3d841 @_EH4_CallFilterFunc@8 __setmode 98086->98087 98087->98032 98088 d3daad 98182 d3dabd LeaveCriticalSection _doexit 98088->98182 98090 d38a15 __calloc_crt 58 API calls 98090->98093 98091 d3da32 GetStdHandle 98091->98096 98092 d3da45 GetFileType 98092->98096 98093->98090 98094 d3d904 98093->98094 98093->98096 98095 d3d938 GetFileType 98094->98095 98094->98096 98180 d3a06b InitializeCriticalSectionAndSpinCount 98094->98180 98095->98094 98096->98088 98096->98091 98096->98092 98181 d3a06b InitializeCriticalSectionAndSpinCount 98096->98181 98100 d45184 98099->98100 98101 d37f43 98099->98101 98222 d38a5d 58 API calls 2 library calls 98100->98222 98105 d44d6b GetModuleFileNameW 98101->98105 98103 d451aa _memmove 98104 d451c0 FreeEnvironmentStringsW 98103->98104 98104->98101 98106 d44d9f _wparse_cmdline 98105->98106 98108 d44ddf _wparse_cmdline 98106->98108 98223 d38a5d 58 API calls 2 library calls 98106->98223 98108->98039 98110 d44fc1 __NMSG_WRITE 98109->98110 98114 d44fb9 98109->98114 98111 d38a15 __calloc_crt 58 API calls 98110->98111 98119 d44fea __NMSG_WRITE 98111->98119 98112 d45041 98113 d32f95 _free 58 API calls 98112->98113 98113->98114 98114->98043 98115 d38a15 __calloc_crt 58 API calls 98115->98119 98116 d45066 98118 d32f95 _free 58 API calls 98116->98118 98118->98114 98119->98112 98119->98114 98119->98115 98119->98116 98120 d4507d 98119->98120 98224 d44857 58 API calls _memcpy_s 98119->98224 98225 d39006 IsProcessorFeaturePresent 98120->98225 98122 d45089 98122->98043 98124 d3333b __IsNonwritableInCurrentImage 98123->98124 98248 d3a711 98124->98248 98126 d33359 __initterm_e 98128 d33378 _doexit __IsNonwritableInCurrentImage 98126->98128 98251 d32f80 98126->98251 98128->98047 98130 d14948 98129->98130 98140 d149e7 98129->98140 98131 d14982 IsThemeActive 98130->98131 98286 d335ac 98131->98286 98135 d149ae 98298 d14a5b SystemParametersInfoW SystemParametersInfoW 98135->98298 98137 d149ba 98299 d13b4c 98137->98299 98139 d149c2 SystemParametersInfoW 98139->98140 98140->98051 98141->98025 98142->98029 98143->98037 98147->98052 98148->98055 98149->98061 98150->98063 98151->98067 98152->98068 98155 d38a1c 98153->98155 98156 d38a57 98155->98156 98158 d38a3a 98155->98158 98162 d45446 98155->98162 98156->98072 98159 d3a026 TlsSetValue 98156->98159 98158->98155 98158->98156 98170 d3a372 Sleep 98158->98170 98159->98076 98160->98079 98161->98075 98163 d45451 98162->98163 98164 d4546c 98162->98164 98163->98164 98165 d4545d 98163->98165 98167 d4547c RtlAllocateHeap 98164->98167 98168 d45462 98164->98168 98172 d335e1 DecodePointer 98164->98172 98171 d38d68 58 API calls __getptd_noexit 98165->98171 98167->98164 98167->98168 98168->98155 98170->98158 98171->98168 98172->98164 98174 d39e6f EnterCriticalSection 98173->98174 98175 d39e5c 98173->98175 98174->98083 98183 d39ed3 98175->98183 98177 d39e62 98177->98174 98207 d332f5 58 API calls 3 library calls 98177->98207 98180->98094 98181->98096 98182->98087 98184 d39edf __setmode 98183->98184 98185 d39f00 98184->98185 98186 d39ee8 98184->98186 98194 d39f21 __setmode 98185->98194 98211 d38a5d 58 API calls 2 library calls 98185->98211 98208 d3a3ab 58 API calls __NMSG_WRITE 98186->98208 98188 d39eed 98209 d3a408 58 API calls 6 library calls 98188->98209 98190 d39f15 98192 d39f2b 98190->98192 98193 d39f1c 98190->98193 98197 d39e4b __lock 58 API calls 98192->98197 98212 d38d68 58 API calls __getptd_noexit 98193->98212 98194->98177 98195 d39ef4 98210 d332df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98195->98210 98199 d39f32 98197->98199 98201 d39f57 98199->98201 98202 d39f3f 98199->98202 98214 d32f95 98201->98214 98213 d3a06b InitializeCriticalSectionAndSpinCount 98202->98213 98205 d39f4b 98220 d39f73 LeaveCriticalSection _doexit 98205->98220 98208->98188 98209->98195 98211->98190 98212->98194 98213->98205 98215 d32fc7 _free 98214->98215 98216 d32f9e RtlFreeHeap 98214->98216 98215->98205 98216->98215 98217 d32fb3 98216->98217 98221 d38d68 58 API calls __getptd_noexit 98217->98221 98219 d32fb9 GetLastError 98219->98215 98220->98194 98221->98219 98222->98103 98223->98108 98224->98119 98226 d39011 98225->98226 98231 d38e99 98226->98231 98230 d3902c 98230->98122 98232 d38eb3 _memset __call_reportfault 98231->98232 98233 d38ed3 IsDebuggerPresent 98232->98233 98239 d3a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 98233->98239 98236 d38f97 __call_reportfault 98240 d3c836 98236->98240 98237 d38fba 98238 d3a380 GetCurrentProcess TerminateProcess 98237->98238 98238->98230 98239->98236 98241 d3c840 IsProcessorFeaturePresent 98240->98241 98242 d3c83e 98240->98242 98244 d45b5a 98241->98244 98242->98237 98247 d45b09 5 API calls 2 library calls 98244->98247 98246 d45c3d 98246->98237 98247->98246 98249 d3a714 EncodePointer 98248->98249 98249->98249 98250 d3a72e 98249->98250 98250->98126 98254 d32e84 98251->98254 98253 d32f8b 98253->98128 98255 d32e90 __setmode 98254->98255 98262 d33457 98255->98262 98261 d32eb7 __setmode 98261->98253 98263 d39e4b __lock 58 API calls 98262->98263 98264 d32e99 98263->98264 98265 d32ec8 DecodePointer DecodePointer 98264->98265 98266 d32ea5 98265->98266 98267 d32ef5 98265->98267 98276 d32ec2 98266->98276 98267->98266 98279 d389e4 59 API calls _memcpy_s 98267->98279 98269 d32f58 EncodePointer EncodePointer 98269->98266 98270 d32f2c 98270->98266 98275 d32f46 EncodePointer 98270->98275 98281 d38aa4 61 API calls __realloc_crt 98270->98281 98271 d32f07 98271->98269 98271->98270 98280 d38aa4 61 API calls __realloc_crt 98271->98280 98274 d32f40 98274->98266 98274->98275 98275->98269 98282 d33460 98276->98282 98279->98271 98280->98270 98281->98274 98285 d39fb5 LeaveCriticalSection 98282->98285 98284 d32ec7 98284->98261 98285->98284 98287 d39e4b __lock 58 API calls 98286->98287 98288 d335b7 DecodePointer EncodePointer 98287->98288 98351 d39fb5 LeaveCriticalSection 98288->98351 98290 d149a7 98291 d33614 98290->98291 98292 d33638 98291->98292 98293 d3361e 98291->98293 98292->98135 98293->98292 98352 d38d68 58 API calls __getptd_noexit 98293->98352 98295 d33628 98353 d38ff6 9 API calls _memcpy_s 98295->98353 98297 d33633 98297->98135 98298->98137 98300 d13b59 __ftell_nolock 98299->98300 98354 d177c7 98300->98354 98304 d13b8c IsDebuggerPresent 98305 d4d4ad MessageBoxA 98304->98305 98306 d13b9a 98304->98306 98309 d4d4c7 98305->98309 98307 d13c73 98306->98307 98306->98309 98310 d13bb7 98306->98310 98308 d13c7a SetCurrentDirectoryW 98307->98308 98311 d13c87 Mailbox 98308->98311 98578 d17373 59 API calls Mailbox 98309->98578 98440 d173e5 98310->98440 98311->98139 98315 d13bd5 GetFullPathNameW 98456 d17d2c 98315->98456 98317 d13c10 98465 d20a8d 98317->98465 98318 d4d4d7 98319 d4d4ed SetCurrentDirectoryW 98318->98319 98319->98311 98322 d13c2e 98323 d13c38 98322->98323 98579 d74c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 98322->98579 98481 d13a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 98323->98481 98326 d4d50a 98326->98323 98329 d4d51b 98326->98329 98580 d14864 98329->98580 98330 d13c42 98332 d13c55 98330->98332 98489 d143db 98330->98489 98500 d20b30 98332->98500 98333 d4d523 98587 d17f41 98333->98587 98337 d13c60 98337->98307 98577 d144cb Shell_NotifyIconW _memset 98337->98577 98338 d4d530 98339 d4d55f 98338->98339 98340 d4d53a 98338->98340 98342 d17e0b 59 API calls 98339->98342 98591 d17e0b 98340->98591 98344 d4d55b GetForegroundWindow ShellExecuteW 98342->98344 98348 d4d58f Mailbox 98344->98348 98348->98307 98351->98290 98352->98295 98353->98297 98607 d30ff6 98354->98607 98356 d177e8 98357 d30ff6 Mailbox 59 API calls 98356->98357 98358 d13b63 GetCurrentDirectoryW 98357->98358 98359 d13778 98358->98359 98360 d177c7 59 API calls 98359->98360 98361 d1378e 98360->98361 98645 d13d43 98361->98645 98363 d137ac 98364 d14864 61 API calls 98363->98364 98365 d137c0 98364->98365 98366 d17f41 59 API calls 98365->98366 98367 d137cd 98366->98367 98659 d14f3d 98367->98659 98370 d4d3ae 98730 d797e5 98370->98730 98371 d137ee Mailbox 98683 d181a7 98371->98683 98374 d4d3cd 98377 d32f95 _free 58 API calls 98374->98377 98379 d4d3da 98377->98379 98381 d14faa 84 API calls 98379->98381 98383 d4d3e3 98381->98383 98387 d13ee2 59 API calls 98383->98387 98384 d17f41 59 API calls 98385 d1381a 98384->98385 98690 d18620 98385->98690 98389 d4d3fe 98387->98389 98388 d1382c Mailbox 98390 d17f41 59 API calls 98388->98390 98391 d13ee2 59 API calls 98389->98391 98392 d13852 98390->98392 98393 d4d41a 98391->98393 98394 d18620 69 API calls 98392->98394 98395 d14864 61 API calls 98393->98395 98397 d13861 Mailbox 98394->98397 98396 d4d43f 98395->98396 98398 d13ee2 59 API calls 98396->98398 98400 d177c7 59 API calls 98397->98400 98399 d4d44b 98398->98399 98401 d181a7 59 API calls 98399->98401 98402 d1387f 98400->98402 98403 d4d459 98401->98403 98694 d13ee2 98402->98694 98405 d13ee2 59 API calls 98403->98405 98407 d4d468 98405->98407 98413 d181a7 59 API calls 98407->98413 98409 d13899 98409->98383 98410 d138a3 98409->98410 98411 d3313d _W_store_winword 60 API calls 98410->98411 98412 d138ae 98411->98412 98412->98389 98414 d138b8 98412->98414 98415 d4d48a 98413->98415 98416 d3313d _W_store_winword 60 API calls 98414->98416 98417 d13ee2 59 API calls 98415->98417 98418 d138c3 98416->98418 98419 d4d497 98417->98419 98418->98393 98420 d138cd 98418->98420 98419->98419 98421 d3313d _W_store_winword 60 API calls 98420->98421 98422 d138d8 98421->98422 98422->98407 98423 d13919 98422->98423 98425 d13ee2 59 API calls 98422->98425 98423->98407 98424 d13926 98423->98424 98710 d1942e 98424->98710 98427 d138fc 98425->98427 98429 d181a7 59 API calls 98427->98429 98431 d1390a 98429->98431 98433 d13ee2 59 API calls 98431->98433 98433->98423 98435 d193ea 59 API calls 98437 d13961 98435->98437 98436 d19040 60 API calls 98436->98437 98437->98435 98437->98436 98438 d13ee2 59 API calls 98437->98438 98439 d139a7 Mailbox 98437->98439 98438->98437 98439->98304 98441 d173f2 __ftell_nolock 98440->98441 98442 d1740b 98441->98442 98443 d4ee4b _memset 98441->98443 99374 d148ae 98442->99374 98445 d4ee67 GetOpenFileNameW 98443->98445 98447 d4eeb6 98445->98447 98449 d17d2c 59 API calls 98447->98449 98451 d4eecb 98449->98451 98451->98451 98453 d17429 99402 d169ca 98453->99402 98457 d17da5 98456->98457 98458 d17d38 __NMSG_WRITE 98456->98458 98459 d17e8c 59 API calls 98457->98459 98460 d17d73 98458->98460 98461 d17d4e 98458->98461 98464 d17d56 _memmove 98459->98464 98463 d18189 59 API calls 98460->98463 99671 d18087 59 API calls Mailbox 98461->99671 98463->98464 98464->98317 98466 d20a9a __ftell_nolock 98465->98466 99672 d16ee0 98466->99672 98468 d20a9f 98469 d13c26 98468->98469 99683 d212fe 89 API calls 98468->99683 98469->98318 98469->98322 98471 d20aac 98471->98469 99684 d24047 91 API calls Mailbox 98471->99684 98473 d20ab5 98473->98469 98474 d20ab9 GetFullPathNameW 98473->98474 98475 d17d2c 59 API calls 98474->98475 98476 d20ae5 98475->98476 98477 d17d2c 59 API calls 98476->98477 98478 d20af2 98477->98478 98479 d550d5 _wcscat 98478->98479 98480 d17d2c 59 API calls 98478->98480 98480->98469 98482 d13ac2 LoadImageW RegisterClassExW 98481->98482 98483 d4d49c 98481->98483 99722 d13041 7 API calls 98482->99722 99723 d148fe LoadImageW EnumResourceNamesW 98483->99723 98486 d13b46 98488 d139e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98486->98488 98487 d4d4a5 98488->98330 98490 d14406 _memset 98489->98490 99724 d14213 98490->99724 98493 d1448b 98495 d144c1 Shell_NotifyIconW 98493->98495 98496 d144a5 Shell_NotifyIconW 98493->98496 98497 d144b3 98495->98497 98496->98497 99728 d1410d 98497->99728 98499 d144ba 98499->98332 98501 d550ed 98500->98501 98515 d20b55 98500->98515 99892 d7a0b5 89 API calls 4 library calls 98501->99892 98503 d20e5a 98503->98337 98505 d21044 98505->98503 98507 d21051 98505->98507 99890 d211f3 331 API calls Mailbox 98507->99890 98508 d20bab PeekMessageW 98576 d20b65 Mailbox 98508->98576 98510 d21058 LockWindowUpdate DestroyWindow GetMessageW 98510->98503 98513 d2108a 98510->98513 98512 d552ab Sleep 98512->98576 98516 d56082 TranslateMessage DispatchMessageW GetMessageW 98513->98516 98514 d20e44 98514->98503 99889 d211d0 10 API calls Mailbox 98514->99889 98515->98576 99893 d19fbd 60 API calls 98515->99893 99894 d668bf 331 API calls 98515->99894 98516->98516 98518 d560b2 98516->98518 98518->98503 98519 d20fa3 PeekMessageW 98519->98576 98520 d20fbf TranslateMessage DispatchMessageW 98520->98519 98521 d5517a TranslateAcceleratorW 98521->98519 98521->98576 98522 d30ff6 59 API calls Mailbox 98522->98576 98523 d20e73 timeGetTime 98523->98576 98524 d55c49 WaitForSingleObject 98526 d55c66 GetExitCodeProcess CloseHandle 98524->98526 98524->98576 98561 d210f5 98526->98561 98527 d20fdd Sleep 98560 d20fee Mailbox 98527->98560 98528 d181a7 59 API calls 98528->98576 98529 d177c7 59 API calls 98529->98560 98530 d55f22 Sleep 98530->98560 98532 d1b89c 304 API calls 98532->98576 98534 d30719 timeGetTime 98534->98560 98535 d210ae timeGetTime 99891 d19fbd 60 API calls 98535->99891 98539 d55fb9 GetExitCodeProcess 98540 d55fe5 CloseHandle 98539->98540 98541 d55fcf WaitForSingleObject 98539->98541 98540->98560 98541->98540 98541->98576 98544 d961ac 110 API calls 98544->98560 98545 d1b93d 109 API calls 98545->98560 98546 d55c9e 98546->98561 98547 d56041 Sleep 98547->98576 98548 d554a2 Sleep 98548->98576 98550 d17f41 59 API calls 98550->98560 98553 d19fbd 60 API calls 98553->98576 98556 d1a000 304 API calls 98556->98576 98560->98529 98560->98534 98560->98539 98560->98544 98560->98545 98560->98546 98560->98547 98560->98548 98560->98550 98560->98561 98560->98576 99919 d728f7 60 API calls 98560->99919 99920 d19fbd 60 API calls 98560->99920 99921 d18b13 69 API calls Mailbox 98560->99921 99922 d1b89c 331 API calls 98560->99922 99923 d66a50 60 API calls 98560->99923 99924 d754e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98560->99924 99925 d73e91 66 API calls Mailbox 98560->99925 98561->98337 98563 d7a0b5 89 API calls 98563->98576 98565 d19df0 59 API calls Mailbox 98565->98576 98566 d18620 69 API calls 98566->98576 98568 d666f4 59 API calls Mailbox 98568->98576 98569 d559ff VariantClear 98569->98576 98570 d55a95 VariantClear 98570->98576 98571 d18e34 59 API calls Mailbox 98571->98576 98572 d55843 VariantClear 98572->98576 98573 d67405 59 API calls 98573->98576 98574 d17f41 59 API calls 98574->98576 98575 d18b13 69 API calls 98575->98576 98576->98508 98576->98512 98576->98514 98576->98519 98576->98520 98576->98521 98576->98522 98576->98523 98576->98524 98576->98527 98576->98528 98576->98530 98576->98532 98576->98535 98576->98553 98576->98556 98576->98560 98576->98561 98576->98563 98576->98565 98576->98566 98576->98568 98576->98569 98576->98570 98576->98571 98576->98572 98576->98573 98576->98574 98576->98575 99751 d1e580 98576->99751 99758 d1e800 98576->99758 99789 d1f5c0 98576->99789 99808 d1fe40 98576->99808 99888 d131ce IsDialogMessageW GetClassLongW 98576->99888 99895 d9629f 59 API calls 98576->99895 99896 d79c9f 59 API calls Mailbox 98576->99896 99897 d6d9e3 59 API calls 98576->99897 99898 d19997 98576->99898 99916 d66665 59 API calls 2 library calls 98576->99916 99917 d18561 59 API calls 98576->99917 99918 d1843f 59 API calls Mailbox 98576->99918 98577->98307 98578->98318 98579->98326 98581 d41b90 __ftell_nolock 98580->98581 98582 d14871 GetModuleFileNameW 98581->98582 98583 d17f41 59 API calls 98582->98583 98584 d14897 98583->98584 98585 d148ae 60 API calls 98584->98585 98586 d148a1 Mailbox 98585->98586 98586->98333 98588 d17f50 __NMSG_WRITE _memmove 98587->98588 98589 d30ff6 Mailbox 59 API calls 98588->98589 98590 d17f8e 98589->98590 98590->98338 98592 d4f173 98591->98592 98593 d17e1f 98591->98593 98595 d18189 59 API calls 98592->98595 100280 d17db0 98593->100280 98597 d4f17e __NMSG_WRITE _memmove 98595->98597 98596 d17e2a 98598 d17c8e 98596->98598 98599 d4f094 98598->98599 98600 d17ca0 98598->98600 98610 d30ffe 98607->98610 98609 d31018 98609->98356 98610->98609 98612 d3101c std::exception::exception 98610->98612 98617 d3594c 98610->98617 98634 d335e1 DecodePointer 98610->98634 98635 d387db RaiseException 98612->98635 98614 d31046 98636 d38711 58 API calls _free 98614->98636 98616 d31058 98616->98356 98618 d359c7 98617->98618 98624 d35958 98617->98624 98643 d335e1 DecodePointer 98618->98643 98620 d359cd 98644 d38d68 58 API calls __getptd_noexit 98620->98644 98623 d3598b RtlAllocateHeap 98623->98624 98633 d359bf 98623->98633 98624->98623 98626 d359b3 98624->98626 98627 d35963 98624->98627 98631 d359b1 98624->98631 98640 d335e1 DecodePointer 98624->98640 98641 d38d68 58 API calls __getptd_noexit 98626->98641 98627->98624 98637 d3a3ab 58 API calls __NMSG_WRITE 98627->98637 98638 d3a408 58 API calls 6 library calls 98627->98638 98639 d332df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98627->98639 98642 d38d68 58 API calls __getptd_noexit 98631->98642 98633->98610 98634->98610 98635->98614 98636->98616 98637->98627 98638->98627 98640->98624 98641->98631 98642->98633 98643->98620 98644->98633 98646 d13d50 __ftell_nolock 98645->98646 98647 d17d2c 59 API calls 98646->98647 98658 d13eb6 Mailbox 98646->98658 98649 d13d82 98647->98649 98652 d13db8 Mailbox 98649->98652 98771 d17b52 98649->98771 98650 d17b52 59 API calls 98650->98652 98651 d13e89 98653 d17f41 59 API calls 98651->98653 98651->98658 98652->98650 98652->98651 98654 d17f41 59 API calls 98652->98654 98652->98658 98774 d13f84 98652->98774 98655 d13eaa 98653->98655 98654->98652 98656 d13f84 59 API calls 98655->98656 98656->98658 98658->98363 98784 d14d13 98659->98784 98664 d14f68 LoadLibraryExW 98794 d14cc8 98664->98794 98665 d4dd0f 98666 d14faa 84 API calls 98665->98666 98668 d4dd16 98666->98668 98670 d14cc8 3 API calls 98668->98670 98673 d4dd1e 98670->98673 98672 d14f8f 98672->98673 98674 d14f9b 98672->98674 98820 d1506b 98673->98820 98675 d14faa 84 API calls 98674->98675 98677 d137e6 98675->98677 98677->98370 98677->98371 98680 d4dd45 98828 d15027 98680->98828 98682 d4dd52 98684 d181b2 98683->98684 98685 d13801 98683->98685 99082 d180d7 59 API calls 2 library calls 98684->99082 98687 d193ea 98685->98687 98688 d30ff6 Mailbox 59 API calls 98687->98688 98689 d1380d 98688->98689 98689->98384 98691 d1862b 98690->98691 98693 d18652 98691->98693 99083 d18b13 69 API calls Mailbox 98691->99083 98693->98388 98695 d13f05 98694->98695 98696 d13eec 98694->98696 98698 d17d2c 59 API calls 98695->98698 98697 d181a7 59 API calls 98696->98697 98699 d1388b 98697->98699 98698->98699 98700 d3313d 98699->98700 98701 d33149 98700->98701 98702 d331be 98700->98702 98709 d3316e 98701->98709 99084 d38d68 58 API calls __getptd_noexit 98701->99084 99086 d331d0 60 API calls 3 library calls 98702->99086 98705 d331cb 98705->98409 98706 d33155 99085 d38ff6 9 API calls _memcpy_s 98706->99085 98708 d33160 98708->98409 98709->98409 98711 d19436 98710->98711 98712 d30ff6 Mailbox 59 API calls 98711->98712 98713 d19444 98712->98713 98714 d13936 98713->98714 99087 d1935c 59 API calls Mailbox 98713->99087 98716 d191b0 98714->98716 99088 d192c0 98716->99088 98718 d30ff6 Mailbox 59 API calls 98720 d13944 98718->98720 98719 d191bf 98719->98718 98719->98720 98721 d19040 98720->98721 98722 d4f5a5 98721->98722 98727 d19057 98721->98727 98722->98727 99098 d18d3b 59 API calls Mailbox 98722->99098 98724 d191a0 99097 d19e9c 60 API calls Mailbox 98724->99097 98725 d19158 98728 d30ff6 Mailbox 59 API calls 98725->98728 98727->98724 98727->98725 98729 d1915f 98727->98729 98728->98729 98729->98437 98731 d15045 85 API calls 98730->98731 98732 d79854 98731->98732 99099 d799be 98732->99099 98735 d1506b 74 API calls 98736 d79881 98735->98736 98737 d1506b 74 API calls 98736->98737 98738 d79891 98737->98738 98739 d1506b 74 API calls 98738->98739 98740 d798ac 98739->98740 98741 d1506b 74 API calls 98740->98741 98742 d798c7 98741->98742 98743 d15045 85 API calls 98742->98743 98744 d798de 98743->98744 98745 d3594c __crtGetStringTypeA_stat 58 API calls 98744->98745 98746 d798e5 98745->98746 98747 d3594c __crtGetStringTypeA_stat 58 API calls 98746->98747 98748 d798ef 98747->98748 98749 d1506b 74 API calls 98748->98749 98750 d79903 98749->98750 98751 d79393 GetSystemTimeAsFileTime 98750->98751 98752 d79916 98751->98752 98753 d79940 98752->98753 98754 d7992b 98752->98754 98756 d79946 98753->98756 98757 d799a5 98753->98757 98755 d32f95 _free 58 API calls 98754->98755 98758 d79931 98755->98758 99105 d78d90 98756->99105 98760 d32f95 _free 58 API calls 98757->98760 98761 d32f95 _free 58 API calls 98758->98761 98763 d4d3c1 98760->98763 98761->98763 98763->98374 98765 d14faa 98763->98765 98764 d32f95 _free 58 API calls 98764->98763 98766 d14fb4 98765->98766 98770 d14fbb 98765->98770 98767 d355d6 __fcloseall 83 API calls 98766->98767 98767->98770 98768 d14fdb FreeLibrary 98769 d14fca 98768->98769 98769->98374 98770->98768 98770->98769 98780 d17faf 98771->98780 98773 d17b5d 98773->98649 98775 d13f92 98774->98775 98779 d13fb4 _memmove 98774->98779 98778 d30ff6 Mailbox 59 API calls 98775->98778 98776 d30ff6 Mailbox 59 API calls 98777 d13fc8 98776->98777 98777->98652 98778->98779 98779->98776 98781 d17fc2 98780->98781 98783 d17fbf _memmove 98780->98783 98782 d30ff6 Mailbox 59 API calls 98781->98782 98782->98783 98783->98773 98833 d14d61 98784->98833 98787 d14d61 2 API calls 98790 d14d3a 98787->98790 98788 d14d53 98791 d3548b 98788->98791 98789 d14d4a FreeLibrary 98789->98788 98790->98788 98790->98789 98837 d354a0 98791->98837 98793 d14f5c 98793->98664 98793->98665 98997 d14d94 98794->98997 98797 d14ced 98798 d14d08 98797->98798 98799 d14cff FreeLibrary 98797->98799 98801 d14dd0 98798->98801 98799->98798 98800 d14d94 2 API calls 98800->98797 98802 d30ff6 Mailbox 59 API calls 98801->98802 98803 d14de5 98802->98803 99001 d1538e 98803->99001 98805 d14df1 _memmove 98806 d14e2c 98805->98806 98807 d14f21 98805->98807 98808 d14ee9 98805->98808 98809 d15027 69 API calls 98806->98809 99015 d79ba5 95 API calls 98807->99015 99004 d14fe9 CreateStreamOnHGlobal 98808->99004 98817 d14e35 98809->98817 98812 d1506b 74 API calls 98812->98817 98813 d14ec9 98813->98672 98815 d4dcd0 98816 d15045 85 API calls 98815->98816 98818 d4dce4 98816->98818 98817->98812 98817->98813 98817->98815 99010 d15045 98817->99010 98819 d1506b 74 API calls 98818->98819 98819->98813 98821 d4ddf6 98820->98821 98822 d1507d 98820->98822 99039 d35812 98822->99039 98825 d79393 99059 d791e9 98825->99059 98827 d793a9 98827->98680 98829 d15036 98828->98829 98830 d4ddb9 98828->98830 99064 d35e90 98829->99064 98832 d1503e 98832->98682 98834 d14d2e 98833->98834 98835 d14d6a LoadLibraryA 98833->98835 98834->98787 98834->98790 98835->98834 98836 d14d7b GetProcAddress 98835->98836 98836->98834 98839 d354ac __setmode 98837->98839 98838 d354bf 98886 d38d68 58 API calls __getptd_noexit 98838->98886 98839->98838 98841 d354f0 98839->98841 98856 d40738 98841->98856 98842 d354c4 98887 d38ff6 9 API calls _memcpy_s 98842->98887 98845 d354f5 98846 d3550b 98845->98846 98847 d354fe 98845->98847 98849 d35535 98846->98849 98850 d35515 98846->98850 98888 d38d68 58 API calls __getptd_noexit 98847->98888 98871 d40857 98849->98871 98889 d38d68 58 API calls __getptd_noexit 98850->98889 98851 d354cf @_EH4_CallFilterFunc@8 __setmode 98851->98793 98857 d40744 __setmode 98856->98857 98858 d39e4b __lock 58 API calls 98857->98858 98865 d40752 98858->98865 98859 d407c6 98891 d4084e 98859->98891 98860 d407cd 98896 d38a5d 58 API calls 2 library calls 98860->98896 98863 d40843 __setmode 98863->98845 98864 d407d4 98864->98859 98897 d3a06b InitializeCriticalSectionAndSpinCount 98864->98897 98865->98859 98865->98860 98867 d39ed3 __mtinitlocknum 58 API calls 98865->98867 98894 d36e8d 59 API calls __lock 98865->98894 98895 d36ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98865->98895 98867->98865 98869 d407fa EnterCriticalSection 98869->98859 98872 d40877 __wopenfile 98871->98872 98873 d40891 98872->98873 98885 d40a4c 98872->98885 98904 d33a0b 60 API calls 2 library calls 98872->98904 98902 d38d68 58 API calls __getptd_noexit 98873->98902 98875 d40896 98903 d38ff6 9 API calls _memcpy_s 98875->98903 98877 d40aaf 98899 d487f1 98877->98899 98878 d35540 98890 d35562 LeaveCriticalSection LeaveCriticalSection _fseek 98878->98890 98881 d40a45 98881->98885 98905 d33a0b 60 API calls 2 library calls 98881->98905 98883 d40a64 98883->98885 98906 d33a0b 60 API calls 2 library calls 98883->98906 98885->98873 98885->98877 98886->98842 98887->98851 98888->98851 98889->98851 98890->98851 98898 d39fb5 LeaveCriticalSection 98891->98898 98893 d40855 98893->98863 98894->98865 98895->98865 98896->98864 98897->98869 98898->98893 98907 d47fd5 98899->98907 98901 d4880a 98901->98878 98902->98875 98903->98878 98904->98881 98905->98883 98906->98885 98910 d47fe1 __setmode 98907->98910 98908 d47ff7 98994 d38d68 58 API calls __getptd_noexit 98908->98994 98910->98908 98912 d4802d 98910->98912 98911 d47ffc 98995 d38ff6 9 API calls _memcpy_s 98911->98995 98918 d4809e 98912->98918 98915 d48049 98996 d48072 LeaveCriticalSection __unlock_fhandle 98915->98996 98917 d48006 __setmode 98917->98901 98919 d480be 98918->98919 98920 d3471a __wsopen_nolock 58 API calls 98919->98920 98923 d480da 98920->98923 98921 d39006 __invoke_watson 8 API calls 98922 d487f0 98921->98922 98924 d47fd5 __wsopen_helper 103 API calls 98922->98924 98925 d48114 98923->98925 98931 d48137 98923->98931 98941 d48211 98923->98941 98926 d4880a 98924->98926 98927 d38d34 __free_osfhnd 58 API calls 98925->98927 98926->98915 98928 d48119 98927->98928 98929 d38d68 _memcpy_s 58 API calls 98928->98929 98930 d48126 98929->98930 98933 d38ff6 _memcpy_s 9 API calls 98930->98933 98932 d481f5 98931->98932 98940 d481d3 98931->98940 98934 d38d34 __free_osfhnd 58 API calls 98932->98934 98935 d48130 98933->98935 98936 d481fa 98934->98936 98935->98915 98937 d38d68 _memcpy_s 58 API calls 98936->98937 98938 d48207 98937->98938 98939 d38ff6 _memcpy_s 9 API calls 98938->98939 98939->98941 98942 d3d4d4 __alloc_osfhnd 61 API calls 98940->98942 98941->98921 98943 d482a1 98942->98943 98944 d482ce 98943->98944 98945 d482ab 98943->98945 98946 d47f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98944->98946 98947 d38d34 __free_osfhnd 58 API calls 98945->98947 98957 d482f0 98946->98957 98948 d482b0 98947->98948 98949 d38d68 _memcpy_s 58 API calls 98948->98949 98951 d482ba 98949->98951 98950 d4836e GetFileType 98952 d48379 GetLastError 98950->98952 98953 d483bb 98950->98953 98955 d38d68 _memcpy_s 58 API calls 98951->98955 98956 d38d47 __dosmaperr 58 API calls 98952->98956 98964 d3d76a __set_osfhnd 59 API calls 98953->98964 98954 d4833c GetLastError 98958 d38d47 __dosmaperr 58 API calls 98954->98958 98955->98935 98959 d483a0 CloseHandle 98956->98959 98957->98950 98957->98954 98960 d47f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98957->98960 98961 d48361 98958->98961 98959->98961 98962 d483ae 98959->98962 98963 d48331 98960->98963 98965 d38d68 _memcpy_s 58 API calls 98961->98965 98966 d38d68 _memcpy_s 58 API calls 98962->98966 98963->98950 98963->98954 98969 d483d9 98964->98969 98965->98941 98967 d483b3 98966->98967 98967->98961 98968 d48594 98968->98941 98971 d48767 CloseHandle 98968->98971 98969->98968 98970 d41b11 __lseeki64_nolock 60 API calls 98969->98970 98985 d4845a 98969->98985 98972 d48443 98970->98972 98973 d47f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98971->98973 98975 d38d34 __free_osfhnd 58 API calls 98972->98975 98991 d48462 98972->98991 98974 d4878e 98973->98974 98976 d48796 GetLastError 98974->98976 98977 d4861e 98974->98977 98975->98985 98978 d38d47 __dosmaperr 58 API calls 98976->98978 98977->98941 98979 d487a2 98978->98979 98983 d3d67d __free_osfhnd 59 API calls 98979->98983 98980 d40d2d __close_nolock 61 API calls 98980->98991 98981 d410ab 70 API calls __read_nolock 98981->98991 98982 d499f2 __chsize_nolock 82 API calls 98982->98991 98983->98977 98984 d3dac6 __write 78 API calls 98984->98985 98985->98968 98985->98984 98987 d41b11 60 API calls __lseeki64_nolock 98985->98987 98985->98991 98986 d48611 98988 d40d2d __close_nolock 61 API calls 98986->98988 98987->98985 98990 d48618 98988->98990 98989 d485fa 98989->98968 98993 d38d68 _memcpy_s 58 API calls 98990->98993 98991->98980 98991->98981 98991->98982 98991->98985 98991->98986 98991->98989 98992 d41b11 60 API calls __lseeki64_nolock 98991->98992 98992->98991 98993->98977 98994->98911 98995->98917 98996->98917 98998 d14ce1 98997->98998 98999 d14d9d LoadLibraryA 98997->98999 98998->98797 98998->98800 98999->98998 99000 d14dae GetProcAddress 98999->99000 99000->98998 99002 d30ff6 Mailbox 59 API calls 99001->99002 99003 d153a0 99002->99003 99003->98805 99005 d15003 FindResourceExW 99004->99005 99009 d15020 99004->99009 99006 d4dd5c LoadResource 99005->99006 99005->99009 99007 d4dd71 SizeofResource 99006->99007 99006->99009 99008 d4dd85 LockResource 99007->99008 99007->99009 99008->99009 99009->98806 99011 d4ddd4 99010->99011 99012 d15054 99010->99012 99016 d35a7d 99012->99016 99014 d15062 99014->98817 99015->98806 99017 d35a89 __setmode 99016->99017 99018 d35a9b 99017->99018 99020 d35ac1 99017->99020 99029 d38d68 58 API calls __getptd_noexit 99018->99029 99031 d36e4e 99020->99031 99021 d35aa0 99030 d38ff6 9 API calls _memcpy_s 99021->99030 99024 d35ac7 99037 d359ee 83 API calls 5 library calls 99024->99037 99026 d35ad6 99038 d35af8 LeaveCriticalSection LeaveCriticalSection _fseek 99026->99038 99028 d35aab __setmode 99028->99014 99029->99021 99030->99028 99032 d36e80 EnterCriticalSection 99031->99032 99033 d36e5e 99031->99033 99035 d36e76 99032->99035 99033->99032 99034 d36e66 99033->99034 99036 d39e4b __lock 58 API calls 99034->99036 99035->99024 99036->99035 99037->99026 99038->99028 99042 d3582d 99039->99042 99041 d1508e 99041->98825 99043 d35839 __setmode 99042->99043 99044 d3587c 99043->99044 99045 d35874 __setmode 99043->99045 99047 d3584f _memset 99043->99047 99046 d36e4e __lock_file 59 API calls 99044->99046 99045->99041 99048 d35882 99046->99048 99055 d38d68 58 API calls __getptd_noexit 99047->99055 99057 d3564d 72 API calls 5 library calls 99048->99057 99051 d35869 99056 d38ff6 9 API calls _memcpy_s 99051->99056 99052 d35898 99058 d358b6 LeaveCriticalSection LeaveCriticalSection _fseek 99052->99058 99055->99051 99056->99045 99057->99052 99058->99045 99062 d3543a GetSystemTimeAsFileTime 99059->99062 99061 d791f8 99061->98827 99063 d35468 __aulldiv 99062->99063 99063->99061 99065 d35e9c __setmode 99064->99065 99066 d35ec3 99065->99066 99067 d35eae 99065->99067 99069 d36e4e __lock_file 59 API calls 99066->99069 99078 d38d68 58 API calls __getptd_noexit 99067->99078 99071 d35ec9 99069->99071 99070 d35eb3 99079 d38ff6 9 API calls _memcpy_s 99070->99079 99080 d35b00 67 API calls 6 library calls 99071->99080 99074 d35ed4 99081 d35ef4 LeaveCriticalSection LeaveCriticalSection _fseek 99074->99081 99076 d35ee6 99077 d35ebe __setmode 99076->99077 99077->98832 99078->99070 99079->99077 99080->99074 99081->99076 99082->98685 99083->98693 99084->98706 99085->98708 99086->98705 99087->98714 99089 d192c9 Mailbox 99088->99089 99090 d4f5c8 99089->99090 99095 d192d3 99089->99095 99091 d30ff6 Mailbox 59 API calls 99090->99091 99093 d4f5d4 99091->99093 99092 d192da 99092->98719 99095->99092 99096 d19df0 59 API calls Mailbox 99095->99096 99096->99095 99097->98729 99098->98727 99104 d799d2 __tzset_nolock _wcscmp 99099->99104 99100 d79866 99100->98735 99100->98763 99101 d1506b 74 API calls 99101->99104 99102 d79393 GetSystemTimeAsFileTime 99102->99104 99103 d15045 85 API calls 99103->99104 99104->99100 99104->99101 99104->99102 99104->99103 99106 d78d9b 99105->99106 99107 d78da9 99105->99107 99108 d3548b 115 API calls 99106->99108 99109 d78dee 99107->99109 99110 d3548b 115 API calls 99107->99110 99121 d78db2 99107->99121 99108->99107 99136 d7901b 74 API calls 3 library calls 99109->99136 99111 d78dd3 99110->99111 99111->99109 99114 d78ddc 99111->99114 99113 d78e32 99115 d78e57 99113->99115 99116 d78e36 99113->99116 99114->99121 99147 d355d6 99114->99147 99137 d78c33 58 API calls __crtGetStringTypeA_stat 99115->99137 99117 d78e43 99116->99117 99120 d355d6 __fcloseall 83 API calls 99116->99120 99117->99121 99123 d355d6 __fcloseall 83 API calls 99117->99123 99120->99117 99121->98764 99122 d78e5f 99124 d78e85 99122->99124 99125 d78e65 99122->99125 99123->99121 99138 d78eb5 90 API calls 99124->99138 99127 d78e72 99125->99127 99129 d355d6 __fcloseall 83 API calls 99125->99129 99127->99121 99130 d355d6 __fcloseall 83 API calls 99127->99130 99128 d78e8c 99139 d78f97 99128->99139 99129->99127 99130->99121 99132 d78ea0 99132->99121 99135 d355d6 __fcloseall 83 API calls 99132->99135 99134 d355d6 __fcloseall 83 API calls 99134->99132 99135->99121 99136->99113 99137->99122 99138->99128 99140 d78fa4 99139->99140 99142 d78faa 99139->99142 99141 d32f95 _free 58 API calls 99140->99141 99141->99142 99143 d78fbb 99142->99143 99145 d32f95 _free 58 API calls 99142->99145 99144 d78e93 99143->99144 99146 d32f95 _free 58 API calls 99143->99146 99144->99132 99144->99134 99145->99143 99146->99144 99148 d355e2 __setmode 99147->99148 99149 d355f6 99148->99149 99150 d3560e 99148->99150 99176 d38d68 58 API calls __getptd_noexit 99149->99176 99152 d36e4e __lock_file 59 API calls 99150->99152 99156 d35606 __setmode 99150->99156 99154 d35620 99152->99154 99153 d355fb 99177 d38ff6 9 API calls _memcpy_s 99153->99177 99160 d3556a 99154->99160 99156->99121 99161 d35579 99160->99161 99162 d3558d 99160->99162 99222 d38d68 58 API calls __getptd_noexit 99161->99222 99164 d35589 99162->99164 99179 d34c6d 99162->99179 99178 d35645 LeaveCriticalSection LeaveCriticalSection _fseek 99164->99178 99165 d3557e 99223 d38ff6 9 API calls _memcpy_s 99165->99223 99172 d355a7 99196 d40c52 99172->99196 99174 d355ad 99174->99164 99175 d32f95 _free 58 API calls 99174->99175 99175->99164 99176->99153 99177->99156 99178->99156 99180 d34c80 99179->99180 99184 d34ca4 99179->99184 99181 d34916 __stbuf 58 API calls 99180->99181 99180->99184 99182 d34c9d 99181->99182 99224 d3dac6 99182->99224 99185 d40dc7 99184->99185 99186 d40dd4 99185->99186 99188 d355a1 99185->99188 99187 d32f95 _free 58 API calls 99186->99187 99186->99188 99187->99188 99189 d34916 99188->99189 99190 d34920 99189->99190 99191 d34935 99189->99191 99334 d38d68 58 API calls __getptd_noexit 99190->99334 99191->99172 99193 d34925 99335 d38ff6 9 API calls _memcpy_s 99193->99335 99195 d34930 99195->99172 99197 d40c5e __setmode 99196->99197 99198 d40c82 99197->99198 99199 d40c6b 99197->99199 99201 d40d0d 99198->99201 99203 d40c92 99198->99203 99351 d38d34 58 API calls __getptd_noexit 99199->99351 99356 d38d34 58 API calls __getptd_noexit 99201->99356 99202 d40c70 99352 d38d68 58 API calls __getptd_noexit 99202->99352 99206 d40cb0 99203->99206 99207 d40cba 99203->99207 99353 d38d34 58 API calls __getptd_noexit 99206->99353 99209 d3d446 ___lock_fhandle 59 API calls 99207->99209 99212 d40cc0 99209->99212 99210 d40cb5 99357 d38d68 58 API calls __getptd_noexit 99210->99357 99213 d40cd3 99212->99213 99214 d40cde 99212->99214 99336 d40d2d 99213->99336 99354 d38d68 58 API calls __getptd_noexit 99214->99354 99215 d40c77 __setmode 99215->99174 99216 d40d19 99358 d38ff6 9 API calls _memcpy_s 99216->99358 99220 d40cd9 99355 d40d05 LeaveCriticalSection __unlock_fhandle 99220->99355 99222->99165 99223->99164 99225 d3dad2 __setmode 99224->99225 99226 d3daf6 99225->99226 99227 d3dadf 99225->99227 99229 d3db95 99226->99229 99232 d3db0a 99226->99232 99325 d38d34 58 API calls __getptd_noexit 99227->99325 99331 d38d34 58 API calls __getptd_noexit 99229->99331 99231 d3dae4 99326 d38d68 58 API calls __getptd_noexit 99231->99326 99233 d3db32 99232->99233 99234 d3db28 99232->99234 99252 d3d446 99233->99252 99327 d38d34 58 API calls __getptd_noexit 99234->99327 99235 d3db2d 99332 d38d68 58 API calls __getptd_noexit 99235->99332 99239 d3db38 99241 d3db4b 99239->99241 99242 d3db5e 99239->99242 99261 d3dbb5 99241->99261 99328 d38d68 58 API calls __getptd_noexit 99242->99328 99243 d3dba1 99333 d38ff6 9 API calls _memcpy_s 99243->99333 99244 d3daeb __setmode 99244->99184 99248 d3db57 99330 d3db8d LeaveCriticalSection __unlock_fhandle 99248->99330 99249 d3db63 99329 d38d34 58 API calls __getptd_noexit 99249->99329 99253 d3d452 __setmode 99252->99253 99254 d3d4a1 EnterCriticalSection 99253->99254 99256 d39e4b __lock 58 API calls 99253->99256 99255 d3d4c7 __setmode 99254->99255 99255->99239 99257 d3d477 99256->99257 99258 d3d48f 99257->99258 99259 d3a06b __alloc_osfhnd InitializeCriticalSectionAndSpinCount 99257->99259 99260 d3d4cb ___lock_fhandle LeaveCriticalSection 99258->99260 99259->99258 99260->99254 99262 d3dbc2 __ftell_nolock 99261->99262 99263 d3dc01 99262->99263 99264 d3dc20 99262->99264 99293 d3dbf6 99262->99293 99266 d38d34 __free_osfhnd 58 API calls 99263->99266 99267 d3dc78 99264->99267 99268 d3dc5c 99264->99268 99265 d3c836 __crtGetStringTypeA_stat 6 API calls 99269 d3e416 99265->99269 99270 d3dc06 99266->99270 99272 d3dc91 99267->99272 99276 d41b11 __lseeki64_nolock 60 API calls 99267->99276 99271 d38d34 __free_osfhnd 58 API calls 99268->99271 99269->99248 99273 d38d68 _memcpy_s 58 API calls 99270->99273 99275 d3dc61 99271->99275 99274 d45ebb __stbuf 58 API calls 99272->99274 99277 d3dc0d 99273->99277 99278 d3dc9f 99274->99278 99279 d38d68 _memcpy_s 58 API calls 99275->99279 99276->99272 99280 d38ff6 _memcpy_s 9 API calls 99277->99280 99281 d3dff8 99278->99281 99286 d39bec _LocaleUpdate::_LocaleUpdate 58 API calls 99278->99286 99282 d3dc68 99279->99282 99280->99293 99283 d3e016 99281->99283 99284 d3e38b WriteFile 99281->99284 99285 d38ff6 _memcpy_s 9 API calls 99282->99285 99287 d3e13a 99283->99287 99295 d3e02c 99283->99295 99288 d3dfeb GetLastError 99284->99288 99292 d3dfb8 99284->99292 99285->99293 99289 d3dccb GetConsoleMode 99286->99289 99300 d3e22f 99287->99300 99302 d3e145 99287->99302 99288->99292 99289->99281 99291 d3dd0a 99289->99291 99290 d3e3c4 99290->99293 99297 d38d68 _memcpy_s 58 API calls 99290->99297 99291->99281 99294 d3dd1a GetConsoleCP 99291->99294 99292->99290 99292->99293 99299 d3e118 99292->99299 99293->99265 99294->99290 99321 d3dd49 99294->99321 99295->99290 99296 d3e09b WriteFile 99295->99296 99296->99288 99301 d3e0d8 99296->99301 99298 d3e3f2 99297->99298 99303 d38d34 __free_osfhnd 58 API calls 99298->99303 99304 d3e123 99299->99304 99305 d3e3bb 99299->99305 99300->99290 99306 d3e2a4 WideCharToMultiByte 99300->99306 99301->99295 99307 d3e0fc 99301->99307 99302->99290 99308 d3e1aa WriteFile 99302->99308 99303->99293 99310 d38d68 _memcpy_s 58 API calls 99304->99310 99311 d38d47 __dosmaperr 58 API calls 99305->99311 99306->99288 99317 d3e2eb 99306->99317 99307->99292 99308->99288 99309 d3e1f9 99308->99309 99309->99292 99309->99302 99309->99307 99312 d3e128 99310->99312 99311->99293 99314 d38d34 __free_osfhnd 58 API calls 99312->99314 99313 d3e2f3 WriteFile 99316 d3e346 GetLastError 99313->99316 99313->99317 99314->99293 99315 d33835 __write_nolock 58 API calls 99315->99321 99316->99317 99317->99292 99317->99300 99317->99307 99317->99313 99318 d4650a 60 API calls __write_nolock 99318->99321 99319 d3de32 WideCharToMultiByte 99319->99292 99320 d3de6d WriteFile 99319->99320 99320->99288 99323 d3de9f 99320->99323 99321->99292 99321->99315 99321->99318 99321->99319 99321->99323 99322 d47cae WriteConsoleW CreateFileW __putwch_nolock 99322->99323 99323->99288 99323->99292 99323->99321 99323->99322 99324 d3dec7 WriteFile 99323->99324 99324->99288 99324->99323 99325->99231 99326->99244 99327->99235 99328->99249 99329->99248 99330->99244 99331->99235 99332->99243 99333->99244 99334->99193 99335->99195 99359 d3d703 99336->99359 99338 d40d91 99372 d3d67d 59 API calls 2 library calls 99338->99372 99340 d40d3b 99340->99338 99343 d3d703 __commit 58 API calls 99340->99343 99350 d40d6f 99340->99350 99341 d3d703 __commit 58 API calls 99344 d40d7b CloseHandle 99341->99344 99342 d40d99 99349 d40dbb 99342->99349 99373 d38d47 58 API calls 3 library calls 99342->99373 99345 d40d66 99343->99345 99344->99338 99347 d40d87 GetLastError 99344->99347 99346 d3d703 __commit 58 API calls 99345->99346 99346->99350 99347->99338 99349->99220 99350->99338 99350->99341 99351->99202 99352->99215 99353->99210 99354->99220 99355->99215 99356->99210 99357->99216 99358->99215 99360 d3d723 99359->99360 99361 d3d70e 99359->99361 99363 d38d34 __free_osfhnd 58 API calls 99360->99363 99365 d3d748 99360->99365 99362 d38d34 __free_osfhnd 58 API calls 99361->99362 99364 d3d713 99362->99364 99366 d3d752 99363->99366 99367 d38d68 _memcpy_s 58 API calls 99364->99367 99365->99340 99368 d38d68 _memcpy_s 58 API calls 99366->99368 99369 d3d71b 99367->99369 99370 d3d75a 99368->99370 99369->99340 99371 d38ff6 _memcpy_s 9 API calls 99370->99371 99371->99369 99372->99342 99373->99349 99436 d41b90 99374->99436 99377 d148f7 99442 d17eec 99377->99442 99378 d148da 99379 d17d2c 59 API calls 99378->99379 99381 d148e6 99379->99381 99438 d17886 99381->99438 99384 d309d5 99385 d41b90 __ftell_nolock 99384->99385 99386 d309e2 GetLongPathNameW 99385->99386 99387 d17d2c 59 API calls 99386->99387 99388 d1741d 99387->99388 99389 d1716b 99388->99389 99390 d177c7 59 API calls 99389->99390 99391 d1717d 99390->99391 99392 d148ae 60 API calls 99391->99392 99393 d17188 99392->99393 99394 d17193 99393->99394 99395 d4ecae 99393->99395 99397 d13f84 59 API calls 99394->99397 99400 d4ecc8 99395->99400 99456 d17a68 61 API calls 99395->99456 99398 d1719f 99397->99398 99450 d134c2 99398->99450 99401 d171b2 Mailbox 99401->98453 99403 d14f3d 136 API calls 99402->99403 99404 d169ef 99403->99404 99405 d4e45a 99404->99405 99407 d14f3d 136 API calls 99404->99407 99406 d797e5 122 API calls 99405->99406 99409 d4e46f 99406->99409 99408 d16a03 99407->99408 99408->99405 99410 d16a0b 99408->99410 99411 d4e490 99409->99411 99412 d4e473 99409->99412 99413 d16a17 99410->99413 99414 d4e47b 99410->99414 99416 d30ff6 Mailbox 59 API calls 99411->99416 99415 d14faa 84 API calls 99412->99415 99457 d16bec 99413->99457 99564 d74534 90 API calls _wprintf 99414->99564 99415->99414 99425 d4e4d5 Mailbox 99416->99425 99420 d4e489 99420->99411 99421 d4e689 99422 d32f95 _free 58 API calls 99421->99422 99423 d4e691 99422->99423 99424 d14faa 84 API calls 99423->99424 99426 d4e69a 99424->99426 99425->99421 99425->99426 99433 d17f41 59 API calls 99425->99433 99550 d1766f 99425->99550 99558 d174bd 99425->99558 99565 d6fc4d 59 API calls 2 library calls 99425->99565 99566 d6fb6e 61 API calls 2 library calls 99425->99566 99567 d77621 59 API calls Mailbox 99425->99567 99430 d32f95 _free 58 API calls 99426->99430 99431 d14faa 84 API calls 99426->99431 99568 d6fcb1 89 API calls 4 library calls 99426->99568 99430->99426 99431->99426 99433->99425 99437 d148bb GetFullPathNameW 99436->99437 99437->99377 99437->99378 99439 d17894 99438->99439 99446 d17e8c 99439->99446 99441 d148f2 99441->99384 99443 d17f06 99442->99443 99445 d17ef9 99442->99445 99444 d30ff6 Mailbox 59 API calls 99443->99444 99444->99445 99445->99381 99447 d17e9a 99446->99447 99449 d17ea3 _memmove 99446->99449 99448 d17faf 59 API calls 99447->99448 99447->99449 99448->99449 99449->99441 99451 d134d4 99450->99451 99455 d134f3 _memmove 99450->99455 99453 d30ff6 Mailbox 59 API calls 99451->99453 99452 d30ff6 Mailbox 59 API calls 99454 d1350a 99452->99454 99453->99455 99454->99401 99455->99452 99456->99395 99458 d4e847 99457->99458 99459 d16c15 99457->99459 99641 d6fcb1 89 API calls 4 library calls 99458->99641 99574 d15906 60 API calls Mailbox 99459->99574 99462 d16c37 99575 d15956 67 API calls 99462->99575 99463 d4e85a 99642 d6fcb1 89 API calls 4 library calls 99463->99642 99465 d16c4c 99465->99463 99467 d16c54 99465->99467 99469 d177c7 59 API calls 99467->99469 99468 d4e876 99471 d16cc1 99468->99471 99470 d16c60 99469->99470 99576 d30b9b 60 API calls __ftell_nolock 99470->99576 99473 d4e889 99471->99473 99474 d16ccf 99471->99474 99476 d15dcf CloseHandle 99473->99476 99477 d177c7 59 API calls 99474->99477 99475 d16c6c 99478 d177c7 59 API calls 99475->99478 99480 d4e895 99476->99480 99481 d16cd8 99477->99481 99479 d16c78 99478->99479 99482 d148ae 60 API calls 99479->99482 99483 d14f3d 136 API calls 99480->99483 99484 d177c7 59 API calls 99481->99484 99485 d16c86 99482->99485 99486 d4e8b1 99483->99486 99487 d16ce1 99484->99487 99577 d159b0 ReadFile SetFilePointerEx 99485->99577 99489 d4e8da 99486->99489 99492 d797e5 122 API calls 99486->99492 99579 d146f9 99487->99579 99643 d6fcb1 89 API calls 4 library calls 99489->99643 99491 d16cb2 99578 d15c4e SetFilePointerEx SetFilePointerEx 99491->99578 99497 d4e8cd 99492->99497 99493 d16cf8 99498 d17c8e 59 API calls 99493->99498 99495 d4e8f1 99528 d16e6c Mailbox 99495->99528 99499 d4e8d5 99497->99499 99500 d4e8f6 99497->99500 99501 d16d09 SetCurrentDirectoryW 99498->99501 99503 d14faa 84 API calls 99499->99503 99502 d14faa 84 API calls 99500->99502 99506 d16d1c Mailbox 99501->99506 99504 d4e8fb 99502->99504 99503->99489 99505 d30ff6 Mailbox 59 API calls 99504->99505 99512 d4e92f 99505->99512 99508 d30ff6 Mailbox 59 API calls 99506->99508 99510 d16d2f 99508->99510 99509 d13bcd 99509->98307 99509->98315 99511 d1538e 59 API calls 99510->99511 99539 d16d3a Mailbox __NMSG_WRITE 99511->99539 99513 d1766f 59 API calls 99512->99513 99547 d4e978 Mailbox 99513->99547 99514 d16e47 99637 d15dcf 99514->99637 99517 d4eb69 99648 d77581 59 API calls Mailbox 99517->99648 99518 d16e53 SetCurrentDirectoryW 99518->99528 99521 d4eb8b 99649 d7f835 59 API calls 2 library calls 99521->99649 99524 d4eb98 99526 d32f95 _free 58 API calls 99524->99526 99525 d4ec02 99652 d6fcb1 89 API calls 4 library calls 99525->99652 99526->99528 99569 d15934 99528->99569 99530 d1766f 59 API calls 99530->99547 99531 d4ec1b 99531->99514 99533 d4ebfa 99651 d6fb07 59 API calls 4 library calls 99533->99651 99536 d17f41 59 API calls 99536->99539 99539->99514 99539->99525 99539->99533 99539->99536 99630 d159cd 67 API calls _wcscpy 99539->99630 99631 d170bd GetStringTypeW 99539->99631 99632 d1702c 60 API calls __wcsnicmp 99539->99632 99633 d1710a GetStringTypeW __NMSG_WRITE 99539->99633 99634 d3387d GetStringTypeW _iswctype 99539->99634 99635 d16a3c 165 API calls 3 library calls 99539->99635 99636 d17373 59 API calls Mailbox 99539->99636 99540 d17f41 59 API calls 99540->99547 99544 d4ebbb 99650 d6fcb1 89 API calls 4 library calls 99544->99650 99546 d4ebd4 99548 d32f95 _free 58 API calls 99546->99548 99547->99517 99547->99530 99547->99540 99547->99544 99644 d6fc4d 59 API calls 2 library calls 99547->99644 99645 d6fb6e 61 API calls 2 library calls 99547->99645 99646 d77621 59 API calls Mailbox 99547->99646 99647 d17373 59 API calls Mailbox 99547->99647 99549 d4ebe7 99548->99549 99549->99528 99551 d1770f 99550->99551 99557 d17682 _memmove 99550->99557 99553 d30ff6 Mailbox 59 API calls 99551->99553 99552 d30ff6 Mailbox 59 API calls 99555 d17689 99552->99555 99553->99557 99554 d176b2 99554->99425 99555->99554 99556 d30ff6 Mailbox 59 API calls 99555->99556 99556->99554 99557->99552 99559 d174d0 99558->99559 99561 d1757e 99558->99561 99560 d30ff6 Mailbox 59 API calls 99559->99560 99563 d17502 99559->99563 99560->99563 99561->99425 99562 d30ff6 59 API calls Mailbox 99562->99563 99563->99561 99563->99562 99564->99420 99565->99425 99566->99425 99567->99425 99568->99426 99570 d15dcf CloseHandle 99569->99570 99571 d1593c Mailbox 99570->99571 99572 d15dcf CloseHandle 99571->99572 99573 d1594b 99572->99573 99573->99509 99574->99462 99575->99465 99576->99475 99577->99491 99578->99471 99580 d177c7 59 API calls 99579->99580 99581 d1470f 99580->99581 99582 d177c7 59 API calls 99581->99582 99583 d14717 99582->99583 99584 d177c7 59 API calls 99583->99584 99585 d1471f 99584->99585 99586 d177c7 59 API calls 99585->99586 99587 d14727 99586->99587 99588 d1475b 99587->99588 99589 d4d8fb 99587->99589 99590 d179ab 59 API calls 99588->99590 99591 d181a7 59 API calls 99589->99591 99592 d14769 99590->99592 99593 d4d904 99591->99593 99594 d17e8c 59 API calls 99592->99594 99595 d17eec 59 API calls 99593->99595 99596 d14773 99594->99596 99598 d1479e 99595->99598 99597 d179ab 59 API calls 99596->99597 99596->99598 99601 d14794 99597->99601 99599 d147de 99598->99599 99602 d147bd 99598->99602 99612 d4d924 99598->99612 99653 d179ab 99599->99653 99604 d17e8c 59 API calls 99601->99604 99606 d17b52 59 API calls 99602->99606 99603 d147ef 99607 d14801 99603->99607 99610 d181a7 59 API calls 99603->99610 99604->99598 99605 d4d9f4 99608 d17d2c 59 API calls 99605->99608 99609 d147c7 99606->99609 99611 d14811 99607->99611 99613 d181a7 59 API calls 99607->99613 99625 d4d9b1 99608->99625 99609->99599 99616 d179ab 59 API calls 99609->99616 99610->99607 99615 d14818 99611->99615 99617 d181a7 59 API calls 99611->99617 99612->99605 99614 d4d9dd 99612->99614 99624 d4d95b 99612->99624 99613->99611 99614->99605 99620 d4d9c8 99614->99620 99618 d181a7 59 API calls 99615->99618 99627 d1481f Mailbox 99615->99627 99616->99599 99617->99615 99618->99627 99619 d17b52 59 API calls 99619->99625 99623 d17d2c 59 API calls 99620->99623 99621 d4d9b9 99622 d17d2c 59 API calls 99621->99622 99622->99625 99623->99625 99624->99621 99628 d4d9a4 99624->99628 99625->99599 99625->99619 99666 d17a84 59 API calls 2 library calls 99625->99666 99627->99493 99629 d17d2c 59 API calls 99628->99629 99629->99625 99630->99539 99631->99539 99632->99539 99633->99539 99634->99539 99635->99539 99636->99539 99638 d15dd9 99637->99638 99639 d15de8 99637->99639 99638->99518 99639->99638 99640 d15ded CloseHandle 99639->99640 99640->99638 99641->99463 99642->99468 99643->99495 99644->99547 99645->99547 99646->99547 99647->99547 99648->99521 99649->99524 99650->99546 99651->99525 99652->99531 99654 d17a17 99653->99654 99655 d179ba 99653->99655 99656 d17e8c 59 API calls 99654->99656 99655->99654 99657 d179c5 99655->99657 99662 d179e8 _memmove 99656->99662 99658 d179e0 99657->99658 99659 d4ef32 99657->99659 99667 d18087 59 API calls Mailbox 99658->99667 99668 d18189 99659->99668 99662->99603 99663 d4ef3c 99664 d30ff6 Mailbox 59 API calls 99663->99664 99665 d4ef5c 99664->99665 99666->99625 99667->99662 99669 d30ff6 Mailbox 59 API calls 99668->99669 99670 d18193 99669->99670 99670->99663 99671->98464 99673 d16ef5 99672->99673 99677 d17009 99672->99677 99674 d30ff6 Mailbox 59 API calls 99673->99674 99673->99677 99676 d16f1c 99674->99676 99675 d30ff6 Mailbox 59 API calls 99682 d16f91 99675->99682 99676->99675 99677->98468 99680 d174bd 59 API calls 99680->99682 99681 d1766f 59 API calls 99681->99682 99682->99677 99682->99680 99682->99681 99685 d163a0 99682->99685 99710 d66ac9 59 API calls Mailbox 99682->99710 99683->98471 99684->98473 99711 d17b76 99685->99711 99687 d165ca 99688 d1766f 59 API calls 99687->99688 99689 d165e4 Mailbox 99688->99689 99689->99682 99692 d4e41f 99720 d6fdba 91 API calls 4 library calls 99692->99720 99693 d17eec 59 API calls 99704 d163c5 99693->99704 99694 d1766f 59 API calls 99694->99704 99698 d4e42d 99699 d1766f 59 API calls 99698->99699 99700 d4e443 99699->99700 99700->99689 99701 d168f9 _memmove 99721 d6fdba 91 API calls 4 library calls 99701->99721 99702 d4e3bb 99703 d18189 59 API calls 99702->99703 99705 d4e3c6 99703->99705 99704->99687 99704->99692 99704->99693 99704->99694 99704->99701 99704->99702 99707 d17faf 59 API calls 99704->99707 99716 d160cc 60 API calls 99704->99716 99717 d15ea1 59 API calls Mailbox 99704->99717 99718 d15fd2 60 API calls 99704->99718 99719 d17a84 59 API calls 2 library calls 99704->99719 99709 d30ff6 Mailbox 59 API calls 99705->99709 99708 d1659b CharUpperBuffW 99707->99708 99708->99704 99709->99701 99710->99682 99712 d30ff6 Mailbox 59 API calls 99711->99712 99713 d17b9b 99712->99713 99714 d18189 59 API calls 99713->99714 99715 d17baa 99714->99715 99715->99704 99716->99704 99717->99704 99718->99704 99719->99704 99720->99698 99721->99689 99722->98486 99723->98487 99725 d14227 99724->99725 99726 d4d638 99724->99726 99725->98493 99750 d73226 62 API calls _W_store_winword 99725->99750 99726->99725 99727 d4d641 DestroyIcon 99726->99727 99727->99725 99729 d14129 99728->99729 99749 d14200 Mailbox 99728->99749 99730 d17b76 59 API calls 99729->99730 99731 d14137 99730->99731 99732 d14144 99731->99732 99733 d4d5dd LoadStringW 99731->99733 99734 d17d2c 59 API calls 99732->99734 99736 d4d5f7 99733->99736 99735 d14159 99734->99735 99735->99736 99737 d1416a 99735->99737 99738 d17c8e 59 API calls 99736->99738 99739 d14205 99737->99739 99740 d14174 99737->99740 99743 d4d601 99738->99743 99741 d181a7 59 API calls 99739->99741 99742 d17c8e 59 API calls 99740->99742 99746 d1417e _memset _wcscpy 99741->99746 99742->99746 99744 d17e0b 59 API calls 99743->99744 99743->99746 99745 d4d623 99744->99745 99748 d17e0b 59 API calls 99745->99748 99747 d141e6 Shell_NotifyIconW 99746->99747 99747->99749 99748->99746 99749->98499 99750->98493 99752 d1e5b1 99751->99752 99753 d1e59d 99751->99753 99927 d7a0b5 89 API calls 4 library calls 99752->99927 99926 d1e060 331 API calls 2 library calls 99753->99926 99755 d1e5a8 99755->98576 99757 d53ece 99757->99757 99759 d1e835 99758->99759 99760 d53ed3 99759->99760 99763 d1e89f 99759->99763 99772 d1e8f9 99759->99772 99929 d1a000 99760->99929 99762 d53ee8 99783 d1ead0 Mailbox 99762->99783 99952 d7a0b5 89 API calls 4 library calls 99762->99952 99766 d177c7 59 API calls 99763->99766 99763->99772 99764 d177c7 59 API calls 99764->99772 99767 d53f2e 99766->99767 99769 d32f80 __cinit 67 API calls 99767->99769 99768 d32f80 __cinit 67 API calls 99768->99772 99769->99772 99770 d53f50 99770->98576 99771 d18620 69 API calls 99771->99783 99772->99764 99772->99768 99772->99770 99775 d1eaba 99772->99775 99772->99783 99773 d1a000 331 API calls 99773->99783 99775->99783 99953 d7a0b5 89 API calls 4 library calls 99775->99953 99776 d7a0b5 89 API calls 99776->99783 99779 d1ebd8 99779->98576 99781 d5424f 99781->98576 99782 d1f2f5 99957 d7a0b5 89 API calls 4 library calls 99782->99957 99783->99771 99783->99773 99783->99776 99783->99779 99783->99782 99784 d18ea0 59 API calls 99783->99784 99928 d180d7 59 API calls 2 library calls 99783->99928 99954 d67405 59 API calls 99783->99954 99955 d8c8d7 331 API calls 99783->99955 99956 d8b851 331 API calls Mailbox 99783->99956 99958 d19df0 59 API calls Mailbox 99783->99958 99959 d896db 331 API calls Mailbox 99783->99959 99784->99783 99790 d1f7b0 99789->99790 99791 d1f61a 99789->99791 99794 d17f41 59 API calls 99790->99794 99792 d1f626 99791->99792 99793 d54848 99791->99793 99966 d1f3f0 99792->99966 100074 d8bf80 331 API calls Mailbox 99793->100074 99801 d1f6ec Mailbox 99794->99801 99797 d1f65d 99798 d54856 99797->99798 99799 d1f790 99797->99799 99797->99801 99798->99799 100075 d7a0b5 89 API calls 4 library calls 99798->100075 99799->98576 99807 d14faa 84 API calls 99801->99807 99981 d8474d 99801->99981 99990 d7cde5 99801->99990 100070 d73e73 99801->100070 99803 d1f743 99803->99799 100073 d19df0 59 API calls Mailbox 99803->100073 99807->99803 100236 d182e0 99808->100236 99810 d1fe9d 99812 d54b57 99810->99812 99856 d20856 99810->99856 100241 d1f394 99810->100241 100258 d7a0b5 89 API calls 4 library calls 99812->100258 99815 d54b6c 99816 d1ff9e 99817 d54cb7 99816->99817 99820 d1ffac 99816->99820 100262 d66c62 59 API calls 2 library calls 99816->100262 99817->99815 99817->99820 100264 d8a5ee 85 API calls Mailbox 99817->100264 99818 d20677 99827 d30ff6 Mailbox 59 API calls 99818->99827 99819 d30ff6 59 API calls Mailbox 99849 d1ff33 99819->99849 99828 d54d23 99820->99828 99877 d54f7d 99820->99877 100245 d184dc 99820->100245 99821 d54c01 99821->99815 100260 d7a0b5 89 API calls 4 library calls 99821->100260 99824 d54c72 100263 d66665 59 API calls 2 library calls 99824->100263 99834 d206a5 _memmove 99827->99834 99835 d54d41 99828->99835 100266 d18720 59 API calls Mailbox 99828->100266 99830 d54b7f 99830->99821 100259 d1f803 331 API calls 99830->100259 99842 d30ff6 Mailbox 59 API calls 99834->99842 99841 d54d52 99835->99841 100267 d18720 59 API calls Mailbox 99835->100267 99837 d54c95 99838 d54cdc Mailbox 99838->99820 100265 d66c62 59 API calls 2 library calls 99838->100265 99873 d202d9 Mailbox _memmove 99841->99873 100268 d66621 59 API calls Mailbox 99841->100268 99870 d20266 _memmove 99842->99870 99849->99815 99849->99816 99849->99818 99849->99819 99849->99830 99849->99834 99852 d1a000 331 API calls 99849->99852 99861 d54c36 99849->99861 99852->99849 99853 d1a000 331 API calls 100257 d7a0b5 89 API calls 4 library calls 99856->100257 100261 d7a0b5 89 API calls 4 library calls 99861->100261 99863 d54edc 99870->99873 99887 d202c2 99870->99887 100256 d19df0 59 API calls Mailbox 99870->100256 99872 d204f8 99872->98576 99873->99856 99873->99863 99873->99872 99874 d30ff6 59 API calls Mailbox 99873->99874 99883 d54e46 99873->99883 99886 d54e77 99873->99886 100254 d188a0 68 API calls __cinit 99873->100254 100255 d187c0 68 API calls 99873->100255 100269 d75bd9 68 API calls 99873->100269 100270 d18b13 69 API calls Mailbox 99873->100270 100271 d19e9c 60 API calls Mailbox 99873->100271 99874->99873 99877->99815 100275 d7a0b5 89 API calls 4 library calls 99877->100275 99884 d30ff6 Mailbox 59 API calls 99883->99884 99884->99886 99886->99853 99887->98576 99888->98576 99889->98505 99890->98510 99891->98576 99892->98515 99893->98515 99894->98515 99895->98576 99896->98576 99897->98576 99899 d199b1 99898->99899 99908 d199ab 99898->99908 99900 d4f903 99899->99900 99901 d199f9 99899->99901 99903 d199b7 __itow 99899->99903 99904 d4f9fc __i64tow 99899->99904 99909 d30ff6 Mailbox 59 API calls 99900->99909 99914 d4f97b Mailbox _wcscpy 99900->99914 100278 d338d8 83 API calls 3 library calls 99901->100278 99906 d30ff6 Mailbox 59 API calls 99903->99906 99904->99904 99907 d199d1 99906->99907 99907->99908 99910 d17f41 59 API calls 99907->99910 99908->98576 99912 d4f948 99909->99912 99910->99908 99911 d30ff6 Mailbox 59 API calls 99913 d4f96e 99911->99913 99912->99911 99913->99914 99915 d17f41 59 API calls 99913->99915 100279 d338d8 83 API calls 3 library calls 99914->100279 99915->99914 99916->98576 99917->98576 99918->98576 99919->98560 99920->98560 99921->98560 99922->98560 99923->98560 99924->98560 99925->98560 99926->99755 99927->99757 99928->99783 99930 d1a01f 99929->99930 99944 d1a04d Mailbox 99929->99944 99931 d30ff6 Mailbox 59 API calls 99930->99931 99931->99944 99932 d1b5d5 99933 d181a7 59 API calls 99932->99933 99947 d1a1b7 99933->99947 99934 d67405 59 API calls 99934->99944 99935 d177c7 59 API calls 99935->99944 99936 d30ff6 59 API calls Mailbox 99936->99944 99940 d5047f 99962 d7a0b5 89 API calls 4 library calls 99940->99962 99943 d181a7 59 API calls 99943->99944 99944->99932 99944->99934 99944->99935 99944->99936 99944->99940 99944->99943 99946 d32f80 67 API calls __cinit 99944->99946 99944->99947 99948 d50e00 99944->99948 99950 d1a6ba 99944->99950 99951 d1b5da 99944->99951 99960 d1ca20 331 API calls 2 library calls 99944->99960 99961 d1ba60 60 API calls Mailbox 99944->99961 99945 d5048e 99945->99762 99946->99944 99947->99762 99964 d7a0b5 89 API calls 4 library calls 99948->99964 99963 d7a0b5 89 API calls 4 library calls 99950->99963 99965 d7a0b5 89 API calls 4 library calls 99951->99965 99952->99783 99953->99783 99954->99783 99955->99783 99956->99783 99957->99781 99958->99783 99959->99783 99960->99944 99961->99944 99962->99945 99963->99947 99964->99951 99965->99947 99967 d1f59a 99966->99967 99969 d1f41c 99966->99969 100077 d7a0b5 89 API calls 4 library calls 99967->100077 99969->99967 99976 d1f459 _memmove 99969->99976 99970 d1f543 99970->99797 99972 d30ff6 59 API calls Mailbox 99972->99976 99973 d54823 100079 d1f803 331 API calls 99973->100079 99975 d1a000 331 API calls 99975->99976 99976->99972 99976->99973 99976->99975 99977 d547d3 99976->99977 99978 d547d5 99976->99978 99980 d1f533 99976->99980 99977->99797 100078 d7a0b5 89 API calls 4 library calls 99978->100078 99980->99970 100076 d8a5ee 85 API calls Mailbox 99980->100076 99982 d19997 84 API calls 99981->99982 99983 d84787 99982->99983 99984 d163a0 94 API calls 99983->99984 99985 d84797 99984->99985 99986 d847bc 99985->99986 99987 d1a000 331 API calls 99985->99987 99989 d847c0 99986->99989 100080 d19bf8 59 API calls Mailbox 99986->100080 99987->99986 99989->99803 99991 d177c7 59 API calls 99990->99991 99992 d7ce1a 99991->99992 99993 d177c7 59 API calls 99992->99993 99994 d7ce23 99993->99994 99995 d7ce37 99994->99995 100190 d19c9c 59 API calls 99994->100190 99997 d19997 84 API calls 99995->99997 99998 d7ce54 99997->99998 99999 d7ce76 99998->99999 100000 d7cf55 99998->100000 100012 d7cf85 Mailbox 99998->100012 100002 d14f3d 136 API calls 100000->100002 100012->99803 100232 d74696 GetFileAttributesW 100070->100232 100073->99803 100074->99798 100075->99799 100076->99970 100077->99977 100078->99977 100079->99977 100080->99989 100190->99995 100233 d73e7a 100232->100233 100234 d746b1 FindFirstFileW 100232->100234 100233->99803 100234->100233 100235 d746c6 FindClose 100234->100235 100235->100233 100237 d182ef 100236->100237 100240 d1830a 100236->100240 100238 d17faf 59 API calls 100237->100238 100239 d182f7 CharUpperBuffW 100238->100239 100239->100240 100240->99810 100242 d1f3b1 100241->100242 100243 d1f3d2 100242->100243 100276 d7a0b5 89 API calls 4 library calls 100242->100276 100243->99849 100246 d4f1e6 100245->100246 100247 d184ed 100245->100247 100248 d30ff6 Mailbox 59 API calls 100247->100248 100254->99873 100255->99873 100256->99870 100257->99812 100258->99815 100259->99821 100260->99815 100261->99815 100262->99824 100263->99837 100264->99838 100265->99838 100266->99835 100267->99841 100268->99873 100269->99873 100270->99873 100271->99873 100275->99815 100276->100243 100278->99903 100279->99904 100281 d17dbf __NMSG_WRITE 100280->100281 100282 d18189 59 API calls 100281->100282 100283 d17dd0 _memmove 100281->100283 100284 d4f130 _memmove 100282->100284 100283->98596 100292 d13633 100293 d1366a 100292->100293 100294 d136e7 100293->100294 100295 d13688 100293->100295 100296 d136e5 100293->100296 100300 d4d31c 100294->100300 100301 d136ed 100294->100301 100297 d13695 100295->100297 100298 d1375d PostQuitMessage 100295->100298 100299 d136ca DefWindowProcW 100296->100299 100302 d136a0 100297->100302 100303 d4d38f 100297->100303 100305 d136d8 100298->100305 100299->100305 100342 d211d0 10 API calls Mailbox 100300->100342 100306 d136f2 100301->100306 100307 d13715 SetTimer RegisterWindowMessageW 100301->100307 100308 d13767 100302->100308 100309 d136a8 100302->100309 100346 d72a16 71 API calls _memset 100303->100346 100313 d136f9 KillTimer 100306->100313 100314 d4d2bf 100306->100314 100307->100305 100310 d1373e CreatePopupMenu 100307->100310 100340 d14531 64 API calls _memset 100308->100340 100315 d4d374 100309->100315 100316 d136b3 100309->100316 100310->100305 100312 d4d343 100343 d211f3 331 API calls Mailbox 100312->100343 100337 d144cb Shell_NotifyIconW _memset 100313->100337 100320 d4d2c4 100314->100320 100321 d4d2f8 MoveWindow 100314->100321 100315->100299 100345 d6817e 59 API calls Mailbox 100315->100345 100324 d1374b 100316->100324 100325 d136be 100316->100325 100317 d4d3a1 100317->100299 100317->100305 100327 d4d2e7 SetFocus 100320->100327 100328 d4d2c8 100320->100328 100321->100305 100323 d1370c 100338 d13114 DeleteObject DestroyWindow Mailbox 100323->100338 100339 d145df 81 API calls _memset 100324->100339 100325->100299 100344 d144cb Shell_NotifyIconW _memset 100325->100344 100326 d1375b 100326->100305 100327->100305 100328->100325 100332 d4d2d1 100328->100332 100341 d211d0 10 API calls Mailbox 100332->100341 100335 d4d368 100336 d143db 68 API calls 100335->100336 100336->100296 100337->100323 100338->100305 100339->100326 100340->100326 100341->100305 100342->100312 100343->100325 100344->100335 100345->100296 100346->100317 100347 d50226 100356 d1ade2 Mailbox 100347->100356 100349 d50c86 100403 d666f4 59 API calls Mailbox 100349->100403 100351 d50c8f 100353 d500e0 VariantClear 100353->100356 100354 d1b6c1 100402 d7a0b5 89 API calls 4 library calls 100354->100402 100356->100349 100356->100351 100356->100353 100356->100354 100359 d923c9 100356->100359 100397 d8e237 100356->100397 100400 d19df0 59 API calls Mailbox 100356->100400 100401 d67405 59 API calls 100356->100401 100360 d177c7 59 API calls 100359->100360 100361 d923e0 100360->100361 100362 d19997 84 API calls 100361->100362 100363 d923ef 100362->100363 100364 d17b76 59 API calls 100363->100364 100365 d92402 100364->100365 100366 d19997 84 API calls 100365->100366 100367 d9240f 100366->100367 100368 d92429 100367->100368 100369 d9249d 100367->100369 100404 d19c9c 59 API calls 100368->100404 100371 d19997 84 API calls 100369->100371 100373 d924a2 100371->100373 100372 d9242e 100374 d9248c 100372->100374 100377 d92445 100372->100377 100375 d924ce 100373->100375 100376 d924b0 100373->100376 100405 d19bf8 59 API calls Mailbox 100374->100405 100379 d924e3 100375->100379 100407 d19c9c 59 API calls 100375->100407 100406 d19bf8 59 API calls Mailbox 100376->100406 100381 d179ab 59 API calls 100377->100381 100390 d924f8 100379->100390 100408 d19c9c 59 API calls 100379->100408 100384 d92452 100381->100384 100387 d17c8e 59 API calls 100384->100387 100386 d92512 100410 d6f8f2 62 API calls Mailbox 100386->100410 100389 d92460 100387->100389 100391 d179ab 59 API calls 100389->100391 100409 d180d7 59 API calls 2 library calls 100390->100409 100392 d92479 100391->100392 100393 d17c8e 59 API calls 100392->100393 100396 d92487 100393->100396 100394 d92499 Mailbox 100394->100356 100411 d19b9c 59 API calls Mailbox 100396->100411 100412 d8cdf1 100397->100412 100399 d8e247 100399->100356 100400->100356 100401->100356 100402->100349 100403->100351 100404->100372 100405->100394 100406->100394 100407->100379 100408->100390 100409->100386 100410->100396 100411->100394 100413 d19997 84 API calls 100412->100413 100414 d8ce2e 100413->100414 100419 d8ce75 Mailbox 100414->100419 100450 d8dab9 100414->100450 100416 d8d242 100489 d8dbdc 92 API calls Mailbox 100416->100489 100419->100399 100420 d8cec6 Mailbox 100420->100419 100423 d19997 84 API calls 100420->100423 100437 d8d0cd 100420->100437 100482 d7f835 59 API calls 2 library calls 100420->100482 100483 d8d2f3 61 API calls 2 library calls 100420->100483 100421 d8d251 100422 d8d0db 100421->100422 100424 d8d25d 100421->100424 100463 d8cc82 100422->100463 100423->100420 100424->100419 100429 d8d114 100478 d30e48 100429->100478 100432 d8d12e 100484 d7a0b5 89 API calls 4 library calls 100432->100484 100433 d8d147 100435 d1942e 59 API calls 100433->100435 100438 d8d153 100435->100438 100436 d8d139 GetCurrentProcess TerminateProcess 100436->100433 100437->100416 100437->100422 100439 d191b0 59 API calls 100438->100439 100440 d8d169 100439->100440 100448 d8d190 100440->100448 100485 d18ea0 59 API calls Mailbox 100440->100485 100442 d8d2b8 100442->100419 100446 d8d2cc FreeLibrary 100442->100446 100443 d8d17f 100486 d8d95d 107 API calls _free 100443->100486 100446->100419 100448->100442 100487 d18ea0 59 API calls Mailbox 100448->100487 100488 d19e9c 60 API calls Mailbox 100448->100488 100490 d8d95d 107 API calls _free 100448->100490 100451 d17faf 59 API calls 100450->100451 100452 d8dad4 CharLowerBuffW 100451->100452 100491 d6f658 100452->100491 100456 d177c7 59 API calls 100457 d8db0d 100456->100457 100458 d179ab 59 API calls 100457->100458 100459 d8db24 100458->100459 100460 d17e8c 59 API calls 100459->100460 100461 d8db30 Mailbox 100460->100461 100462 d8db6c Mailbox 100461->100462 100498 d8d2f3 61 API calls 2 library calls 100461->100498 100462->100420 100464 d8cc9d 100463->100464 100468 d8ccf2 100463->100468 100465 d30ff6 Mailbox 59 API calls 100464->100465 100467 d8ccbf 100465->100467 100466 d30ff6 Mailbox 59 API calls 100466->100467 100467->100466 100467->100468 100469 d8dd64 100468->100469 100470 d8df8d Mailbox 100469->100470 100476 d8dd87 _strcat _wcscpy __NMSG_WRITE 100469->100476 100470->100429 100471 d19c9c 59 API calls 100471->100476 100472 d19cf8 59 API calls 100472->100476 100473 d19d46 59 API calls 100473->100476 100474 d19997 84 API calls 100474->100476 100475 d3594c 58 API calls __crtGetStringTypeA_stat 100475->100476 100476->100470 100476->100471 100476->100472 100476->100473 100476->100474 100476->100475 100501 d75b29 61 API calls 2 library calls 100476->100501 100480 d30e5d 100478->100480 100479 d30ef5 VirtualProtect 100481 d30ec3 100479->100481 100480->100479 100480->100481 100481->100432 100481->100433 100482->100420 100483->100420 100484->100436 100485->100443 100486->100448 100487->100448 100488->100448 100489->100421 100490->100448 100493 d6f683 __NMSG_WRITE 100491->100493 100492 d6f6c2 100492->100456 100492->100461 100493->100492 100494 d6f6b8 100493->100494 100497 d6f769 100493->100497 100494->100492 100499 d17a24 61 API calls 100494->100499 100497->100492 100500 d17a24 61 API calls 100497->100500 100498->100462 100499->100494 100500->100497 100501->100476 100502 d11055 100507 d12649 100502->100507 100505 d32f80 __cinit 67 API calls 100506 d11064 100505->100506 100508 d177c7 59 API calls 100507->100508 100509 d126b7 100508->100509 100514 d13582 100509->100514 100512 d12754 100513 d1105a 100512->100513 100517 d13416 59 API calls 2 library calls 100512->100517 100513->100505 100518 d135b0 100514->100518 100517->100512 100519 d135bd 100518->100519 100520 d135a1 100518->100520 100519->100520 100521 d135c4 RegOpenKeyExW 100519->100521 100520->100512 100521->100520 100522 d135de RegQueryValueExW 100521->100522 100523 d13614 RegCloseKey 100522->100523 100524 d135ff 100522->100524 100523->100520 100524->100523 100525 d50251 100537 d2fb84 100525->100537 100527 d50267 100528 d5027d 100527->100528 100529 d502e8 100527->100529 100546 d19fbd 60 API calls 100528->100546 100531 d1fe40 331 API calls 100529->100531 100536 d502dc Mailbox 100531->100536 100533 d502bc 100533->100536 100547 d785d9 59 API calls Mailbox 100533->100547 100534 d50ce1 Mailbox 100536->100534 100548 d7a0b5 89 API calls 4 library calls 100536->100548 100538 d2fba2 100537->100538 100539 d2fb90 100537->100539 100540 d2fbd1 100538->100540 100541 d2fba8 100538->100541 100549 d19e9c 60 API calls Mailbox 100539->100549 100550 d19e9c 60 API calls Mailbox 100540->100550 100543 d30ff6 Mailbox 59 API calls 100541->100543 100545 d2fb9a 100543->100545 100545->100527 100546->100533 100547->100536 100548->100534 100549->100545 100550->100545 100551 17e023b 100552 17e0242 100551->100552 100553 17e024a 100552->100553 100554 17e02e0 100552->100554 100558 17dfef0 100553->100558 100571 17e0b90 9 API calls 100554->100571 100557 17e02c7 100572 17dd8e0 100558->100572 100561 17dffc0 CreateFileW 100562 17dff8f 100561->100562 100568 17dffcd 100561->100568 100563 17dffe9 VirtualAlloc 100562->100563 100562->100568 100569 17e00f0 CloseHandle 100562->100569 100570 17e0100 VirtualFree 100562->100570 100575 17e0e00 GetPEB 100562->100575 100564 17e000a ReadFile 100563->100564 100563->100568 100567 17e0028 VirtualAlloc 100564->100567 100564->100568 100565 17e01dc VirtualFree 100566 17e01ea 100565->100566 100566->100557 100567->100562 100567->100568 100568->100565 100568->100566 100569->100562 100570->100562 100571->100557 100577 17e0da0 GetPEB 100572->100577 100574 17ddf6b 100574->100562 100576 17e0e2a 100575->100576 100576->100561 100578 17e0dca 100577->100578 100578->100574 100579 d11066 100584 d1f8cf 100579->100584 100581 d1106c 100582 d32f80 __cinit 67 API calls 100581->100582 100583 d11076 100582->100583 100585 d1f8f0 100584->100585 100617 d30143 100585->100617 100589 d1f937 100590 d177c7 59 API calls 100589->100590 100591 d1f941 100590->100591 100592 d177c7 59 API calls 100591->100592 100593 d1f94b 100592->100593 100594 d177c7 59 API calls 100593->100594 100595 d1f955 100594->100595 100596 d177c7 59 API calls 100595->100596 100597 d1f993 100596->100597 100598 d177c7 59 API calls 100597->100598 100599 d1fa5e 100598->100599 100627 d260e7 100599->100627 100603 d1fa90 100604 d177c7 59 API calls 100603->100604 100605 d1fa9a 100604->100605 100655 d2ffde 100605->100655 100607 d1fae1 100608 d1faf1 GetStdHandle 100607->100608 100609 d549d5 100608->100609 100610 d1fb3d 100608->100610 100609->100610 100612 d549de 100609->100612 100611 d1fb45 OleInitialize 100610->100611 100611->100581 100662 d76dda 64 API calls Mailbox 100612->100662 100614 d549e5 100663 d774a9 CreateThread 100614->100663 100616 d549f1 CloseHandle 100616->100611 100664 d3021c 100617->100664 100620 d3021c 59 API calls 100621 d30185 100620->100621 100622 d177c7 59 API calls 100621->100622 100623 d30191 100622->100623 100624 d17d2c 59 API calls 100623->100624 100625 d1f8f6 100624->100625 100626 d303a2 6 API calls 100625->100626 100626->100589 100628 d177c7 59 API calls 100627->100628 100629 d260f7 100628->100629 100630 d177c7 59 API calls 100629->100630 100631 d260ff 100630->100631 100671 d25bfd 100631->100671 100634 d25bfd 59 API calls 100635 d2610f 100634->100635 100636 d177c7 59 API calls 100635->100636 100637 d2611a 100636->100637 100638 d30ff6 Mailbox 59 API calls 100637->100638 100639 d1fa68 100638->100639 100640 d26259 100639->100640 100641 d26267 100640->100641 100642 d177c7 59 API calls 100641->100642 100643 d26272 100642->100643 100644 d177c7 59 API calls 100643->100644 100645 d2627d 100644->100645 100646 d177c7 59 API calls 100645->100646 100647 d26288 100646->100647 100648 d177c7 59 API calls 100647->100648 100649 d26293 100648->100649 100650 d25bfd 59 API calls 100649->100650 100651 d2629e 100650->100651 100652 d30ff6 Mailbox 59 API calls 100651->100652 100653 d262a5 RegisterWindowMessageW 100652->100653 100653->100603 100656 d65cc3 100655->100656 100657 d2ffee 100655->100657 100674 d79d71 60 API calls 100656->100674 100658 d30ff6 Mailbox 59 API calls 100657->100658 100660 d2fff6 100658->100660 100660->100607 100661 d65cce 100662->100614 100663->100616 100675 d7748f 65 API calls 100663->100675 100665 d177c7 59 API calls 100664->100665 100666 d30227 100665->100666 100667 d177c7 59 API calls 100666->100667 100668 d3022f 100667->100668 100669 d177c7 59 API calls 100668->100669 100670 d3017b 100669->100670 100670->100620 100672 d177c7 59 API calls 100671->100672 100673 d25c05 100672->100673 100673->100634 100674->100661 100676 d11016 100681 d14ad2 100676->100681 100679 d32f80 __cinit 67 API calls 100680 d11025 100679->100680 100682 d30ff6 Mailbox 59 API calls 100681->100682 100683 d14ada 100682->100683 100685 d1101b 100683->100685 100688 d14a94 100683->100688 100685->100679 100689 d14aaf 100688->100689 100690 d14a9d 100688->100690 100692 d14afe 100689->100692 100691 d32f80 __cinit 67 API calls 100690->100691 100691->100689 100693 d177c7 59 API calls 100692->100693 100694 d14b16 GetVersionExW 100693->100694 100695 d17d2c 59 API calls 100694->100695 100696 d14b59 100695->100696 100697 d17e8c 59 API calls 100696->100697 100706 d14b86 100696->100706 100698 d14b7a 100697->100698 100699 d17886 59 API calls 100698->100699 100699->100706 100700 d14bf1 GetCurrentProcess IsWow64Process 100701 d14c0a 100700->100701 100703 d14c20 100701->100703 100704 d14c89 GetSystemInfo 100701->100704 100702 d4dc8d 100716 d14c95 100703->100716 100705 d14c56 100704->100705 100705->100685 100706->100700 100706->100702 100709 d14c32 100711 d14c95 2 API calls 100709->100711 100710 d14c7d GetSystemInfo 100712 d14c47 100710->100712 100713 d14c3a GetNativeSystemInfo 100711->100713 100712->100705 100714 d14c4d FreeLibrary 100712->100714 100713->100712 100714->100705 100717 d14c2e 100716->100717 100718 d14c9e LoadLibraryA 100716->100718 100717->100709 100717->100710 100718->100717 100719 d14caf GetProcAddress 100718->100719 100719->100717 100720 d1107d 100725 d171eb 100720->100725 100722 d1108c 100723 d32f80 __cinit 67 API calls 100722->100723 100724 d11096 100723->100724 100726 d171fb __ftell_nolock 100725->100726 100727 d177c7 59 API calls 100726->100727 100728 d172b1 100727->100728 100729 d14864 61 API calls 100728->100729 100730 d172ba 100729->100730 100756 d3074f 100730->100756 100733 d17e0b 59 API calls 100734 d172d3 100733->100734 100735 d13f84 59 API calls 100734->100735 100736 d172e2 100735->100736 100737 d177c7 59 API calls 100736->100737 100738 d172eb 100737->100738 100739 d17eec 59 API calls 100738->100739 100740 d172f4 RegOpenKeyExW 100739->100740 100741 d4ecda RegQueryValueExW 100740->100741 100745 d17316 Mailbox 100740->100745 100742 d4ecf7 100741->100742 100743 d4ed6c RegCloseKey 100741->100743 100744 d30ff6 Mailbox 59 API calls 100742->100744 100743->100745 100754 d4ed7e _wcscat Mailbox __NMSG_WRITE 100743->100754 100746 d4ed10 100744->100746 100745->100722 100747 d1538e 59 API calls 100746->100747 100748 d4ed1b RegQueryValueExW 100747->100748 100749 d4ed38 100748->100749 100751 d4ed52 100748->100751 100750 d17d2c 59 API calls 100749->100750 100750->100751 100751->100743 100752 d17f41 59 API calls 100752->100754 100753 d13f84 59 API calls 100753->100754 100754->100745 100754->100752 100754->100753 100755 d17b52 59 API calls 100754->100755 100755->100754 100757 d41b90 __ftell_nolock 100756->100757 100758 d3075c GetFullPathNameW 100757->100758 100759 d3077e 100758->100759 100760 d17d2c 59 API calls 100759->100760 100761 d172c5 100760->100761 100761->100733 100762 d54599 100766 d6655c 100762->100766 100764 d545a4 100765 d6655c 85 API calls 100764->100765 100765->100764 100767 d66596 100766->100767 100772 d66569 100766->100772 100767->100764 100768 d66598 100778 d19488 84 API calls Mailbox 100768->100778 100770 d6659d 100771 d19997 84 API calls 100770->100771 100773 d665a4 100771->100773 100772->100767 100772->100768 100772->100770 100775 d66590 100772->100775 100774 d17c8e 59 API calls 100773->100774 100774->100767 100777 d19700 59 API calls _wcsstr 100775->100777 100777->100767 100778->100770 100779 d1e5ec 100782 d1ce1a 100779->100782 100781 d1e5f8 100783 d1ce32 100782->100783 100784 d1ce86 100782->100784 100783->100784 100785 d1a000 331 API calls 100783->100785 100788 d1ceaf 100784->100788 100792 d7a0b5 89 API calls 4 library calls 100784->100792 100789 d1ce69 100785->100789 100787 d529e6 100787->100787 100788->100781 100789->100788 100791 d19e9c 60 API calls Mailbox 100789->100791 100791->100784 100792->100787 100793 17dfc90 100794 17dd8e0 GetPEB 100793->100794 100795 17dfd74 100794->100795 100807 17dfb80 100795->100807 100808 17dfb89 Sleep 100807->100808 100809 17dfb97 100808->100809

              Executed Functions

              Function 00D13B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D13B7A
              • IsDebuggerPresent.KERNEL32 ref: 00D13B8C
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00DD62F8,00DD62E0,?,?), ref: 00D13BFD
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
                • Part of subcall function 00D20A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D13C26,00DD62F8,?,?,?), ref: 00D20ACE
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00D13C81
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00DC93F0,00000010), ref: 00D4D4BC
              • SetCurrentDirectoryW.KERNEL32(?,00DD62F8,?,?,?), ref: 00D4D4F4
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00DC5D40,00DD62F8,?,?,?), ref: 00D4D57A
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00D4D581
                • Part of subcall function 00D13A58: GetSysColorBrush.USER32(0000000F), ref: 00D13A62
                • Part of subcall function 00D13A58: LoadCursorW.USER32(00000000,00007F00), ref: 00D13A71
                • Part of subcall function 00D13A58: LoadIconW.USER32(00000063), ref: 00D13A88
                • Part of subcall function 00D13A58: LoadIconW.USER32(000000A4), ref: 00D13A9A
                • Part of subcall function 00D13A58: LoadIconW.USER32(000000A2), ref: 00D13AAC
                • Part of subcall function 00D13A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D13AD2
                • Part of subcall function 00D13A58: RegisterClassExW.USER32(?), ref: 00D13B28
                • Part of subcall function 00D139E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D13A15
                • Part of subcall function 00D139E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D13A36
                • Part of subcall function 00D139E7: ShowWindow.USER32(00000000,?,?), ref: 00D13A4A
                • Part of subcall function 00D139E7: ShowWindow.USER32(00000000,?,?), ref: 00D13A53
                • Part of subcall function 00D143DB: _memset.LIBCMT ref: 00D14401
                • Part of subcall function 00D143DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D144A6
              Strings
              • runas, xrefs: 00D4D575
              • This is a third-party compiled AutoIt script., xrefs: 00D4D4B4
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas
              • API String ID: 529118366-3287110873
              • Opcode ID: 0c9ac4e75017e273d832f3cf2caf276fbb7de78e6e3864af788cfa188d52fd01
              • Instruction ID: 547b377f93fb44fa908553332e35e39a2616169798b4f70586126716575b2d3d
              • Opcode Fuzzy Hash: 0c9ac4e75017e273d832f3cf2caf276fbb7de78e6e3864af788cfa188d52fd01
              • Instruction Fuzzy Hash: AA51A230A05349BECB11ABF4FC15AED7F76EB05300B0441A6F455E23A2DE749685CBB5
              Function 00D14AFE Relevance: 10.7, APIs: 7, Instructions: 223COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 996 d14afe-d14b5e call d177c7 GetVersionExW call d17d2c 1001 d14b64 996->1001 1002 d14c69-d14c6b 996->1002 1004 d14b67-d14b6c 1001->1004 1003 d4db90-d4db9c 1002->1003 1005 d4db9d-d4dba1 1003->1005 1006 d14c70-d14c71 1004->1006 1007 d14b72 1004->1007 1009 d4dba4-d4dbb0 1005->1009 1010 d4dba3 1005->1010 1008 d14b73-d14baa call d17e8c call d17886 1006->1008 1007->1008 1018 d14bb0-d14bb1 1008->1018 1019 d4dc8d-d4dc90 1008->1019 1009->1005 1012 d4dbb2-d4dbb7 1009->1012 1010->1009 1012->1004 1014 d4dbbd-d4dbc4 1012->1014 1014->1003 1016 d4dbc6 1014->1016 1020 d4dbcb-d4dbce 1016->1020 1018->1020 1021 d14bb7-d14bc2 1018->1021 1022 d4dc92 1019->1022 1023 d4dca9-d4dcad 1019->1023 1024 d14bf1-d14c08 GetCurrentProcess IsWow64Process 1020->1024 1025 d4dbd4-d4dbf2 1020->1025 1026 d4dc13-d4dc19 1021->1026 1027 d14bc8-d14bca 1021->1027 1028 d4dc95 1022->1028 1030 d4dcaf-d4dcb8 1023->1030 1031 d4dc98-d4dca1 1023->1031 1032 d14c0a 1024->1032 1033 d14c0d-d14c1e 1024->1033 1025->1024 1029 d4dbf8-d4dbfe 1025->1029 1038 d4dc23-d4dc29 1026->1038 1039 d4dc1b-d4dc1e 1026->1039 1034 d14bd0-d14bd3 1027->1034 1035 d4dc2e-d4dc3a 1027->1035 1028->1031 1036 d4dc00-d4dc03 1029->1036 1037 d4dc08-d4dc0e 1029->1037 1030->1028 1040 d4dcba-d4dcbd 1030->1040 1031->1023 1032->1033 1041 d14c20-d14c30 call d14c95 1033->1041 1042 d14c89-d14c93 GetSystemInfo 1033->1042 1043 d14bd9-d14be8 1034->1043 1044 d4dc5a-d4dc5d 1034->1044 1046 d4dc44-d4dc4a 1035->1046 1047 d4dc3c-d4dc3f 1035->1047 1036->1024 1037->1024 1038->1024 1039->1024 1040->1031 1055 d14c32-d14c3f call d14c95 1041->1055 1056 d14c7d-d14c87 GetSystemInfo 1041->1056 1045 d14c56-d14c66 1042->1045 1050 d4dc4f-d4dc55 1043->1050 1051 d14bee 1043->1051 1044->1024 1049 d4dc63-d4dc78 1044->1049 1046->1024 1047->1024 1053 d4dc82-d4dc88 1049->1053 1054 d4dc7a-d4dc7d 1049->1054 1050->1024 1051->1024 1053->1024 1054->1024 1061 d14c41-d14c45 GetNativeSystemInfo 1055->1061 1062 d14c76-d14c7b 1055->1062 1058 d14c47-d14c4b 1056->1058 1058->1045 1060 d14c4d-d14c50 FreeLibrary 1058->1060 1060->1045 1061->1058 1062->1061
              APIs
              • GetVersionExW.KERNEL32(?), ref: 00D14B2B
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
              • GetCurrentProcess.KERNEL32(?,00D9FAEC,00000000,00000000,?), ref: 00D14BF8
              • IsWow64Process.KERNEL32(00000000), ref: 00D14BFF
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00D14C45
              • FreeLibrary.KERNEL32(00000000), ref: 00D14C50
              • GetSystemInfo.KERNEL32(00000000), ref: 00D14C81
              • GetSystemInfo.KERNEL32(00000000), ref: 00D14C8D
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: 11ba0eb89f2d30c59add49c455e8c694c3c7b39466e2e6a27074ec7ac5918285
              • Instruction ID: f790cea6b1b73bbf4a8987a11f9fb4bee12d46f53e88f0893a8ef0e9c1cab7c6
              • Opcode Fuzzy Hash: 11ba0eb89f2d30c59add49c455e8c694c3c7b39466e2e6a27074ec7ac5918285
              • Instruction Fuzzy Hash: 5391B73154E7C0EEC731CB68A5511EABFE5AF2A300B584D9ED0CA93A41D630E988C779
              Function 00D14FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1063 d14fe9-d15001 CreateStreamOnHGlobal 1064 d15021-d15026 1063->1064 1065 d15003-d1501a FindResourceExW 1063->1065 1066 d15020 1065->1066 1067 d4dd5c-d4dd6b LoadResource 1065->1067 1066->1064 1067->1066 1068 d4dd71-d4dd7f SizeofResource 1067->1068 1068->1066 1069 d4dd85-d4dd90 LockResource 1068->1069 1069->1066 1070 d4dd96-d4dd9e 1069->1070 1071 d4dda2-d4ddb4 1070->1071 1071->1066
              APIs
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00D14EEE,?,?,00000000,00000000), ref: 00D14FF9
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D14EEE,?,?,00000000,00000000), ref: 00D15010
              • LoadResource.KERNEL32(?,00000000,?,?,00D14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D14F8F), ref: 00D4DD60
              • SizeofResource.KERNEL32(?,00000000,?,?,00D14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D14F8F), ref: 00D4DD75
              • LockResource.KERNEL32(00D14EEE,?,?,00D14EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D14F8F,00000000), ref: 00D4DD88
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: be936d21c5629c7ac0294b3ca8ad5b8aab51e76ad7deb592bbd53653c678ca6b
              • Instruction ID: 9a3bae959fcd99d457dfa614198481f53082eab01c82b391a9925eeed276cac8
              • Opcode Fuzzy Hash: be936d21c5629c7ac0294b3ca8ad5b8aab51e76ad7deb592bbd53653c678ca6b
              • Instruction Fuzzy Hash: A6117C75200700BFD7218BA5EC58F677BBAEBC9B12F24416DF406CA260DBB1EC408670
              Function 00D1FE40 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID:
              • API String ID: 3964851224-0
              • Opcode ID: d72faeca72f3aae8023156417c75bb561611f5297d31a88b429d1eb1f2be77fb
              • Instruction ID: 9e9952a22f2d4e576a8b8a469de17f16bdb7dc682719c46e86b73bd8d337aa21
              • Opcode Fuzzy Hash: d72faeca72f3aae8023156417c75bb561611f5297d31a88b429d1eb1f2be77fb
              • Instruction Fuzzy Hash: A8925C746083519FD724DF14D490B6ABBE1FF94308F18896DE88A8B352D771EC85CBA2
              Function 00D74696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON
              Download Yara Rule
              APIs
              • GetFileAttributesW.KERNELBASE(?,00D4E7C1), ref: 00D746A6
              • FindFirstFileW.KERNELBASE(?,?), ref: 00D746B7
              • FindClose.KERNEL32(00000000), ref: 00D746C7
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: ed0b654095c36be2bd644950d1f3b2d50a2a953d48856b596dc3485ac25c5f30
              • Instruction ID: 1d5704925bfa39b3b70b9ffb948675c865ad315396022e583fdda571f977b017
              • Opcode Fuzzy Hash: ed0b654095c36be2bd644950d1f3b2d50a2a953d48856b596dc3485ac25c5f30
              • Instruction Fuzzy Hash: 19E020314105005B46106738EC4D4EE775CDE06335F144717F839C11E0F7B09D5085F9
              Function 00D20B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON
              Download Yara Rule
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D20BBB
              • timeGetTime.WINMM ref: 00D20E76
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D20FB3
              • TranslateMessage.USER32(?), ref: 00D20FC7
              • DispatchMessageW.USER32(?), ref: 00D20FD5
              • Sleep.KERNEL32(0000000A), ref: 00D20FDF
              • LockWindowUpdate.USER32(00000000,?,?), ref: 00D2105A
              • DestroyWindow.USER32 ref: 00D21066
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D21080
              • Sleep.KERNEL32(0000000A,?,?), ref: 00D552AD
              • TranslateMessage.USER32(?), ref: 00D5608A
              • DispatchMessageW.USER32(?), ref: 00D56098
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D560AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
              • API String ID: 4003667617-3242690629
              • Opcode ID: cc648f19439a0481577a8c0b1bd22d0c60fd3fdc64d8ee26d9160104465d6761
              • Instruction ID: c5c4fd281f5960246911d8184a9e3293456df00355be29ee69a0d07e0013da7c
              • Opcode Fuzzy Hash: cc648f19439a0481577a8c0b1bd22d0c60fd3fdc64d8ee26d9160104465d6761
              • Instruction Fuzzy Hash: 87B29370608741DFDB25DF24E854BAABBE5FF94304F18451DE88987291DB71E888CBB2
              Function 00D793DF Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
                • Part of subcall function 00D791E9: __time64.LIBCMT ref: 00D791F3
                • Part of subcall function 00D15045: _fseek.LIBCMT ref: 00D1505D
              • __wsplitpath.LIBCMT ref: 00D794BE
                • Part of subcall function 00D3432E: __wsplitpath_helper.LIBCMT ref: 00D3436E
              • _wcscpy.LIBCMT ref: 00D794D1
              • _wcscat.LIBCMT ref: 00D794E4
              • __wsplitpath.LIBCMT ref: 00D79509
              • _wcscat.LIBCMT ref: 00D7951F
              • _wcscat.LIBCMT ref: 00D79532
                • Part of subcall function 00D7922F: _memmove.LIBCMT ref: 00D79268
                • Part of subcall function 00D7922F: _memmove.LIBCMT ref: 00D79277
              • _wcscmp.LIBCMT ref: 00D79479
                • Part of subcall function 00D799BE: _wcscmp.LIBCMT ref: 00D79AAE
                • Part of subcall function 00D799BE: _wcscmp.LIBCMT ref: 00D79AC1
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D796DC
              • _wcsncpy.LIBCMT ref: 00D7974F
              • DeleteFileW.KERNEL32(?,?), ref: 00D79785
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D7979B
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D797AC
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D797BE
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: 6e81c952293e9694b9bd0362e2d616075d7fdd79a2d4c1aed979969790fe8511
              • Instruction ID: 1e49602fd1ee63b2e5f74235083324e350fa609470a93a60266ba8cb7d39822a
              • Opcode Fuzzy Hash: 6e81c952293e9694b9bd0362e2d616075d7fdd79a2d4c1aed979969790fe8511
              • Instruction Fuzzy Hash: 1AC13DB2D00229AADF11DF95DC95ADEB7BDEF49310F0040AAF609E7151EB309A848F75
              Function 00D13015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73windowregistryCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00D13074
              • RegisterClassExW.USER32(00000030), ref: 00D1309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D130AF
              • InitCommonControlsEx.COMCTL32(?), ref: 00D130CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D130DC
              • LoadIconW.USER32(000000A9), ref: 00D130F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D13101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 08cdece46dfcf25c0a229221012c55b54e0afec8dcf623fef5c5eac198e3ea31
              • Instruction ID: 2925f642b3758faa178c1b80414597c694ad95c94c79848908b06c3abe6516a4
              • Opcode Fuzzy Hash: 08cdece46dfcf25c0a229221012c55b54e0afec8dcf623fef5c5eac198e3ea31
              • Instruction Fuzzy Hash: 4B3125B1841309AFDB009FA4E889AD9BBF4FB09310F10452AE590E63A0E7B54555CFA1
              Function 00D13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00D13074
              • RegisterClassExW.USER32(00000030), ref: 00D1309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D130AF
              • InitCommonControlsEx.COMCTL32(?), ref: 00D130CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D130DC
              • LoadIconW.USER32(000000A9), ref: 00D130F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D13101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 836b58cd3049f7c95d2230976a68c9f780abe2272867302e4ab61da49648e19f
              • Instruction ID: 6da2691519c13e50e1f2829ce20b1ad9b430b0453511f7f33117899c3e51763a
              • Opcode Fuzzy Hash: 836b58cd3049f7c95d2230976a68c9f780abe2272867302e4ab61da49648e19f
              • Instruction Fuzzy Hash: 0D21AEB1941318AFDB009FA4E889B9DBBF8FB08700F10452BEA14E63A0D7B185549FA5
              Function 00D171EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
                • Part of subcall function 00D14864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00DD62F8,?,00D137C0,?), ref: 00D14882
                • Part of subcall function 00D3074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00D172C5), ref: 00D30771
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D17308
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D4ECF1
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D4ED32
              • RegCloseKey.ADVAPI32(?), ref: 00D4ED70
              • _wcscat.LIBCMT ref: 00D4EDC9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: 12ed8a33bdec4dcd0a097d95e9b70866c6908c7cd5ec9e466a3fc82b68af54ca
              • Instruction ID: fd8ddacc3279fa3014338623dae3c84050763654a3095b2af37ce57e141aaf56
              • Opcode Fuzzy Hash: 12ed8a33bdec4dcd0a097d95e9b70866c6908c7cd5ec9e466a3fc82b68af54ca
              • Instruction Fuzzy Hash: 2371397150A341AEC714EF65EC819ABBBE8FF99340F44056EF445D32A0EB309988CBB5
              Function 00D13A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON
              Download Yara Rule

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00D13A62
              • LoadCursorW.USER32(00000000,00007F00), ref: 00D13A71
              • LoadIconW.USER32(00000063), ref: 00D13A88
              • LoadIconW.USER32(000000A4), ref: 00D13A9A
              • LoadIconW.USER32(000000A2), ref: 00D13AAC
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D13AD2
              • RegisterClassExW.USER32(?), ref: 00D13B28
                • Part of subcall function 00D13041: GetSysColorBrush.USER32(0000000F), ref: 00D13074
                • Part of subcall function 00D13041: RegisterClassExW.USER32(00000030), ref: 00D1309E
                • Part of subcall function 00D13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D130AF
                • Part of subcall function 00D13041: InitCommonControlsEx.COMCTL32(?), ref: 00D130CC
                • Part of subcall function 00D13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D130DC
                • Part of subcall function 00D13041: LoadIconW.USER32(000000A9), ref: 00D130F2
                • Part of subcall function 00D13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D13101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3
              • API String ID: 423443420-4155596026
              • Opcode ID: 8cbe940c388d7b2fbd69fc6a8e21093e997f317bf470c31b8e4b5ed164f63c70
              • Instruction ID: fda8fd0275beefa4d5db4aa63e81a88550bcb689fc673f8c038653fae4baf40b
              • Opcode Fuzzy Hash: 8cbe940c388d7b2fbd69fc6a8e21093e997f317bf470c31b8e4b5ed164f63c70
              • Instruction Fuzzy Hash: 1E21F871A02308AFEB109FA4EC49B9D7FB5FB08711F10416BF504E63A0D7B696549FA8
              Function 00D13633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 767 d13633-d13681 769 d136e1-d136e3 767->769 770 d13683-d13686 767->770 769->770 773 d136e5 769->773 771 d136e7 770->771 772 d13688-d1368f 770->772 777 d4d31c-d4d34a call d211d0 call d211f3 771->777 778 d136ed-d136f0 771->778 774 d13695-d1369a 772->774 775 d1375d-d13765 PostQuitMessage 772->775 776 d136ca-d136d2 DefWindowProcW 773->776 779 d136a0-d136a2 774->779 780 d4d38f-d4d3a3 call d72a16 774->780 783 d13711-d13713 775->783 782 d136d8-d136de 776->782 813 d4d34f-d4d356 777->813 784 d136f2-d136f3 778->784 785 d13715-d1373c SetTimer RegisterWindowMessageW 778->785 786 d13767-d13776 call d14531 779->786 787 d136a8-d136ad 779->787 780->783 805 d4d3a9 780->805 783->782 791 d136f9-d1370c KillTimer call d144cb call d13114 784->791 792 d4d2bf-d4d2c2 784->792 785->783 788 d1373e-d13749 CreatePopupMenu 785->788 786->783 793 d4d374-d4d37b 787->793 794 d136b3-d136b8 787->794 788->783 791->783 798 d4d2c4-d4d2c6 792->798 799 d4d2f8-d4d317 MoveWindow 792->799 793->776 802 d4d381-d4d38a call d6817e 793->802 803 d1374b-d1375b call d145df 794->803 804 d136be-d136c4 794->804 808 d4d2e7-d4d2f3 SetFocus 798->808 809 d4d2c8-d4d2cb 798->809 799->783 802->776 803->783 804->776 804->813 805->776 808->783 809->804 814 d4d2d1-d4d2e2 call d211d0 809->814 813->776 818 d4d35c-d4d36f call d144cb call d143db 813->818 814->783 818->776
              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 00D136D2
              • KillTimer.USER32(?,00000001), ref: 00D136FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D1371F
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D1372A
              • CreatePopupMenu.USER32 ref: 00D1373E
              • PostQuitMessage.USER32(00000000), ref: 00D1375F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated
              • API String ID: 129472671-2362178303
              • Opcode ID: e6b5752b4bd2e1f9b7aee3fd47689cc06a1e11ea9f615aab4076ff210210ba62
              • Instruction ID: 1f35862d1f488c82a546b2ad5034635f25a5593cd1a5efb866f22a3268f2d853
              • Opcode Fuzzy Hash: e6b5752b4bd2e1f9b7aee3fd47689cc06a1e11ea9f615aab4076ff210210ba62
              • Instruction Fuzzy Hash: F641D2B1204245BBEB146F68FC49BFD3B55EB10300F18012BF542D63E1DEA4DA90A6B5
              Function 00D13778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267COMMON
              Download Yara Rule

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
              • API String ID: 1825951767-3513169116
              • Opcode ID: 1691ba8d14a7bcb0732001a88fdb96358b86d4f5035fc1d2f38f7f187bf39ad4
              • Instruction ID: 44978332a81cc49af92ad5183e5fbddb9c46a2d8f1db1a64e4f43e92d17df2d8
              • Opcode Fuzzy Hash: 1691ba8d14a7bcb0732001a88fdb96358b86d4f5035fc1d2f38f7f187bf39ad4
              • Instruction Fuzzy Hash: 61A13F71950219BACF04EFA0EC95AEEB779FF14300F54052AF416A7191DF749A89CBB0
              Function 017DFEF0 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 942 17dfef0-17dff9e call 17dd8e0 945 17dffa5-17dffcb call 17e0e00 CreateFileW 942->945 948 17dffcd 945->948 949 17dffd2-17dffe2 945->949 950 17e011d-17e0121 948->950 954 17dffe9-17e0003 VirtualAlloc 949->954 955 17dffe4 949->955 952 17e0163-17e0166 950->952 953 17e0123-17e0127 950->953 956 17e0169-17e0170 952->956 957 17e0129-17e012c 953->957 958 17e0133-17e0137 953->958 961 17e000a-17e0021 ReadFile 954->961 962 17e0005 954->962 955->950 963 17e01c5-17e01da 956->963 964 17e0172-17e017d 956->964 957->958 959 17e0139-17e0143 958->959 960 17e0147-17e014b 958->960 959->960 967 17e014d-17e0157 960->967 968 17e015b 960->968 969 17e0028-17e0068 VirtualAlloc 961->969 970 17e0023 961->970 962->950 965 17e01dc-17e01e7 VirtualFree 963->965 966 17e01ea-17e01f2 963->966 971 17e017f 964->971 972 17e0181-17e018d 964->972 965->966 967->968 968->952 973 17e006f-17e008a call 17e1050 969->973 974 17e006a 969->974 970->950 971->963 975 17e018f-17e019f 972->975 976 17e01a1-17e01ad 972->976 982 17e0095-17e009f 973->982 974->950 978 17e01c3 975->978 979 17e01af-17e01b8 976->979 980 17e01ba-17e01c0 976->980 978->956 979->978 980->978 983 17e00d2-17e00e6 call 17e0e60 982->983 984 17e00a1-17e00d0 call 17e1050 982->984 990 17e00ea-17e00ee 983->990 991 17e00e8 983->991 984->982 992 17e00fa-17e00fe 990->992 993 17e00f0-17e00f4 CloseHandle 990->993 991->950 994 17e010e-17e0117 992->994 995 17e0100-17e010b VirtualFree 992->995 993->992 994->945 994->950 995->994
              APIs
              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017DFFC1
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017E01E7
              Memory Dump Source
              • Source File: 00000000.00000002.1377300952.00000000017DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17dd000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CreateFileFreeVirtual
              • String ID:
              • API String ID: 204039940-0
              • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
              • Instruction ID: e796aa5d42a5000a4b10e320522a101bec2ba99c6b63df680e0f94a1b784eff1
              • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
              • Instruction Fuzzy Hash: 33A1E774E00209EBDB14CFA4C899BAEFBF5BF48304F208599E505BB281D7B59A41CF94
              Function 00D139E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1073 d139e7-d13a57 CreateWindowExW * 2 ShowWindow * 2
              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D13A15
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D13A36
              • ShowWindow.USER32(00000000,?,?), ref: 00D13A4A
              • ShowWindow.USER32(00000000,?,?), ref: 00D13A53
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 3d5a8792c456ec4a7c1332712e98450226a1c4854cf7da55c69e5eb9121398a3
              • Instruction ID: a8bd87de42d4d20ff42be470ba8227ca8f64a58bcaa5f82b3dc18207750ff8c5
              • Opcode Fuzzy Hash: 3d5a8792c456ec4a7c1332712e98450226a1c4854cf7da55c69e5eb9121398a3
              • Instruction Fuzzy Hash: 60F0D471642390BEEE311B67AC49E672F7DE7C6F50B00412BB904E23B0C6A65851DAB8
              Function 017DFC90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154fileCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1074 17dfc90-17dfdea call 17dd8e0 call 17dfb80 CreateFileW 1081 17dfdec 1074->1081 1082 17dfdf1-17dfe01 1074->1082 1083 17dfea1-17dfea6 1081->1083 1085 17dfe08-17dfe22 VirtualAlloc 1082->1085 1086 17dfe03 1082->1086 1087 17dfe24 1085->1087 1088 17dfe26-17dfe3d ReadFile 1085->1088 1086->1083 1087->1083 1089 17dfe3f 1088->1089 1090 17dfe41-17dfe7b call 17dfbc0 call 17deb80 1088->1090 1089->1083 1095 17dfe7d-17dfe92 call 17dfc10 1090->1095 1096 17dfe97-17dfe9f ExitProcess 1090->1096 1095->1096 1096->1083
              APIs
                • Part of subcall function 017DFB80: Sleep.KERNELBASE(000001F4), ref: 017DFB91
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017DFDE0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1377300952.00000000017DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17dd000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CreateFileSleep
              • String ID: I814N7DJ66D8
              • API String ID: 2694422964-783472350
              • Opcode ID: bc9d334086511074beb54e1a4419cc9d96d74a39df6ec8d7b8cf48b5ffd33865
              • Instruction ID: 262c8f97b52daee3b24bb22fe793dbfe1482af5ef692d666121cc39404ee262d
              • Opcode Fuzzy Hash: bc9d334086511074beb54e1a4419cc9d96d74a39df6ec8d7b8cf48b5ffd33865
              • Instruction Fuzzy Hash: 80518030D14248EBEF11DBB4C854BEEBB79EF58700F004199E209BB2C1D6BA5B45CBA5
              Function 00D1410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1098 d1410d-d14123 1099 d14200-d14204 1098->1099 1100 d14129-d1413e call d17b76 1098->1100 1103 d14144-d14164 call d17d2c 1100->1103 1104 d4d5dd-d4d5ec LoadStringW 1100->1104 1107 d4d5f7-d4d60f call d17c8e call d17143 1103->1107 1108 d1416a-d1416e 1103->1108 1104->1107 1118 d1417e-d141fb call d33020 call d1463e call d32ffc Shell_NotifyIconW call d15a64 1107->1118 1119 d4d615-d4d633 call d17e0b call d17143 call d17e0b 1107->1119 1110 d14205-d1420e call d181a7 1108->1110 1111 d14174-d14179 call d17c8e 1108->1111 1110->1118 1111->1118 1118->1099 1119->1118
              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D4D5EC
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
              • _memset.LIBCMT ref: 00D1418D
              • _wcscpy.LIBCMT ref: 00D141E1
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D141F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              • Opcode ID: d664cebe3111ebc7816e29e5d2fbc9ab8061ffb4f4a69f5c18fb6eb231ff3b27
              • Instruction ID: 0efcbdf2c7c90e51e6f61a7cc0f8b2246ab739241407af8d8ba69db07c58d004
              • Opcode Fuzzy Hash: d664cebe3111ebc7816e29e5d2fbc9ab8061ffb4f4a69f5c18fb6eb231ff3b27
              • Instruction Fuzzy Hash: A531AD71109304BAD721EB60EC46BDB77E8AF54310F14451AF185921A2EF74A6C8CBF6
              Function 00D169CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1133 d169ca-d169f1 call d14f3d 1136 d169f7-d16a05 call d14f3d 1133->1136 1137 d4e45a-d4e46a call d797e5 1133->1137 1136->1137 1142 d16a0b-d16a11 1136->1142 1141 d4e46f-d4e471 1137->1141 1143 d4e490-d4e4d8 call d30ff6 1141->1143 1144 d4e473-d4e476 call d14faa 1141->1144 1145 d16a17-d16a39 call d16bec 1142->1145 1146 d4e47b-d4e48a call d74534 1142->1146 1152 d4e4fd 1143->1152 1153 d4e4da-d4e4e4 1143->1153 1144->1146 1146->1143 1157 d4e4ff-d4e512 1152->1157 1156 d4e4f8-d4e4f9 1153->1156 1158 d4e4e6-d4e4f5 1156->1158 1159 d4e4fb 1156->1159 1160 d4e518 1157->1160 1161 d4e689-d4e68c call d32f95 1157->1161 1158->1156 1159->1157 1163 d4e51f-d4e522 call d175e0 1160->1163 1164 d4e691-d4e69a call d14faa 1161->1164 1167 d4e527-d4e549 call d15f12 call d7768b 1163->1167 1170 d4e69c-d4e6ac call d17776 call d15efb 1164->1170 1177 d4e55d-d4e567 call d77675 1167->1177 1178 d4e54b-d4e558 1167->1178 1186 d4e6b1-d4e6e1 call d6fcb1 call d3106c call d32f95 call d14faa 1170->1186 1184 d4e581-d4e58b call d7765f 1177->1184 1185 d4e569-d4e57c 1177->1185 1179 d4e650-d4e660 call d1766f 1178->1179 1179->1167 1190 d4e666-d4e670 call d174bd 1179->1190 1196 d4e58d-d4e59a 1184->1196 1197 d4e59f-d4e5a9 call d15f8a 1184->1197 1185->1179 1186->1170 1195 d4e675-d4e683 1190->1195 1195->1161 1195->1163 1196->1179 1197->1179 1203 d4e5af-d4e5c7 call d6fc4d 1197->1203 1208 d4e5c9-d4e5e8 call d17f41 call d15a64 1203->1208 1209 d4e5ea-d4e5ed 1203->1209 1232 d4e60b-d4e619 call d15f12 1208->1232 1210 d4e5ef-d4e60a call d17f41 call d16999 call d15a64 1209->1210 1211 d4e61b-d4e61e 1209->1211 1210->1232 1214 d4e620-d4e629 call d6fb6e 1211->1214 1215 d4e63e-d4e641 call d77621 1211->1215 1214->1186 1225 d4e62f-d4e639 call d3106c 1214->1225 1222 d4e646-d4e64f call d3106c 1215->1222 1222->1179 1225->1167 1232->1222
              APIs
                • Part of subcall function 00D14F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00DD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D14F6F
              • _free.LIBCMT ref: 00D4E68C
              • _free.LIBCMT ref: 00D4E6D3
                • Part of subcall function 00D16BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D16D0D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              • Opcode ID: f8e56d9efdccdf461214ed3c004b5b4d1e6988aa6ffbe9afec48036f24e3305c
              • Instruction ID: 4c84e6b4b6b8862fa5f91c7d7cb2d49f8ef7cce35f8c7b8fe2af6adb7f5820be
              • Opcode Fuzzy Hash: f8e56d9efdccdf461214ed3c004b5b4d1e6988aa6ffbe9afec48036f24e3305c
              • Instruction Fuzzy Hash: 74913A71A10219AFCF04EFA4D8919EDB7B4FF19314F14446AF855AB2A1EB30E945CB70
              Function 00D135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
              Download Yara Rule
              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00D135A1,SwapMouseButtons,00000004,?), ref: 00D135D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00D135A1,SwapMouseButtons,00000004,?,?,?,?,00D12754), ref: 00D135F5
              • RegCloseKey.KERNELBASE(00000000,?,?,00D135A1,SwapMouseButtons,00000004,?,?,?,?,00D12754), ref: 00D13617
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 2b41601f61129111edc8792ffdfff59b755d6812af39742bf53082a863c5817e
              • Instruction ID: 2053f112d7024d50cff620108b947ce6475ad8f7aad50262b065823773f73091
              • Opcode Fuzzy Hash: 2b41601f61129111edc8792ffdfff59b755d6812af39742bf53082a863c5817e
              • Instruction Fuzzy Hash: 201118B5611218BFDB208F64EC84AEEB7BCEF44740F15456AE809D7210DA719E949770
              Function 017DEB80 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON
              Download Yara Rule
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 017DF33B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017DF3D1
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017DF3F3
              Memory Dump Source
              • Source File: 00000000.00000002.1377300952.00000000017DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17dd000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
              • Instruction ID: efd8b7ae386d493e39c00a92270330af47059a3c31a8d3c01c571dc1bcec4516
              • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
              • Instruction Fuzzy Hash: 36620D30A14258DBEB24DFA4C854BDEB772EF58300F1091A9D10DEB3A4E7769E81CB59
              Function 00D797E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D15045: _fseek.LIBCMT ref: 00D1505D
                • Part of subcall function 00D799BE: _wcscmp.LIBCMT ref: 00D79AAE
                • Part of subcall function 00D799BE: _wcscmp.LIBCMT ref: 00D79AC1
              • _free.LIBCMT ref: 00D7992C
              • _free.LIBCMT ref: 00D79933
              • _free.LIBCMT ref: 00D7999E
                • Part of subcall function 00D32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D39C64), ref: 00D32FA9
                • Part of subcall function 00D32F95: GetLastError.KERNEL32(00000000,?,00D39C64), ref: 00D32FBB
              • _free.LIBCMT ref: 00D799A6
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
              • Instruction ID: 95e5e33bd5db4be171e9fb2fe622e20a426a41f048ef829c147a2ed0673f0614
              • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
              • Instruction Fuzzy Hash: 5F515FB1D04618AFDF249F64DC41AAEBB79EF48310F0444AEB209A7241DB355A80CF79
              Function 00D3493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction ID: 51eb84c46356acf7cf10805cc3b948d449706fd6fcbc713f6096b604e6e00464
              • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
              • Instruction Fuzzy Hash: 6141B6716407059BDF18CEA9C880A6F7BA6EF84364F28817DE855C7650D778ED408F74
              Function 00D173E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D4EE62
              • GetOpenFileNameW.COMDLG32(?), ref: 00D4EEAC
                • Part of subcall function 00D148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D148A1,?,?,00D137C0,?), ref: 00D148CE
                • Part of subcall function 00D309D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D309F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835
              • Opcode ID: b7e9ae077d03e7c68ae98f26b15494bfee07283ebbd3460e56e92a44b2fd1d07
              • Instruction ID: 4244736960ce769abbe30e538952ec170bf13763f70a0dc00996948621352607
              • Opcode Fuzzy Hash: b7e9ae077d03e7c68ae98f26b15494bfee07283ebbd3460e56e92a44b2fd1d07
              • Instruction Fuzzy Hash: 93218171A10258ABCB11DF94D845BEEBBF8EF49310F04405AE408E7381DFB899898FB1
              Function 00D79B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON
              Download Yara Rule
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 00D79B82
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00D79B99
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              • Opcode ID: de3ccb76032d876c7c2d93252e2d8b5cccc01aca7c34092d66f03e3e57132c8f
              • Instruction ID: 8e1b12e76d8587a28a98e8965caabb10103ca38b28b74862af3ed8c433585aa1
              • Opcode Fuzzy Hash: de3ccb76032d876c7c2d93252e2d8b5cccc01aca7c34092d66f03e3e57132c8f
              • Instruction Fuzzy Hash: EED05E7954030EABDB109B94DC0EF9A772CE704704F0042A2BE54D21A1DEB055988BA9
              Function 00D8CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae384d9e05d7d37a3f0d061f5339507b42eff996dc9e40f15297a287e49c1a60
              • Instruction ID: 99b10cd34b22137e1aa12ece774930659d2fd31147b964932ab32581e07ef625
              • Opcode Fuzzy Hash: ae384d9e05d7d37a3f0d061f5339507b42eff996dc9e40f15297a287e49c1a60
              • Instruction Fuzzy Hash: 47F12C715043059FC714EF28C494A6ABBE5FF88314F14892EF89997391DB31E945CFA2
              Function 00D1F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D303A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D303D3
                • Part of subcall function 00D303A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D303DB
                • Part of subcall function 00D303A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D303E6
                • Part of subcall function 00D303A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D303F1
                • Part of subcall function 00D303A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D303F9
                • Part of subcall function 00D303A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D30401
                • Part of subcall function 00D26259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00D1FA90), ref: 00D262B4
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D1FB2D
              • OleInitialize.OLE32(00000000), ref: 00D1FBAA
              • CloseHandle.KERNEL32(00000000), ref: 00D549F2
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID:
              • API String ID: 1986988660-0
              • Opcode ID: 412bbd5034b60637293055c629f46415f63191a0e917e76ec78c7aff8c37730a
              • Instruction ID: a3d4a2cad633d7e22dcae314bc6699d4dd0367c6eddbc56764078524a3215f1d
              • Opcode Fuzzy Hash: 412bbd5034b60637293055c629f46415f63191a0e917e76ec78c7aff8c37730a
              • Instruction Fuzzy Hash: 1281B4B090A344AEC784EF79FA50655BBE4EB99708714852BE018C73A2EB75D448CFF0
              Function 00D143DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D14401
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D144A6
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D144C3
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0
              • Opcode ID: 628953a11c7145e2f9b4db9853909ed55990f377273c9eb12f74cf198cb36647
              • Instruction ID: d04187e41abc2ed7fce86e9ea589b815a3165b174cae3b278819f38e91a137c7
              • Opcode Fuzzy Hash: 628953a11c7145e2f9b4db9853909ed55990f377273c9eb12f74cf198cb36647
              • Instruction Fuzzy Hash: 2E3150B05057019FD720DF64E88469BBBE8FB48304F04092EE59AC3251DBB5A984CBB6
              Function 00D3594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00D35963
                • Part of subcall function 00D3A3AB: __NMSG_WRITE.LIBCMT ref: 00D3A3D2
                • Part of subcall function 00D3A3AB: __NMSG_WRITE.LIBCMT ref: 00D3A3DC
              • __NMSG_WRITE.LIBCMT ref: 00D3596A
                • Part of subcall function 00D3A408: GetModuleFileNameW.KERNEL32(00000000,00DD43BA,00000104,?,00000001,00000000), ref: 00D3A49A
                • Part of subcall function 00D3A408: ___crtMessageBoxW.LIBCMT ref: 00D3A548
                • Part of subcall function 00D332DF: ___crtCorExitProcess.LIBCMT ref: 00D332E5
                • Part of subcall function 00D332DF: ExitProcess.KERNEL32 ref: 00D332EE
                • Part of subcall function 00D38D68: __getptd_noexit.LIBCMT ref: 00D38D68
              • RtlAllocateHeap.NTDLL(017A0000,00000000,00000001,00000000,?,?,?,00D31013,?), ref: 00D3598F
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              • Opcode ID: cbc7273a354f53431ce88246466968d2be749a23267d7f685223a6f18105b644
              • Instruction ID: 5314ba89d2853f53f3bebb2d750b7ec6f5b2968fbb9ff1de5911fc6a7f273bb6
              • Opcode Fuzzy Hash: cbc7273a354f53431ce88246466968d2be749a23267d7f685223a6f18105b644
              • Instruction Fuzzy Hash: F501DE31342B11DFEA216B68FC42B6E7388CF42730F58002AF841EA281DAB09D018A74
              Function 00D79B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON
              Download Yara Rule
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00D797D2,?,?,?,?,?,00000004), ref: 00D79B45
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00D797D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00D79B5B
              • CloseHandle.KERNEL32(00000000,?,00D797D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00D79B62
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              • Opcode ID: 39540eb8f05bd1efa66d5a509e662a2e2a0381b28953a060795ea34e87e5ffba
              • Instruction ID: edc845f1028bacbdeed5f90f1aded464057353847a4f1c34ed671633a57dcfd8
              • Opcode Fuzzy Hash: 39540eb8f05bd1efa66d5a509e662a2e2a0381b28953a060795ea34e87e5ffba
              • Instruction Fuzzy Hash: A1E08632680314F7D7211BA4EC09FCA7B18EB05761F148221FB14F91E087B1251197E8
              Function 00D78F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON
              Download Yara Rule
              APIs
              • _free.LIBCMT ref: 00D78FA5
                • Part of subcall function 00D32F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D39C64), ref: 00D32FA9
                • Part of subcall function 00D32F95: GetLastError.KERNEL32(00000000,?,00D39C64), ref: 00D32FBB
              • _free.LIBCMT ref: 00D78FB6
              • _free.LIBCMT ref: 00D78FC8
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
              • Instruction ID: bf003acae188795c17cf5ef5278fe1972fce4719c6211070c38ba98f47f86bc2
              • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
              • Instruction Fuzzy Hash: D6E012B1A097014ACA24A579AD44AB397EE9F88360B1C081EF50DDB142EE24E8419134
              Function 00D1AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274
              • Opcode ID: e27182117cb80398a007cfb658853c8b8765df32a152ace04987476e527ffc6d
              • Instruction ID: 6eed49d4748040134f9d143e99ccbe23f7d2b3f5df71e7e94a0da86f4f68d933
              • Opcode Fuzzy Hash: e27182117cb80398a007cfb658853c8b8765df32a152ace04987476e527ffc6d
              • Instruction Fuzzy Hash: 38224C74509341EFCB24DF18D450AAABBE1FF45314F18895DE8968B362DB31EC85CBA2
              Function 00D14DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove
              • String ID: EA06
              • API String ID: 4104443479-3962188686
              • Opcode ID: f4cd5bb202648009cdf10bcb4e1111f022942f14fc868d1141edc89b242bafd1
              • Instruction ID: b11a38ff37a4d375de65d99ed3f704fef6589390e683601a19872e622471c97d
              • Opcode Fuzzy Hash: f4cd5bb202648009cdf10bcb4e1111f022942f14fc868d1141edc89b242bafd1
              • Instruction Fuzzy Hash: 9E415B71A04554BBCF215B64B8A1BFE7FA6EF45300F2C4065F8829B286CE25CDC587B1
              Function 00D17BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
              • Instruction ID: 91cb80109cb6ac70af523ac60d0873829206a9c4e63406f4f997cbc948590039
              • Opcode Fuzzy Hash: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
              • Instruction Fuzzy Hash: 3C31A7B1604506AFC714DF28D9D1EA9B3A9FF483107158629E915CB2A1DF70E890CBE0
              Function 00D1492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON
              Download Yara Rule
              APIs
              • IsThemeActive.UXTHEME ref: 00D14992
                • Part of subcall function 00D335AC: __lock.LIBCMT ref: 00D335B2
                • Part of subcall function 00D335AC: DecodePointer.KERNEL32(00000001,?,00D149A7,00D681BC), ref: 00D335BE
                • Part of subcall function 00D335AC: EncodePointer.KERNEL32(?,?,00D149A7,00D681BC), ref: 00D335C9
                • Part of subcall function 00D14A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D14A73
                • Part of subcall function 00D14A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D14A88
                • Part of subcall function 00D13B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D13B7A
                • Part of subcall function 00D13B4C: IsDebuggerPresent.KERNEL32 ref: 00D13B8C
                • Part of subcall function 00D13B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00DD62F8,00DD62E0,?,?), ref: 00D13BFD
                • Part of subcall function 00D13B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00D13C81
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D149D2
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
              • String ID:
              • API String ID: 1438897964-0
              • Opcode ID: ed56721a34e7e70f8a6163a520df4da16a80eec9839a6373815b959e827e469e
              • Instruction ID: 2f59792a51c0ede9a7b170f761569d53dc2d7743195d5fde3f34a932a9bf81eb
              • Opcode Fuzzy Hash: ed56721a34e7e70f8a6163a520df4da16a80eec9839a6373815b959e827e469e
              • Instruction Fuzzy Hash: 13113671919311ABC700EF69E94594AFFE8EF98710F00451FF485C72A1DB709689CBB6
              Function 00D30FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE
              Download Yara Rule
              APIs
                • Part of subcall function 00D3594C: __FF_MSGBANNER.LIBCMT ref: 00D35963
                • Part of subcall function 00D3594C: __NMSG_WRITE.LIBCMT ref: 00D3596A
                • Part of subcall function 00D3594C: RtlAllocateHeap.NTDLL(017A0000,00000000,00000001,00000000,?,?,?,00D31013,?), ref: 00D3598F
              • std::exception::exception.LIBCMT ref: 00D3102C
              • __CxxThrowException@8.LIBCMT ref: 00D31041
                • Part of subcall function 00D387DB: RaiseException.KERNEL32(?,?,?,00DCBAF8,00000000,?,?,?,?,00D31046,?,00DCBAF8,?,00000001), ref: 00D38830
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0
              • Opcode ID: dc6e29e133771fdd3b4c29e8b84dba695c2db9cb81ad8cad27237b514a7d76b1
              • Instruction ID: 306d9d615dcced7d7e6193083ff1d5cd21be97d2800bae905a955395ee357c4e
              • Opcode Fuzzy Hash: dc6e29e133771fdd3b4c29e8b84dba695c2db9cb81ad8cad27237b514a7d76b1
              • Instruction Fuzzy Hash: F8F0CD7950031EA6CB24FB99EC06AEF7BACDF01351F140425F80496652DFB1CA84D6F0
              Function 00D355D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE
              Download Yara Rule
              APIs
                • Part of subcall function 00D38D68: __getptd_noexit.LIBCMT ref: 00D38D68
              • __lock_file.LIBCMT ref: 00D3561B
                • Part of subcall function 00D36E4E: __lock.LIBCMT ref: 00D36E71
              • __fclose_nolock.LIBCMT ref: 00D35626
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              • Opcode ID: ea10d9a30996090bfd27bf5b180f45607a6a7c73f0c0198213d1321650e70d84
              • Instruction ID: 96bc88c4e41dfe9392e6de52aaec77521436f185354f8791211806a4cfcd62c7
              • Opcode Fuzzy Hash: ea10d9a30996090bfd27bf5b180f45607a6a7c73f0c0198213d1321650e70d84
              • Instruction Fuzzy Hash: 28F02471800B019AD720AF34A80376EB7A0AF01330F548209B810AB0C5CF7C8A01ABB1
              Function 017DEB7D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON
              Download Yara Rule
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 017DF33B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017DF3D1
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017DF3F3
              Memory Dump Source
              • Source File: 00000000.00000002.1377300952.00000000017DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17dd000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
              • Instruction ID: a4a5bac1922356d43986ce6600141f348eaa1cc933198ce0f0846a2a879fc78c
              • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
              • Instruction Fuzzy Hash: F712BC24E24658C6EB24DF64D8507DEB272EF68300F1090E9D10DEB7A5E77A4F81CB5A
              Function 00D1F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9fead7f1a3d8c631eb0f42a163e7ca839ee3d866dc4f7f72e568ba5cb93c8076
              • Instruction ID: 8b1d022f6a089fecb60ef8bea6aa94a64fcded909065dd7a69d62b79620d39b1
              • Opcode Fuzzy Hash: 9fead7f1a3d8c631eb0f42a163e7ca839ee3d866dc4f7f72e568ba5cb93c8076
              • Instruction Fuzzy Hash: 0361AE70600606AFDB10DF64D991AABB7F5EF48304F148479ED4687252EB30ED95CBB1
              Function 00D30E48 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ProtectVirtual
              • String ID:
              • API String ID: 544645111-0
              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction ID: a732f29e968ca27685afa26b99945e0913a881882947e8a4732a00e0caf1514a
              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction Fuzzy Hash: 3431D175A00105DBC718DF58C4A0969FBA6FF59300F688AA5E44AEB651DB31EDC1CBA0
              Function 00D500D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: da5c1caac37dec298fb5f88d499ecbb7e0ef91aca82b95f84786faa5f732d514
              • Instruction ID: 239d2c87186ae5236018e771a173cf7920bc155c69a9f876070a2f00916515b2
              • Opcode Fuzzy Hash: da5c1caac37dec298fb5f88d499ecbb7e0ef91aca82b95f84786faa5f732d514
              • Instruction Fuzzy Hash: 1641F574608351DFDB24DF18D484B5ABBE0BF45318F19889CE8998B762C736E885CB62
              Function 00D17CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: cc42af3be4672e6688c6db71bc63ba78239c3a049173ebb0597e8698dd35b4fa
              • Instruction ID: 871cd3bd23a2c8fafd75fdd0171382b3d9f55bd66750967994c152141776d767
              • Opcode Fuzzy Hash: cc42af3be4672e6688c6db71bc63ba78239c3a049173ebb0597e8698dd35b4fa
              • Instruction Fuzzy Hash: FB21DC7160860AEBDB148F25F842BB97BB8FF94350F25846EE486C61A1EB30D0E09775
              Function 00D14F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D14D13: FreeLibrary.KERNEL32(00000000,?), ref: 00D14D4D
                • Part of subcall function 00D3548B: __wfsopen.LIBCMT ref: 00D35496
              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00DD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D14F6F
                • Part of subcall function 00D14CC8: FreeLibrary.KERNEL32(00000000), ref: 00D14D02
                • Part of subcall function 00D14DD0: _memmove.LIBCMT ref: 00D14E1A
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0
              • Opcode ID: 00f0438516d9f3c410bb46d9d5fc5a782e77bc1a29464cf7d7d5408299ad82b0
              • Instruction ID: 5f4e51386cbf89e9774cf5c150eaac3719b1d1d501ae9b92c39cedeb1faa27df
              • Opcode Fuzzy Hash: 00f0438516d9f3c410bb46d9d5fc5a782e77bc1a29464cf7d7d5408299ad82b0
              • Instruction Fuzzy Hash: 10119132A00709BBCF14AF70FC12BEE77A9DF84711F208429F581A62C5DE759A559BB0
              Function 00D501AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              • Opcode ID: 8d4a6a043720570e9b9356d9968e0617e4228330e2f8d5d5a42af3a52568c927
              • Instruction ID: 0a93d8fd7b7da276dbc2cb47650c761a7879217dd9df38339ac3456614f0d333
              • Opcode Fuzzy Hash: 8d4a6a043720570e9b9356d9968e0617e4228330e2f8d5d5a42af3a52568c927
              • Instruction Fuzzy Hash: 08212474608341EFCB14DF58D445A5ABBE0FF85314F098968F88A87722DB31E889CB62
              Function 00D34A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
              Download Yara Rule
              APIs
              • __lock_file.LIBCMT ref: 00D34AD6
                • Part of subcall function 00D38D68: __getptd_noexit.LIBCMT ref: 00D38D68
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              • Opcode ID: b823fb97a6c98e0b4b5079ac6803766c439a3163c37f6916e479e8b2f8a51d90
              • Instruction ID: 907f75c796772723da1784871ef669f2e3df2ed9f67d20d0be407e2a5c3b35a9
              • Opcode Fuzzy Hash: b823fb97a6c98e0b4b5079ac6803766c439a3163c37f6916e479e8b2f8a51d90
              • Instruction Fuzzy Hash: 16F03C31940209ABDB61AF648C0679E77A5EF00329F188518B424AB1D1DB7C9E51EF75
              Function 00D14FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON
              Download Yara Rule
              APIs
              • FreeLibrary.KERNEL32(?,?,00DD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D14FDE
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              • Opcode ID: d56c6c3dd93b9e5a90a1811412f6431f30765a054b23ae6643e20c169da0f059
              • Instruction ID: fe2c40fda18a747a07fc84e70044d1af72811bfa3ae8352e6226008d5df9a7f0
              • Opcode Fuzzy Hash: d56c6c3dd93b9e5a90a1811412f6431f30765a054b23ae6643e20c169da0f059
              • Instruction Fuzzy Hash: 06F03971105712EFCB349F64F494892BBE1BF043293248A3EE1D682710CB31A895DF60
              Function 00D309D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
              Download Yara Rule
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D309F4
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0
              • Opcode ID: 28400cc3e92590fcdc122f211a31d17e8c17b5890b261f9f95e1f2eab14ff9af
              • Instruction ID: 9f5f2b72b9db986b1382ed76ec7db50c0f90aae92e47a8bf4da55f4bccd6c7b3
              • Opcode Fuzzy Hash: 28400cc3e92590fcdc122f211a31d17e8c17b5890b261f9f95e1f2eab14ff9af
              • Instruction Fuzzy Hash: CDE0863690422857C720D698AC05FFA77ADDF89690F0401B6FC0CD7214D9609C8186B0
              Function 00D3548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction ID: fee4390e1afc30d9af49da73739dbf8630407b54f3833324f677116ecab31c63
              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction Fuzzy Hash: 89B0927684020C77DE412E82FC02A593B199B40678F808020FB0C18162A673A6A096A9
              Function 017DFB7C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON
              Download Yara Rule
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 017DFB91
              Memory Dump Source
              • Source File: 00000000.00000002.1377300952.00000000017DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17dd000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
              • Instruction ID: a985903d9434ade4183adc16d142b86b1551a8f3b6ebeb04420c3421b46ebafb
              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
              • Instruction Fuzzy Hash: C0E0BF7494110DEFDB00EFB4D6496EE7BB4EF04301F1005A1FD05E7681DB709E548A62
              Function 017DFB80 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
              Download Yara Rule
              APIs
              • Sleep.KERNELBASE(000001F4), ref: 017DFB91
              Memory Dump Source
              • Source File: 00000000.00000002.1377300952.00000000017DD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_17dd000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Sleep
              • String ID:
              • API String ID: 3472027048-0
              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction ID: 81e90fda0356d9f8d32acf1336c8caa311ce1daeab8570c38e64486bb2266d02
              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
              • Instruction Fuzzy Hash: 6EE0E67494110DDFDB00EFB4D6496AE7FB4EF04301F100161FD01E2281D6709D508A62

              Non-executed Functions

              Function 00D9CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D9CE50
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D9CE91
              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D9CED6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D9CF00
              • SendMessageW.USER32 ref: 00D9CF29
              • _wcsncpy.LIBCMT ref: 00D9CFA1
              • GetKeyState.USER32(00000011), ref: 00D9CFC2
              • GetKeyState.USER32(00000009), ref: 00D9CFCF
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D9CFE5
              • GetKeyState.USER32(00000010), ref: 00D9CFEF
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D9D018
              • SendMessageW.USER32 ref: 00D9D03F
              • SendMessageW.USER32(?,00001030,?,00D9B602), ref: 00D9D145
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D9D15B
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D9D16E
              • SetCapture.USER32(?), ref: 00D9D177
              • ClientToScreen.USER32(?,?), ref: 00D9D1DC
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D9D1E9
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D9D203
              • ReleaseCapture.USER32 ref: 00D9D20E
              • GetCursorPos.USER32(?), ref: 00D9D248
              • ScreenToClient.USER32(?,?), ref: 00D9D255
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00D9D2B1
              • SendMessageW.USER32 ref: 00D9D2DF
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00D9D31C
              • SendMessageW.USER32 ref: 00D9D34B
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D9D36C
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D9D37B
              • GetCursorPos.USER32(?), ref: 00D9D39B
              • ScreenToClient.USER32(?,?), ref: 00D9D3A8
              • GetParent.USER32(?), ref: 00D9D3C8
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00D9D431
              • SendMessageW.USER32 ref: 00D9D462
              • ClientToScreen.USER32(?,?), ref: 00D9D4C0
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D9D4F0
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00D9D51A
              • SendMessageW.USER32 ref: 00D9D53D
              • ClientToScreen.USER32(?,?), ref: 00D9D58F
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D9D5C3
                • Part of subcall function 00D125DB: GetWindowLongW.USER32(?,000000EB), ref: 00D125EC
              • GetWindowLongW.USER32(?,000000F0), ref: 00D9D65F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F
              • API String ID: 3977979337-4164748364
              • Opcode ID: ba477a451f7895285b43de7bf8c88b68cb7284448e225c51beab5d5f1800f29c
              • Instruction ID: c4f6fcd6b957a260be8d4bd7720cc0e8a3be1c3ac7f85dbf73b26441774b7179
              • Opcode Fuzzy Hash: ba477a451f7895285b43de7bf8c88b68cb7284448e225c51beab5d5f1800f29c
              • Instruction Fuzzy Hash: BE427970204341AFDB25CF28C854EAABBE6FF49314F18051AF696D72A1C731E854DBB6
              Function 00D9804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00D9873F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: %d/%02d/%02d
              • API String ID: 3850602802-328681919
              • Opcode ID: f04032ded0738db3ae6d502285d26e9cf9315e3f85809424001708e6c11c4961
              • Instruction ID: a76d695405e9ba0ba37b975409cb6100e40a70659dc2be974ca60b855ad557ba
              • Opcode Fuzzy Hash: f04032ded0738db3ae6d502285d26e9cf9315e3f85809424001708e6c11c4961
              • Instruction Fuzzy Hash: 5F129071500344ABEF259F64CC49FAA7BB5EF4AB10F24412AF915EA2E1DF709941DB30
              Function 00D2710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
              • API String ID: 1357608183-1798697756
              • Opcode ID: efc698a8ea9ea22d588860b5525726c2dd4a5bb5c65f0e0c7c2778f70ac7ac4d
              • Instruction ID: ff331aabf8265dff3cf81400c0d9bfd6c0c121101c6e8432e0e8ad505e967507
              • Opcode Fuzzy Hash: efc698a8ea9ea22d588860b5525726c2dd4a5bb5c65f0e0c7c2778f70ac7ac4d
              • Instruction Fuzzy Hash: 5893A175A04215DFDB24CF98D881BADB7B1FF58314F29816AE945EB380E7709E81CB60
              Function 00D14A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON
              Download Yara Rule
              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 00D14A3D
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D4DA8E
              • IsIconic.USER32(?), ref: 00D4DA97
              • ShowWindow.USER32(?,00000009), ref: 00D4DAA4
              • SetForegroundWindow.USER32(?), ref: 00D4DAAE
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D4DAC4
              • GetCurrentThreadId.KERNEL32 ref: 00D4DACB
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D4DAD7
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D4DAE8
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D4DAF0
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00D4DAF8
              • SetForegroundWindow.USER32(?), ref: 00D4DAFB
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D4DB10
              • keybd_event.USER32(00000012,00000000), ref: 00D4DB1B
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D4DB25
              • keybd_event.USER32(00000012,00000000), ref: 00D4DB2A
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D4DB33
              • keybd_event.USER32(00000012,00000000), ref: 00D4DB38
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D4DB42
              • keybd_event.USER32(00000012,00000000), ref: 00D4DB47
              • SetForegroundWindow.USER32(?), ref: 00D4DB4A
              • AttachThreadInput.USER32(?,?,00000000), ref: 00D4DB71
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: a202a51c285dd0b3b4889cdd91ac1b4eccb05bde885b44420ffe05af69f7063a
              • Instruction ID: 4e458fa1c7a36d4f75b3f9c9a5554b3b5ea1048c18eab988540b0c15a5a86328
              • Opcode Fuzzy Hash: a202a51c285dd0b3b4889cdd91ac1b4eccb05bde885b44420ffe05af69f7063a
              • Instruction Fuzzy Hash: FF317471A40318BFEB216FA19C4AF7F3E6DEB44B50F154026FA04EA2D0C6B05D11ABB1
              Function 00D68858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D68CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D68D0D
                • Part of subcall function 00D68CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D68D3A
                • Part of subcall function 00D68CC3: GetLastError.KERNEL32 ref: 00D68D47
              • _memset.LIBCMT ref: 00D6889B
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D688ED
              • CloseHandle.KERNEL32(?), ref: 00D688FE
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D68915
              • GetProcessWindowStation.USER32 ref: 00D6892E
              • SetProcessWindowStation.USER32(00000000), ref: 00D68938
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D68952
                • Part of subcall function 00D68713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D68851), ref: 00D68728
                • Part of subcall function 00D68713: CloseHandle.KERNEL32(?,?,00D68851), ref: 00D6873A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: 49f375c07bc732f049c628e8f130c4605c505986b1c59a3673cbce66790ebe08
              • Instruction ID: ed2367671f0a0d06e58e3d4f6dabff81f48282605436bbde2fefb17d9e1e3213
              • Opcode Fuzzy Hash: 49f375c07bc732f049c628e8f130c4605c505986b1c59a3673cbce66790ebe08
              • Instruction Fuzzy Hash: 1F8127B1940209AFDF11DFE4DD45AEEBBB8EF04304F18426AFD14A6261DB358E15AB70
              Function 00D8425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON
              Download Yara Rule
              APIs
              • OpenClipboard.USER32(00D9F910), ref: 00D84284
              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00D84292
              • GetClipboardData.USER32(0000000D), ref: 00D8429A
              • CloseClipboard.USER32 ref: 00D842A6
              • GlobalLock.KERNEL32(00000000), ref: 00D842C2
              • CloseClipboard.USER32 ref: 00D842CC
              • GlobalUnlock.KERNEL32(00000000), ref: 00D842E1
              • IsClipboardFormatAvailable.USER32(00000001), ref: 00D842EE
              • GetClipboardData.USER32(00000001), ref: 00D842F6
              • GlobalLock.KERNEL32(00000000), ref: 00D84303
              • GlobalUnlock.KERNEL32(00000000), ref: 00D84337
              • CloseClipboard.USER32 ref: 00D84447
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
              • String ID:
              • API String ID: 3222323430-0
              • Opcode ID: bda803d0f809deb38deb9e0708d5328d7530b4648728dc2bb626be3477b309ef
              • Instruction ID: b0d72de08edfba75b6770a2a3f48e07bfb8079027c0849195e09ba4c0cbca7c2
              • Opcode Fuzzy Hash: bda803d0f809deb38deb9e0708d5328d7530b4648728dc2bb626be3477b309ef
              • Instruction Fuzzy Hash: 60518C71208302ABD711FF64EC96FAE77A8EF84B00F14452AF596D22A1DF70D9448B76
              Function 00D7C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON
              Download Yara Rule
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00D7C9F8
              • FindClose.KERNEL32(00000000), ref: 00D7CA4C
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D7CA71
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D7CA88
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D7CAAF
              • __swprintf.LIBCMT ref: 00D7CAFB
              • __swprintf.LIBCMT ref: 00D7CB3E
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
              • __swprintf.LIBCMT ref: 00D7CB92
                • Part of subcall function 00D338D8: __woutput_l.LIBCMT ref: 00D33931
              • __swprintf.LIBCMT ref: 00D7CBE0
                • Part of subcall function 00D338D8: __flsbuf.LIBCMT ref: 00D33953
                • Part of subcall function 00D338D8: __flsbuf.LIBCMT ref: 00D3396B
              • __swprintf.LIBCMT ref: 00D7CC2F
              • __swprintf.LIBCMT ref: 00D7CC7E
              • __swprintf.LIBCMT ref: 00D7CCCD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: a7c62ab62a7a07a6a3f8fd01880d803e07485363dc4a4ba94080b9ff0ce132ea
              • Instruction ID: bc5779e8eafb76434b5069d9a1ffa545964bfe0d088476197079cad6860cf313
              • Opcode Fuzzy Hash: a7c62ab62a7a07a6a3f8fd01880d803e07485363dc4a4ba94080b9ff0ce132ea
              • Instruction Fuzzy Hash: 8FA14DB2508304BBC710EB64D9A5DAFB7ECEF94700F40491DB586C7192EA34EA49CB72
              Function 00D7F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON
              Download Yara Rule
              APIs
              • FindFirstFileW.KERNEL32(?,?,76128FB0,?,00000000), ref: 00D7F221
              • _wcscmp.LIBCMT ref: 00D7F236
              • _wcscmp.LIBCMT ref: 00D7F24D
              • GetFileAttributesW.KERNEL32(?), ref: 00D7F25F
              • SetFileAttributesW.KERNEL32(?,?), ref: 00D7F279
              • FindNextFileW.KERNEL32(00000000,?), ref: 00D7F291
              • FindClose.KERNEL32(00000000), ref: 00D7F29C
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00D7F2B8
              • _wcscmp.LIBCMT ref: 00D7F2DF
              • _wcscmp.LIBCMT ref: 00D7F2F6
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00D7F308
              • SetCurrentDirectoryW.KERNEL32(00DCA5A0), ref: 00D7F326
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D7F330
              • FindClose.KERNEL32(00000000), ref: 00D7F33D
              • FindClose.KERNEL32(00000000), ref: 00D7F34F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: 6fa6d88b6d3bb46946cc9dfabf54372d836308fa664688de66909565fa80a083
              • Instruction ID: 34c7ffd9f931d2cd740fbff62e5f4a8594873df1e892bfd4fff10767e810326e
              • Opcode Fuzzy Hash: 6fa6d88b6d3bb46946cc9dfabf54372d836308fa664688de66909565fa80a083
              • Instruction Fuzzy Hash: 0631A3766012196FDB20DBB4DC49BEE73ACEF08361F188176E818D31A0EB34DA45CA74
              Function 00D90AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON
              Download Yara Rule
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D90BDE
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00D9F910,00000000,?,00000000,?,?), ref: 00D90C4C
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00D90C94
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00D90D1D
              • RegCloseKey.ADVAPI32(?), ref: 00D9103D
              • RegCloseKey.ADVAPI32(00000000), ref: 00D9104A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: 4080d8b7623fb6c910723aea6603b4bd1e4fe5f6a9dea6d4709e66ae892d22c7
              • Instruction ID: a7c0345af0729e804e01c6f0029c21403b2f91b6f7115542c1f544991acdd618
              • Opcode Fuzzy Hash: 4080d8b7623fb6c910723aea6603b4bd1e4fe5f6a9dea6d4709e66ae892d22c7
              • Instruction Fuzzy Hash: 86026D75200611AFCB14DF24D891E6ABBE5FF88714F04885DF89A9B362CB31ED45CBA1
              Function 00D7F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON
              Download Yara Rule
              APIs
              • FindFirstFileW.KERNEL32(?,?,76128FB0,?,00000000), ref: 00D7F37E
              • _wcscmp.LIBCMT ref: 00D7F393
              • _wcscmp.LIBCMT ref: 00D7F3AA
                • Part of subcall function 00D745C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D745DC
              • FindNextFileW.KERNEL32(00000000,?), ref: 00D7F3D9
              • FindClose.KERNEL32(00000000), ref: 00D7F3E4
              • FindFirstFileW.KERNEL32(*.*,?), ref: 00D7F400
              • _wcscmp.LIBCMT ref: 00D7F427
              • _wcscmp.LIBCMT ref: 00D7F43E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00D7F450
              • SetCurrentDirectoryW.KERNEL32(00DCA5A0), ref: 00D7F46E
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D7F478
              • FindClose.KERNEL32(00000000), ref: 00D7F485
              • FindClose.KERNEL32(00000000), ref: 00D7F497
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: 3330d2baafa36cb2bdd97eb5c089afb634a5a009a850fd76c4ca3baa9af9d49a
              • Instruction ID: 7bc9aad9192d89c6182902678b73446bd7dd0d1e4e933709c68dcfd3f2467116
              • Opcode Fuzzy Hash: 3330d2baafa36cb2bdd97eb5c089afb634a5a009a850fd76c4ca3baa9af9d49a
              • Instruction Fuzzy Hash: F631D5715012196FCF209B74EC89ADE77AC9F09328F148176E858E31A0E734DE44CA74
              Function 00D681F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D6874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D68766
                • Part of subcall function 00D6874A: GetLastError.KERNEL32(?,00D6822A,?,?,?), ref: 00D68770
                • Part of subcall function 00D6874A: GetProcessHeap.KERNEL32(00000008,?,?,00D6822A,?,?,?), ref: 00D6877F
                • Part of subcall function 00D6874A: HeapAlloc.KERNEL32(00000000,?,00D6822A,?,?,?), ref: 00D68786
                • Part of subcall function 00D6874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D6879D
                • Part of subcall function 00D687E7: GetProcessHeap.KERNEL32(00000008,00D68240,00000000,00000000,?,00D68240,?), ref: 00D687F3
                • Part of subcall function 00D687E7: HeapAlloc.KERNEL32(00000000,?,00D68240,?), ref: 00D687FA
                • Part of subcall function 00D687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D68240,?), ref: 00D6880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D6825B
              • _memset.LIBCMT ref: 00D68270
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D6828F
              • GetLengthSid.ADVAPI32(?), ref: 00D682A0
              • GetAce.ADVAPI32(?,00000000,?), ref: 00D682DD
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D682F9
              • GetLengthSid.ADVAPI32(?), ref: 00D68316
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D68325
              • HeapAlloc.KERNEL32(00000000), ref: 00D6832C
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D6834D
              • CopySid.ADVAPI32(00000000), ref: 00D68354
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D68385
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D683AB
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D683BF
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: 6ddfe5970ddc038a9633962313c2be54f7ff8f7a10e8b2c7b2164dfbb44ae52c
              • Instruction ID: 2ce3dbafa06ca6ba18eb1d36f4953313579284ca31f6ed1f755ca4cdc4b73929
              • Opcode Fuzzy Hash: 6ddfe5970ddc038a9633962313c2be54f7ff8f7a10e8b2c7b2164dfbb44ae52c
              • Instruction Fuzzy Hash: C6613871900209ABDF009FA4DD85AAEBBB9FF04700F14826AE815EB391DB319A15DB70
              Function 00D26843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
              • API String ID: 0-4052911093
              • Opcode ID: 974337704fdb662f025a273023e22fbac5c5d58d251a24ed995560d9f66ebf87
              • Instruction ID: 97a24b1869f994bf43450c9eed9fba56da0af70ef2bfa1010dd5d00a3e9db310
              • Opcode Fuzzy Hash: 974337704fdb662f025a273023e22fbac5c5d58d251a24ed995560d9f66ebf87
              • Instruction Fuzzy Hash: CD726F75E00329DBDB14CF58D8807AEB7B5EF58714F18816AE849EB290DB70DD81DBA0
              Function 00D90665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D90038,?,?), ref: 00D910BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D90737
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D907D6
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D9086E
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00D90AAD
              • RegCloseKey.ADVAPI32(00000000), ref: 00D90ABA
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: f1318d64aa3479fb8efe6d872aa7704677512439a38fb5cb607da2885b9d6ec0
              • Instruction ID: a72e7a8f81cbcd14442beb787798d2f10a44ceb34f77540f78b0f8dd831252b9
              • Opcode Fuzzy Hash: f1318d64aa3479fb8efe6d872aa7704677512439a38fb5cb607da2885b9d6ec0
              • Instruction Fuzzy Hash: 48E14E31204310AFCB14DF24D895E6ABBF9EF89714F04896DF49ADB261DA30ED45CB61
              Function 00D70219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON
              Download Yara Rule
              APIs
              • GetKeyboardState.USER32(?), ref: 00D70241
              • GetAsyncKeyState.USER32(000000A0), ref: 00D702C2
              • GetKeyState.USER32(000000A0), ref: 00D702DD
              • GetAsyncKeyState.USER32(000000A1), ref: 00D702F7
              • GetKeyState.USER32(000000A1), ref: 00D7030C
              • GetAsyncKeyState.USER32(00000011), ref: 00D70324
              • GetKeyState.USER32(00000011), ref: 00D70336
              • GetAsyncKeyState.USER32(00000012), ref: 00D7034E
              • GetKeyState.USER32(00000012), ref: 00D70360
              • GetAsyncKeyState.USER32(0000005B), ref: 00D70378
              • GetKeyState.USER32(0000005B), ref: 00D7038A
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 50774a206cd7e23692ee95c7a3312bb8f8f4efb7620235b7aed6834071bdf331
              • Instruction ID: 60462bd5ed9410811dc185cbaf8b59b2ea395d7caa0a11d9efe94eabc9fde33f
              • Opcode Fuzzy Hash: 50774a206cd7e23692ee95c7a3312bb8f8f4efb7620235b7aed6834071bdf331
              • Instruction Fuzzy Hash: F74195246047C9EEFF719B64C8083B5BEA06B12344F0CC09ED5CE966C2FB9499C487B6
              Function 00D886D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              • CoInitialize.OLE32 ref: 00D88718
              • CoUninitialize.OLE32 ref: 00D88723
              • CoCreateInstance.OLE32(?,00000000,00000017,00DA2BEC,?), ref: 00D88783
              • IIDFromString.OLE32(?,?), ref: 00D887F6
              • VariantInit.OLEAUT32(?), ref: 00D88890
              • VariantClear.OLEAUT32(?), ref: 00D888F1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: dab2755c0bf2fafdb7d6adb853989b89c201f0a99a10445e842d0e2b64fe4a67
              • Instruction ID: af4c0e5cd50babfd342fc2e319ebe5802ca89d28215b1b170e8838f6810c2d71
              • Opcode Fuzzy Hash: dab2755c0bf2fafdb7d6adb853989b89c201f0a99a10445e842d0e2b64fe4a67
              • Instruction Fuzzy Hash: 23618970608301AFD710EF24D958A6ABBF8EF48714F944819F9859B291DB70ED48DBB2
              Function 00D84458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 0b251dfb7ec018bc076fcb0aa680e1a0ae5d2542a258c23cc2cebcafa5cc1c01
              • Instruction ID: c4fd1693ae58d5199f7f898e8f4469a2ee4f6eea846e9ad238de0f168a012f40
              • Opcode Fuzzy Hash: 0b251dfb7ec018bc076fcb0aa680e1a0ae5d2542a258c23cc2cebcafa5cc1c01
              • Instruction Fuzzy Hash: 0E214B35241311AFDB10AF64EC59B69BBA9EF04711F14806AF946DB2A1DB74AD008B74
              Function 00D73A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D148A1,?,?,00D137C0,?), ref: 00D148CE
                • Part of subcall function 00D74CD3: GetFileAttributesW.KERNEL32(?,00D73947), ref: 00D74CD4
              • FindFirstFileW.KERNEL32(?,?), ref: 00D73ADF
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00D73B87
              • MoveFileW.KERNEL32(?,?), ref: 00D73B9A
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00D73BB7
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D73BD9
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00D73BF5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              • Opcode ID: 8a19d940f41c1f57daad515f6a00147099ca6fb090b10572e07c730cfc4cb072
              • Instruction ID: c05d27eca647ff7edbb9bc3a1ba28fc3be7ffb633f5320a663094a950dff858f
              • Opcode Fuzzy Hash: 8a19d940f41c1f57daad515f6a00147099ca6fb090b10572e07c730cfc4cb072
              • Instruction Fuzzy Hash: 8151843180124DAACF15EBA0ED929EDB779EF14300F648169E446B71A1EF306F49DB70
              Function 00D7F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00D7F6AB
              • Sleep.KERNEL32(0000000A), ref: 00D7F6DB
              • _wcscmp.LIBCMT ref: 00D7F6EF
              • _wcscmp.LIBCMT ref: 00D7F70A
              • FindNextFileW.KERNEL32(?,?), ref: 00D7F7A8
              • FindClose.KERNEL32(00000000), ref: 00D7F7BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              • Opcode ID: cf470b3b1ab6f576880d25496d7f0fd9af03a8f75acd7d52dcf0823177278824
              • Instruction ID: 5c75b1e071cca754ae16943a4f3556686838a9dd881eacba45f8a3e9532c79b4
              • Opcode Fuzzy Hash: cf470b3b1ab6f576880d25496d7f0fd9af03a8f75acd7d52dcf0823177278824
              • Instruction Fuzzy Hash: B441537190421AAFDF25DF64DC45AEEBBB4FF05310F148566E819A71A1EB309E84CBB0
              Function 00D24140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
              • API String ID: 0-1546025612
              • Opcode ID: 44a8e171178fc381931744a426b847e80b3b7dd715e22fae06e722ab985fe709
              • Instruction ID: fa9b8e5056ba1e393596ed7e718516d14ef68ce312df7c7e62309cc7d4e0003f
              • Opcode Fuzzy Hash: 44a8e171178fc381931744a426b847e80b3b7dd715e22fae06e722ab985fe709
              • Instruction Fuzzy Hash: 8BA29270E0422ACBDF24CF58E9407ADB7B1BF64319F2881AADC56A7280D7709D85DF60
              Function 00D258C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 25d0a55f94d4fc1e3d8310edba2be23c26a7f0c76ebe195d1d2d1dc20bcbb501
              • Instruction ID: 5707f16df6b520e568491f858e14d12e3a03f77c340519a0c7dcadb055d6e98e
              • Opcode Fuzzy Hash: 25d0a55f94d4fc1e3d8310edba2be23c26a7f0c76ebe195d1d2d1dc20bcbb501
              • Instruction Fuzzy Hash: 43129970A0061AEBDF04CFA4E981AEEB7B5FF58304F148169E446E7294EB35AD51CB70
              Function 00D7545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D68CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D68D0D
                • Part of subcall function 00D68CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D68D3A
                • Part of subcall function 00D68CC3: GetLastError.KERNEL32 ref: 00D68D47
              • ExitWindowsEx.USER32(?,00000000), ref: 00D7549B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              • Opcode ID: adeca1597a8b8af272352733dd7194b1b122ca049c07f3ad99cc636682cf3c22
              • Instruction ID: 156f2867006745e4fe3b3917b088c16d80379ce5ddfb4ad1cd38940736b3ae3f
              • Opcode Fuzzy Hash: adeca1597a8b8af272352733dd7194b1b122ca049c07f3ad99cc636682cf3c22
              • Instruction Fuzzy Hash: D6014731A54B156BE7285378FC4ABBA7358EB00347F288126FD4ED20C6FAD15C8081B2
              Function 00D86596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON
              Download Yara Rule
              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D865EF
              • WSAGetLastError.WSOCK32(00000000), ref: 00D865FE
              • bind.WSOCK32(00000000,?,00000010), ref: 00D8661A
              • listen.WSOCK32(00000000,00000005), ref: 00D86629
              • WSAGetLastError.WSOCK32(00000000), ref: 00D86643
              • closesocket.WSOCK32(00000000,00000000), ref: 00D86657
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              • Opcode ID: 3492fac9e8adcf21aa17a784613406bd27a375e085495b1abd2d112118df0c98
              • Instruction ID: 970e16bfd2f9db2592101f552f6cf340583806b9856db2d8c01554cad3d9dc50
              • Opcode Fuzzy Hash: 3492fac9e8adcf21aa17a784613406bd27a375e085495b1abd2d112118df0c98
              • Instruction Fuzzy Hash: ED217E31600204AFCB10AF64D85AB6EB7A9EF44720F14819AF956E73D1DB70ED418B71
              Function 00D25680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D30FF6: std::exception::exception.LIBCMT ref: 00D3102C
                • Part of subcall function 00D30FF6: __CxxThrowException@8.LIBCMT ref: 00D31041
              • _memmove.LIBCMT ref: 00D6062F
              • _memmove.LIBCMT ref: 00D60744
              • _memmove.LIBCMT ref: 00D607EB
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 1300846289-0
              • Opcode ID: 099346ec2aff1eb48634870a8a6c6006c1190eefcb9e670f46fb35781cc0228a
              • Instruction ID: fbe1eb8b8c675cca388f703b8161e6b3cdd16a4b16170c5e63d94a954f101937
              • Opcode Fuzzy Hash: 099346ec2aff1eb48634870a8a6c6006c1190eefcb9e670f46fb35781cc0228a
              • Instruction Fuzzy Hash: 85028FB1E00209EBDF04DF64E991AAEBBB5FF54300F148069E846DB255EB31DA51CBB1
              Function 00D11287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00D119FA
              • GetSysColor.USER32(0000000F), ref: 00D11A4E
              • SetBkColor.GDI32(?,00000000), ref: 00D11A61
                • Part of subcall function 00D11290: DefDlgProcW.USER32(?,00000020,?), ref: 00D112D8
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ColorProc$LongWindow
              • String ID:
              • API String ID: 3744519093-0
              • Opcode ID: 6649cffcbc71c13c79a672a8fc79ccadb21a9d33a579bffd02f9eaef6fd07938
              • Instruction ID: c7f94d6df6269fb7b5a4dc3e826cb8926de8e943fbbfaf91fe227c01527932e6
              • Opcode Fuzzy Hash: 6649cffcbc71c13c79a672a8fc79ccadb21a9d33a579bffd02f9eaef6fd07938
              • Instruction Fuzzy Hash: E3A17A78106546BBDB28AB78BC85DFF3D9DDF42351B18010BF652D6292CE20DC8292F2
              Function 00D86A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D880CB
              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D86AB1
              • WSAGetLastError.WSOCK32(00000000), ref: 00D86ADA
              • bind.WSOCK32(00000000,?,00000010), ref: 00D86B13
              • WSAGetLastError.WSOCK32(00000000), ref: 00D86B20
              • closesocket.WSOCK32(00000000,00000000), ref: 00D86B34
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 99427753-0
              • Opcode ID: bcf9aa50af54dff42bbd78f12805022040336a86b970178e12d2e6e5e1da6438
              • Instruction ID: 26279d7bce8ba33454db2c2c8bcc4fe8e77da411c6df90f0aeb95ad1ea084eda
              • Opcode Fuzzy Hash: bcf9aa50af54dff42bbd78f12805022040336a86b970178e12d2e6e5e1da6438
              • Instruction Fuzzy Hash: 0F419375640210AFEB10BF64EC96FAEB7A5DF44720F048059F956AB3D2DE709D4087B1
              Function 00D955FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: de9d657c3f60fb62cc8159b7074b4135ab921e4d3eb952130b6d1541949052de
              • Instruction ID: 183938aa1315982bbd49a1e103767006d8dc3d0ae4b7dbbad95eba36780e429f
              • Opcode Fuzzy Hash: de9d657c3f60fb62cc8159b7074b4135ab921e4d3eb952130b6d1541949052de
              • Instruction Fuzzy Hash: DA11BF32340A116FEB221F66EC54B6FBB99EF45721B89403AF846D7241CB70D942CBB4
              Function 00D8C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00D51D88,?), ref: 00D8C312
              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D8C324
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetSystemWow64DirectoryW$kernel32.dll
              • API String ID: 2574300362-1816364905
              • Opcode ID: 123c752f550d80acf43eb36e40110685a666bd4baad48720c0bf8488fb0134f8
              • Instruction ID: 5270b663b257d3aa5d3f8eb3e5d4de9f840aa46348e226b02c6bcbdaa85e6254
              • Opcode Fuzzy Hash: 123c752f550d80acf43eb36e40110685a666bd4baad48720c0bf8488fb0134f8
              • Instruction Fuzzy Hash: A2E0EC74610713CFDB205F25D804B4676D8EB19755B94D43AE896D2260E7B0D881CBB0
              Function 00D23190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __itow__swprintf
              • String ID:
              • API String ID: 674341424-0
              • Opcode ID: 4ff0cd6fa70b861d76ea7ee032849bfbe0070bf4ec7c4e12e416ef4d11e16352
              • Instruction ID: 6bf29bd6726311d9bea0c783fd25420b66aa0c51a56628107cb0e948c4e91cdc
              • Opcode Fuzzy Hash: 4ff0cd6fa70b861d76ea7ee032849bfbe0070bf4ec7c4e12e416ef4d11e16352
              • Instruction Fuzzy Hash: 4B229D716083119FC724DF24E891BAEB7E5EF94304F14491DF89A97291DB34EA48CBB2
              Function 00D8F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON
              Download Yara Rule
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 00D8F151
              • Process32FirstW.KERNEL32(00000000,?), ref: 00D8F15F
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
              • Process32NextW.KERNEL32(00000000,?), ref: 00D8F21F
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00D8F22E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              • API String ID: 2576544623-0
              • Opcode ID: 4a34b1aaf182263915faba972ac9512b1ea0b2f81060b5ee07dbc60dc5bb8ebb
              • Instruction ID: c0f828b796e27b90d5178a3f09772ca0bd4190092d029d994e44c802c329e3f0
              • Opcode Fuzzy Hash: 4a34b1aaf182263915faba972ac9512b1ea0b2f81060b5ee07dbc60dc5bb8ebb
              • Instruction Fuzzy Hash: AA514C71504311AFD310EF24EC95AABBBE8EF94710F14482DF495D72A1EB70A948CBB2
              Function 00D740B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON
              Download Yara Rule
              APIs
              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00D740D1
              • _memset.LIBCMT ref: 00D740F2
              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00D74144
              • CloseHandle.KERNEL32(00000000), ref: 00D7414D
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CloseControlCreateDeviceFileHandle_memset
              • String ID:
              • API String ID: 1157408455-0
              • Opcode ID: 2fea081b37896dec5ab7e19e799c724a09c3d23f6c57e1c6c97fb0bb3edd96fb
              • Instruction ID: 9f6ca297dbdb96567cbc8902ad5b331736e2bc67fa8fbbcdfa30d1c5141d122d
              • Opcode Fuzzy Hash: 2fea081b37896dec5ab7e19e799c724a09c3d23f6c57e1c6c97fb0bb3edd96fb
              • Instruction Fuzzy Hash: 0D11AB759013287AD7305BA59C4DFABBB7CEF44760F10419AF908D7280D6744E808BB4
              Function 00D6EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON
              Download Yara Rule
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D6EB19
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: 1d331258c20744e28e64d6699a9fea76ca2a8b708c08e69752ca171ffd06e88e
              • Instruction ID: b59690293e033235d88e14f1fbd025d62ff882e529d0d49cf06d5cae9c8663b5
              • Opcode Fuzzy Hash: 1d331258c20744e28e64d6699a9fea76ca2a8b708c08e69752ca171ffd06e88e
              • Instruction Fuzzy Hash: 67323579A007059FCB28CF19D481A6AB7F1FF48310B15C56EE89ADB3A1E770E941CB50
              Function 00D825E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON
              Download Yara Rule
              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D81AFE,00000000), ref: 00D826D5
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00D8270C
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: 3cbbaa7a539a00a697fb53327af65c8a963a54d3e2824b3be24397c7e35e01d3
              • Instruction ID: 93fd4389e569f5d40708966cda2b275f60153a19e1be6583229353bbc1429e06
              • Opcode Fuzzy Hash: 3cbbaa7a539a00a697fb53327af65c8a963a54d3e2824b3be24397c7e35e01d3
              • Instruction Fuzzy Hash: 2041D3B5500309BFEB20EF95DC86EBBB7BCEB40724F14406AF645A6140EAB1EE419770
              Function 00D7B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON
              Download Yara Rule
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00D7B5AE
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D7B608
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00D7B655
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: 05366252eb7843600d60caa1ee098f46a6c5060923b48df959be9aab8e9ed4dd
              • Instruction ID: 068211cd08ce1d617e31cd0ebc3f90ed6206f44997c662c1b466a39368f1b2d2
              • Opcode Fuzzy Hash: 05366252eb7843600d60caa1ee098f46a6c5060923b48df959be9aab8e9ed4dd
              • Instruction Fuzzy Hash: 13215135A00218EFCB00EF65D890AEDBBB8FF48310F1480AAE945EB351DB319955CB65
              Function 00D68CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D30FF6: std::exception::exception.LIBCMT ref: 00D3102C
                • Part of subcall function 00D30FF6: __CxxThrowException@8.LIBCMT ref: 00D31041
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D68D0D
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D68D3A
              • GetLastError.KERNEL32 ref: 00D68D47
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: 23e3c6635f73dcf498a7dd93f93f2c859bd638956ab109de4a7406cf6ffca04b
              • Instruction ID: 590939c0b9a55a0e0e74a552f32d948d02013b326e55f8dec6ab3ea1b3868a76
              • Opcode Fuzzy Hash: 23e3c6635f73dcf498a7dd93f93f2c859bd638956ab109de4a7406cf6ffca04b
              • Instruction Fuzzy Hash: AD118FB2414309AFD728DF54DC85D6BB7BCEF44710B24862EF45693241EB70AC408A70
              Function 00D74C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
              Download Yara Rule
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D74C2C
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D74C43
              • FreeSid.ADVAPI32(?), ref: 00D74C53
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: f6db5567b9133f196cc12f2c06a5c799721230fe2844ab78a79362fb62b3c901
              • Instruction ID: fb87d616f4ee4b7fc7f39ac647d083749e24e34c9d2018a91264622d2ee14445
              • Opcode Fuzzy Hash: f6db5567b9133f196cc12f2c06a5c799721230fe2844ab78a79362fb62b3c901
              • Instruction Fuzzy Hash: 44F0627591130CBFDF04DFF0DC89ABDB7BCEF08201F104469A505E2281E7705A048B60
              Function 00D1E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0bd5b6f3c7b9446a24a5b0f5c38c1e40d88828671c64ec7523cfe3cdc209dfaa
              • Instruction ID: 9aac40ba65e8ddaaff3e760a9d87f844841a7733baec0de25399c20e8151b1a1
              • Opcode Fuzzy Hash: 0bd5b6f3c7b9446a24a5b0f5c38c1e40d88828671c64ec7523cfe3cdc209dfaa
              • Instruction Fuzzy Hash: 71227D74900216EFDB24DF54D490AEAB7B1FF08300F188569EC969B351EB34E985CBB1
              Function 00D7C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON
              Download Yara Rule
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 00D7C966
              • FindClose.KERNEL32(00000000), ref: 00D7C996
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 73b2492b61b4a6124797ef0b5511bbb518b995400a383299f24a3a4a39ffdad8
              • Instruction ID: 0d348f60e6b6f570e943a42cd223cadead7662c4ac2f8d10a6fe7f276019813e
              • Opcode Fuzzy Hash: 73b2492b61b4a6124797ef0b5511bbb518b995400a383299f24a3a4a39ffdad8
              • Instruction Fuzzy Hash: 0B115E726106009FD710EF29D855A6AF7E9EF84325F04851EF9A9D7291DB34AC04CBA1
              Function 00D7A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
              Download Yara Rule
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D8977D,?,00D9FB84,?), ref: 00D7A302
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D8977D,?,00D9FB84,?), ref: 00D7A314
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: 01d83ef751f6fb22893ca1405017fd6e877670f2913fc48e5b0bcd9ec901ed09
              • Instruction ID: ecbc4c3aa47280f5770b1403ce13b5415d84955c9998f43c3238e12a1d1a3b39
              • Opcode Fuzzy Hash: 01d83ef751f6fb22893ca1405017fd6e877670f2913fc48e5b0bcd9ec901ed09
              • Instruction Fuzzy Hash: 9BF05E3564422DBBDB109FA4CC48FEA776DEF09761F008266B909D6291DA309940CBB1
              Function 00D68713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
              Download Yara Rule
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D68851), ref: 00D68728
              • CloseHandle.KERNEL32(?,?,00D68851), ref: 00D6873A
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: 38cc2a9b1df19777cd8ac44cc88a204e0a4f93a700b5c984867d6b08076457f5
              • Instruction ID: 42764a434bd86208560031eeef5dac9c122cda555dfc3ee233dd1164d78f6817
              • Opcode Fuzzy Hash: 38cc2a9b1df19777cd8ac44cc88a204e0a4f93a700b5c984867d6b08076457f5
              • Instruction Fuzzy Hash: 27E0B676010611EFE7252B60EC09E777BA9EB04350B24892AF49AC0470DB62AC90DB30
              Function 00D3A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D38F97,?,?,?,00000001), ref: 00D3A39A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00D3A3A3
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: fae68668666345d52dbbd220173d654ff6ff3c93a946dedfa9231e1aca0f21cf
              • Instruction ID: 651769670d447b3c4e5f57713e16f1c97a69e053fae7880c7764a6b085d6ea5e
              • Opcode Fuzzy Hash: fae68668666345d52dbbd220173d654ff6ff3c93a946dedfa9231e1aca0f21cf
              • Instruction Fuzzy Hash: ACB09231054308EBCA002BA1EC09B883F68EB44BA2F404022F60DC4260CB6654A08AA1
              Function 00D1E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON
              Download Yara Rule
              Strings
              • Variable must be of type 'Object'., xrefs: 00D5428C
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID: Variable must be of type 'Object'.
              • API String ID: 0-109567571
              • Opcode ID: 7ed9710d4cb7d6815dcb7950b3574a1a1c61f86734c705b713dd9dfab823079a
              • Instruction ID: 7309da1dcb55384153337cade536ed46fe8d535cd01f4a2875e2130a726e40fb
              • Opcode Fuzzy Hash: 7ed9710d4cb7d6815dcb7950b3574a1a1c61f86734c705b713dd9dfab823079a
              • Instruction Fuzzy Hash: ABA27B74A04205EBCB24CF58E580AE9B7B1FF48314F688059EC56AB351DB31ED86CBA1
              Function 00D3F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6a892358d5a31a6f7062fe7c1a455578b3c471a6856b514f26242cee11eceb8
              • Instruction ID: 5b41a6a3406403b3011ec96e8b4f8286a81a6c73709b1ecd620d12bc8c1882bd
              • Opcode Fuzzy Hash: f6a892358d5a31a6f7062fe7c1a455578b3c471a6856b514f26242cee11eceb8
              • Instruction Fuzzy Hash: 6D321562D69F054DD7239634DC72336A289AFB73C4F15D737F819B5AA6EB28C4834120
              Function 00D4267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e17e03839bd34d51a474ea0ddb9235491f45ec5cb54eb0186eb7d01a9342a913
              • Instruction ID: e6774e29df83004fffe3947f22679978eaea369990027b3f5cc634ccd29721ea
              • Opcode Fuzzy Hash: e17e03839bd34d51a474ea0ddb9235491f45ec5cb54eb0186eb7d01a9342a913
              • Instruction Fuzzy Hash: 1AB11520D2AF414DD76396398831336BB8CAFBB2D5F51D71BFC1AB4E22EB2185838151
              Function 00D78B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
              Download Yara Rule
              APIs
              • __time64.LIBCMT ref: 00D78B25
                • Part of subcall function 00D3543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00D791F8,00000000,?,?,?,?,00D793A9,00000000,?), ref: 00D35443
                • Part of subcall function 00D3543A: __aulldiv.LIBCMT ref: 00D35463
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID:
              • API String ID: 2893107130-0
              • Opcode ID: 916990c77bdc4493467816a1f17832c53291981ce440a4a49653b658cd8e4568
              • Instruction ID: 72b0224ca7711d8d3b9cfff7973dcabb0b03001c0a10686b960ecad9ba885433
              • Opcode Fuzzy Hash: 916990c77bdc4493467816a1f17832c53291981ce440a4a49653b658cd8e4568
              • Instruction Fuzzy Hash: 1321E4726356108BC329CF25D441A52B3E1EBA4321B288E6DD0F9CB2D0DA34B905DBA4
              Function 00D841FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON
              Download Yara Rule
              APIs
              • BlockInput.USER32(00000001), ref: 00D84218
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BlockInput
              • String ID:
              • API String ID: 3456056419-0
              • Opcode ID: 52d79a7cf8f70fa67e1d5d17b2d7c425017fc99920e9e86c7351f2bd8da020f6
              • Instruction ID: d11cd1634a18cd832bc5898a10ca38dfb77cad8d00fce7896f6b4c2fadfd29c6
              • Opcode Fuzzy Hash: 52d79a7cf8f70fa67e1d5d17b2d7c425017fc99920e9e86c7351f2bd8da020f6
              • Instruction Fuzzy Hash: 38E04F31284215AFC710EF69E854A9AF7E9EF94760F008026FC49C7352DA70F8408BB0
              Function 00D74EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
              Download Yara Rule
              APIs
              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00D74EEC
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: mouse_event
              • String ID:
              • API String ID: 2434400541-0
              • Opcode ID: 7fa76e6b4ff314e601ed49bfab86381404d2f1e5b84e40f8d2cc632675f5ec64
              • Instruction ID: 9139bc34c784585567d3fefa38177b42e442ca5acd5e80c19d01bfb323359e6a
              • Opcode Fuzzy Hash: 7fa76e6b4ff314e601ed49bfab86381404d2f1e5b84e40f8d2cc632675f5ec64
              • Instruction Fuzzy Hash: 0ED05E981A071479FC5A4B209C5FF771108F3007A1FD8C14EB54AC91C1FAD0AC505530
              Function 00D68C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
              Download Yara Rule
              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D688D1), ref: 00D68CB3
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: bdeaeea4ca624f90c689fb5e023ea2eae1e076ce9c1ae1e47d9664e3e9d92a77
              • Instruction ID: f62c662f3e9fc25bcc66ed9a8f7e93f3599fa6262b18d5013484f4ba235c5b4f
              • Opcode Fuzzy Hash: bdeaeea4ca624f90c689fb5e023ea2eae1e076ce9c1ae1e47d9664e3e9d92a77
              • Instruction Fuzzy Hash: 30D05E3226460EABEF018FA4DC01EAE3B69EB04B01F408111FE15C51A1C775D835AB60
              Function 00D52230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
              Download Yara Rule
              APIs
              • GetUserNameW.ADVAPI32(?,?), ref: 00D52242
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0
              • Opcode ID: bc71f5b31d5a5d4c537f34e1b03775f0de1ed5794a0e4954b210cc6214472bbb
              • Instruction ID: 80c3544e6a0c67f8a39f110f65ecb7cd35111f5f975d0473eb697860317328d4
              • Opcode Fuzzy Hash: bc71f5b31d5a5d4c537f34e1b03775f0de1ed5794a0e4954b210cc6214472bbb
              • Instruction Fuzzy Hash: E6C04CF5800109DBDB05DB90D988EEE77BCAB04305F104056A545F2100D7749B488A71
              Function 00D3A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
              Download Yara Rule
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00D3A36A
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 2b1a936d28f4201732bbda0a3d992a8b40fb0e97b7213422f82fc06bcdb586bd
              • Instruction ID: 1d578d280639207fc67a52c9e02585db9caea57b4c00e4f0d503288301770427
              • Opcode Fuzzy Hash: 2b1a936d28f4201732bbda0a3d992a8b40fb0e97b7213422f82fc06bcdb586bd
              • Instruction Fuzzy Hash: CEA0123000020CE78A001B51EC044447F5CD6001907004021F40CC0121873254504590
              Function 00D28A0E Relevance: .6, Instructions: 608COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 85635bb4d5e446b3df05af81fe361ba77dbad51f199c5741986f20ba69c1c8ab
              • Instruction ID: 49dafa1bffb6dce48bfbb05e65ea648306a3474d92b3e981544e2b0a8a5bcb9b
              • Opcode Fuzzy Hash: 85635bb4d5e446b3df05af81fe361ba77dbad51f199c5741986f20ba69c1c8ab
              • Instruction Fuzzy Hash: 32221630A06626CBDF288B68F49467D77A1EF51308F6C446AD8828B695DB34DDC1FB70
              Function 00D32405 Relevance: .3, Instructions: 345COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: ba423c0068529bcb83ee5feb135247e098c69767ade374147f909cc86060286a
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: A1C18F376051930ADB2D863A943503EBBE15EA27B1B1E076DE8B3CB5D4EF20D524E630
              Function 00D3283A Relevance: .3, Instructions: 341COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: 81b90f149e043d167e3f3d9593e5c1bedc9c515447869c54ddd24b622c850f3d
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: F7C19F376091A30ADB2D463A943413EFBE15EA27B1B1E176DE4B2DB5C4EF20D524E630
              Function 00D31BB8 Relevance: .3, Instructions: 323COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: 12d37ab51b713ed1d96e9f42fe1d0e298a1448027c50ee63d2af1bd402b6aea2
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: 35C16E3B20919309DF6D463A943403EBBE15EA27B1B1E1B6DE8B2DB5D4EF20D5249630
              Function 00D87B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON
              Download Yara Rule
              APIs
              • DeleteObject.GDI32(00000000), ref: 00D87B70
              • DeleteObject.GDI32(00000000), ref: 00D87B82
              • DestroyWindow.USER32 ref: 00D87B90
              • GetDesktopWindow.USER32 ref: 00D87BAA
              • GetWindowRect.USER32(00000000), ref: 00D87BB1
              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00D87CF2
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00D87D02
              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D87D4A
              • GetClientRect.USER32(00000000,?), ref: 00D87D56
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D87D90
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D87DB2
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D87DC5
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D87DD0
              • GlobalLock.KERNEL32(00000000), ref: 00D87DD9
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D87DE8
              • GlobalUnlock.KERNEL32(00000000), ref: 00D87DF1
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D87DF8
              • GlobalFree.KERNEL32(00000000), ref: 00D87E03
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D87E15
              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00DA2CAC,00000000), ref: 00D87E2B
              • GlobalFree.KERNEL32(00000000), ref: 00D87E3B
              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00D87E61
              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00D87E80
              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D87EA2
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D8808F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-2373415609
              • Opcode ID: a3a911692da7475db59ba8d83f3a0884d757f360e8b8938fb879a93e2e7e3828
              • Instruction ID: 72b316f8b33922371c06371aa02218972be00a2457a4d3ed913fa1b07eee516d
              • Opcode Fuzzy Hash: a3a911692da7475db59ba8d83f3a0884d757f360e8b8938fb879a93e2e7e3828
              • Instruction Fuzzy Hash: CD025B71A00215AFDB14DFA4DC99EAEBBB9EB48310F148159F915EB2A1CB70ED41CB70
              Function 00D937F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
              Download Yara Rule
              APIs
              • CharUpperBuffW.USER32(?,?,00D9F910), ref: 00D938AF
              • IsWindowVisible.USER32(?), ref: 00D938D3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 4105515805-45149045
              • Opcode ID: f29d5b19a8cbcfc8579146bb6661bc55375bbbc7abc86c147c11d6df82b547e7
              • Instruction ID: d807337b92ebc777f59c3013a6e9d2f6a397222b14b5a9504a89cc1871ba606d
              • Opcode Fuzzy Hash: f29d5b19a8cbcfc8579146bb6661bc55375bbbc7abc86c147c11d6df82b547e7
              • Instruction Fuzzy Hash: 78D130302047069BCF14EF24D461A6ABBE9EF94354F14445DB8C65B7A2CB31EE4ACBB1
              Function 00D9A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON
              Download Yara Rule
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 00D9A89F
              • GetSysColorBrush.USER32(0000000F), ref: 00D9A8D0
              • GetSysColor.USER32(0000000F), ref: 00D9A8DC
              • SetBkColor.GDI32(?,000000FF), ref: 00D9A8F6
              • SelectObject.GDI32(?,?), ref: 00D9A905
              • InflateRect.USER32(?,000000FF,000000FF), ref: 00D9A930
              • GetSysColor.USER32(00000010), ref: 00D9A938
              • CreateSolidBrush.GDI32(00000000), ref: 00D9A93F
              • FrameRect.USER32(?,?,00000000), ref: 00D9A94E
              • DeleteObject.GDI32(00000000), ref: 00D9A955
              • InflateRect.USER32(?,000000FE,000000FE), ref: 00D9A9A0
              • FillRect.USER32(?,?,?), ref: 00D9A9D2
              • GetWindowLongW.USER32(?,000000F0), ref: 00D9A9FD
                • Part of subcall function 00D9AB60: GetSysColor.USER32(00000012), ref: 00D9AB99
                • Part of subcall function 00D9AB60: SetTextColor.GDI32(?,?), ref: 00D9AB9D
                • Part of subcall function 00D9AB60: GetSysColorBrush.USER32(0000000F), ref: 00D9ABB3
                • Part of subcall function 00D9AB60: GetSysColor.USER32(0000000F), ref: 00D9ABBE
                • Part of subcall function 00D9AB60: GetSysColor.USER32(00000011), ref: 00D9ABDB
                • Part of subcall function 00D9AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D9ABE9
                • Part of subcall function 00D9AB60: SelectObject.GDI32(?,00000000), ref: 00D9ABFA
                • Part of subcall function 00D9AB60: SetBkColor.GDI32(?,00000000), ref: 00D9AC03
                • Part of subcall function 00D9AB60: SelectObject.GDI32(?,?), ref: 00D9AC10
                • Part of subcall function 00D9AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00D9AC2F
                • Part of subcall function 00D9AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D9AC46
                • Part of subcall function 00D9AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00D9AC5B
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
              • String ID:
              • API String ID: 4124339563-0
              • Opcode ID: 8d6724ab89c09327e351b172eb8c989ba6325ba4e06e262a6ca760f3c43bf483
              • Instruction ID: 83b431aa5ccd75b4c3935aef2a9197836755788303a1476a354a8b71d7d57938
              • Opcode Fuzzy Hash: 8d6724ab89c09327e351b172eb8c989ba6325ba4e06e262a6ca760f3c43bf483
              • Instruction Fuzzy Hash: 08A17372008301FFDB109F68DC08A5B7BA9FF88321F154A2AF956D62E1D771D945CBA2
              Function 00D12C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON
              Download Yara Rule
              APIs
              • DestroyWindow.USER32(?,?,?), ref: 00D12CA2
              • DeleteObject.GDI32(00000000), ref: 00D12CE8
              • DeleteObject.GDI32(00000000), ref: 00D12CF3
              • DestroyIcon.USER32(00000000,?,?,?), ref: 00D12CFE
              • DestroyWindow.USER32(00000000,?,?,?), ref: 00D12D09
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00D4C68B
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D4C6C4
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D4CAED
                • Part of subcall function 00D11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D12036,?,00000000,?,?,?,?,00D116CB,00000000,?), ref: 00D11B9A
              • SendMessageW.USER32(?,00001053), ref: 00D4CB2A
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D4CB41
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D4CB57
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00D4CB62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0
              • API String ID: 464785882-4108050209
              • Opcode ID: f675354c4d1d741425c81a121483a7bb2254128078accc950630396a591a0f02
              • Instruction ID: 8db17f9d92bd591249b37de9acf5dec0179279ebd98087209801cb7430a11ae3
              • Opcode Fuzzy Hash: f675354c4d1d741425c81a121483a7bb2254128078accc950630396a591a0f02
              • Instruction Fuzzy Hash: 33129C30615201EFDB60CF24D885BA9BBE6FF04310F585569E985DB262DB32E891CFB1
              Function 00D877BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
              Download Yara Rule
              APIs
              • DestroyWindow.USER32(00000000), ref: 00D877F1
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D878B0
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00D878EE
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00D87900
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00D87946
              • GetClientRect.USER32(00000000,?), ref: 00D87952
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00D87996
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D879A5
              • GetStockObject.GDI32(00000011), ref: 00D879B5
              • SelectObject.GDI32(00000000,00000000), ref: 00D879B9
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00D879C9
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D879D2
              • DeleteDC.GDI32(00000000), ref: 00D879DB
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D87A07
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00D87A1E
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00D87A59
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D87A6D
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00D87A7E
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00D87AAE
              • GetStockObject.GDI32(00000011), ref: 00D87AB9
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D87AC4
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00D87ACE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              • Opcode ID: 07a9d4782040ced51fc96a042fdcf9436ba3f552f2c553d214e7ba14591ee228
              • Instruction ID: 7cb65666e2568ea13dcfaae6ea188fb51943698b328a815181557e2bb54dce80
              • Opcode Fuzzy Hash: 07a9d4782040ced51fc96a042fdcf9436ba3f552f2c553d214e7ba14591ee228
              • Instruction Fuzzy Hash: 2CA14D71A40215BFEB149BA4DC4AFAEBBB9EB44710F144116FA15E72E0DB70AD40CBB4
              Function 00D7AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON
              Download Yara Rule
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00D7AF89
              • GetDriveTypeW.KERNEL32(?,00D9FAC0,?,\\.\,00D9F910), ref: 00D7B066
              • SetErrorMode.KERNEL32(00000000,00D9FAC0,?,\\.\,00D9F910), ref: 00D7B1C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: cbe1006d41ce6fde9062a62c41169c84af5b4d244e93afcfc22e894cf5e97d46
              • Instruction ID: 085d22d7985fc844b6de6041b877f91d7ebdc89ce764fbfe6614aee1822ccd48
              • Opcode Fuzzy Hash: cbe1006d41ce6fde9062a62c41169c84af5b4d244e93afcfc22e894cf5e97d46
              • Instruction Fuzzy Hash: 2F51AF7068434AAF8B00DF14C9A6FADB3B1FB54365764C01BE84EA7690EB24DD458B72
              Function 00D16A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              • Opcode ID: c90639a3595d6dceaee6fc1f0e141a18e2c3f05aad8bed63aa5b06a0bdcc64bb
              • Instruction ID: a0be1eab480384b1b5b8038896b89b550ea9e0a5186d55831f0409b723c7593f
              • Opcode Fuzzy Hash: c90639a3595d6dceaee6fc1f0e141a18e2c3f05aad8bed63aa5b06a0bdcc64bb
              • Instruction Fuzzy Hash: 7A810670644215BBCB20AF64EE82FFB77A8FF15714F084025F945AA192EF60DA85C2B1
              Function 00D9AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON
              Download Yara Rule
              APIs
              • GetSysColor.USER32(00000012), ref: 00D9AB99
              • SetTextColor.GDI32(?,?), ref: 00D9AB9D
              • GetSysColorBrush.USER32(0000000F), ref: 00D9ABB3
              • GetSysColor.USER32(0000000F), ref: 00D9ABBE
              • CreateSolidBrush.GDI32(?), ref: 00D9ABC3
              • GetSysColor.USER32(00000011), ref: 00D9ABDB
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D9ABE9
              • SelectObject.GDI32(?,00000000), ref: 00D9ABFA
              • SetBkColor.GDI32(?,00000000), ref: 00D9AC03
              • SelectObject.GDI32(?,?), ref: 00D9AC10
              • InflateRect.USER32(?,000000FF,000000FF), ref: 00D9AC2F
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D9AC46
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00D9AC5B
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D9ACA7
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D9ACCE
              • InflateRect.USER32(?,000000FD,000000FD), ref: 00D9ACEC
              • DrawFocusRect.USER32(?,?), ref: 00D9ACF7
              • GetSysColor.USER32(00000011), ref: 00D9AD05
              • SetTextColor.GDI32(?,00000000), ref: 00D9AD0D
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00D9AD21
              • SelectObject.GDI32(?,00D9A869), ref: 00D9AD38
              • DeleteObject.GDI32(?), ref: 00D9AD43
              • SelectObject.GDI32(?,?), ref: 00D9AD49
              • DeleteObject.GDI32(?), ref: 00D9AD4E
              • SetTextColor.GDI32(?,?), ref: 00D9AD54
              • SetBkColor.GDI32(?,?), ref: 00D9AD5E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              • Opcode ID: 2298bc3e64023b7b21ed3fcb8ca766ff4d21b30599aa3344512a832c30fc6dec
              • Instruction ID: 2087665363b5ff412449ca7ca1425dc2382a44b58729744e88b572eb3d68268c
              • Opcode Fuzzy Hash: 2298bc3e64023b7b21ed3fcb8ca766ff4d21b30599aa3344512a832c30fc6dec
              • Instruction Fuzzy Hash: 82612D72900218EFDF119FA8DC48EAE7B79EF08320F254526F915EB2A1D6759D40DBA0
              Function 00D98C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D98D34
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D98D45
              • CharNextW.USER32(0000014E), ref: 00D98D74
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D98DB5
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D98DCB
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D98DDC
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00D98DF9
              • SetWindowTextW.USER32(?,0000014E), ref: 00D98E45
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00D98E5B
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D98E8C
              • _memset.LIBCMT ref: 00D98EB1
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00D98EFA
              • _memset.LIBCMT ref: 00D98F59
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D98F83
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00D98FDB
              • SendMessageW.USER32(?,0000133D,?,?), ref: 00D99088
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00D990AA
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D990F4
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D99121
              • DrawMenuBar.USER32(?), ref: 00D99130
              • SetWindowTextW.USER32(?,0000014E), ref: 00D99158
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0
              • API String ID: 1073566785-4108050209
              • Opcode ID: 8b8de8890ad093aa5638e0147b55d369b84a070f110ebfbbb1d5c10766d765c2
              • Instruction ID: bb223db9ea326cfe2fde1e6c28869bca5f726e0aea94deb8719883e20438c0f1
              • Opcode Fuzzy Hash: 8b8de8890ad093aa5638e0147b55d369b84a070f110ebfbbb1d5c10766d765c2
              • Instruction Fuzzy Hash: 24E15D70901319ABDF209F64CC84AEEBBB9FF16710F14815AF955AB290DB708A85DF70
              Function 00D94B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
              Download Yara Rule
              APIs
              • GetCursorPos.USER32(?), ref: 00D94C51
              • GetDesktopWindow.USER32 ref: 00D94C66
              • GetWindowRect.USER32(00000000), ref: 00D94C6D
              • GetWindowLongW.USER32(?,000000F0), ref: 00D94CCF
              • DestroyWindow.USER32(?), ref: 00D94CFB
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D94D24
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D94D42
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00D94D68
              • SendMessageW.USER32(?,00000421,?,?), ref: 00D94D7D
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00D94D90
              • IsWindowVisible.USER32(?), ref: 00D94DB0
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00D94DCB
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00D94DDF
              • GetWindowRect.USER32(?,?), ref: 00D94DF7
              • MonitorFromPoint.USER32(?,?,00000002), ref: 00D94E1D
              • GetMonitorInfoW.USER32(00000000,?), ref: 00D94E37
              • CopyRect.USER32(?,?), ref: 00D94E4E
              • SendMessageW.USER32(?,00000412,00000000), ref: 00D94EB9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: ba1c940fc4ec5fbf958e5dcc932e72ed84428ebbc3f128be6b6debdb7ca04066
              • Instruction ID: cb68ff901d5d41faee79ef38d3941639ded2a7dcafa8c281f4da445c70e265f3
              • Opcode Fuzzy Hash: ba1c940fc4ec5fbf958e5dcc932e72ed84428ebbc3f128be6b6debdb7ca04066
              • Instruction Fuzzy Hash: 57B16771608340AFDB04DF64D854F6ABBE4FF88314F04891DF5999B2A2DB70E845CBA1
              Function 00D746D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON
              Download Yara Rule
              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00D746E8
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00D7470E
              • _wcscpy.LIBCMT ref: 00D7473C
              • _wcscmp.LIBCMT ref: 00D74747
              • _wcscat.LIBCMT ref: 00D7475D
              • _wcsstr.LIBCMT ref: 00D74768
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00D74784
              • _wcscat.LIBCMT ref: 00D747CD
              • _wcscat.LIBCMT ref: 00D747D4
              • _wcsncpy.LIBCMT ref: 00D747FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              • Opcode ID: 111995c98539140d580fe741807ee4429b36cb3fc53a100afc792f5c796b0aac
              • Instruction ID: 3d80cdf3463b58df55cbc7d8fc25a6c763c9af441213350590868b9a03a64990
              • Opcode Fuzzy Hash: 111995c98539140d580fe741807ee4429b36cb3fc53a100afc792f5c796b0aac
              • Instruction Fuzzy Hash: FA412376A00215BBEB15BB648C43EBF77ACDF01710F04406AF908E7182FB75AA0196B9
              Function 00D127D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
              Download Yara Rule
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D128BC
              • GetSystemMetrics.USER32(00000007), ref: 00D128C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D128EF
              • GetSystemMetrics.USER32(00000008), ref: 00D128F7
              • GetSystemMetrics.USER32(00000004), ref: 00D1291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D12939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D12949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D1297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D12990
              • GetClientRect.USER32(00000000,000000FF), ref: 00D129AE
              • GetStockObject.GDI32(00000011), ref: 00D129CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D129D5
                • Part of subcall function 00D12344: GetCursorPos.USER32(?), ref: 00D12357
                • Part of subcall function 00D12344: ScreenToClient.USER32(00DD67B0,?), ref: 00D12374
                • Part of subcall function 00D12344: GetAsyncKeyState.USER32(00000001), ref: 00D12399
                • Part of subcall function 00D12344: GetAsyncKeyState.USER32(00000002), ref: 00D123A7
              • SetTimer.USER32(00000000,00000000,00000028,00D11256), ref: 00D129FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              • Opcode ID: a393854d7b98c73b6a305d666c98bfdb9194b112cc97b3ef7da6a3012c9ae6d3
              • Instruction ID: 682ffa2e29594665d5b31454ab4233131da54eb4aa0cb507ee4f0001c890cb4c
              • Opcode Fuzzy Hash: a393854d7b98c73b6a305d666c98bfdb9194b112cc97b3ef7da6a3012c9ae6d3
              • Instruction Fuzzy Hash: 69B13C7160120AAFDB14DFA8DC49BEE7BB5FB08714F14412AFA15E6290DB75E850CBB0
              Function 00D94069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON
              Download Yara Rule
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00D940F6
              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D941B6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
              • API String ID: 3974292440-719923060
              • Opcode ID: 20b02b652094ba7103bf72df6bb523c8daf87c2b335e4c2f87ed5b124e739d74
              • Instruction ID: c0fee0240d3b6b02d6b2a3d4466554a5b27d2875937dc8b8462c2a4b94c22e27
              • Opcode Fuzzy Hash: 20b02b652094ba7103bf72df6bb523c8daf87c2b335e4c2f87ed5b124e739d74
              • Instruction Fuzzy Hash: 8DA15E30254301ABCB14EF20D961E6AB7E9FF84314F14496DB8969B792DB30EC46CB71
              Function 00D852F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON
              Download Yara Rule
              APIs
              • LoadCursorW.USER32(00000000,00007F89), ref: 00D85309
              • LoadCursorW.USER32(00000000,00007F8A), ref: 00D85314
              • LoadCursorW.USER32(00000000,00007F00), ref: 00D8531F
              • LoadCursorW.USER32(00000000,00007F03), ref: 00D8532A
              • LoadCursorW.USER32(00000000,00007F8B), ref: 00D85335
              • LoadCursorW.USER32(00000000,00007F01), ref: 00D85340
              • LoadCursorW.USER32(00000000,00007F81), ref: 00D8534B
              • LoadCursorW.USER32(00000000,00007F88), ref: 00D85356
              • LoadCursorW.USER32(00000000,00007F80), ref: 00D85361
              • LoadCursorW.USER32(00000000,00007F86), ref: 00D8536C
              • LoadCursorW.USER32(00000000,00007F83), ref: 00D85377
              • LoadCursorW.USER32(00000000,00007F85), ref: 00D85382
              • LoadCursorW.USER32(00000000,00007F82), ref: 00D8538D
              • LoadCursorW.USER32(00000000,00007F84), ref: 00D85398
              • LoadCursorW.USER32(00000000,00007F04), ref: 00D853A3
              • LoadCursorW.USER32(00000000,00007F02), ref: 00D853AE
              • GetCursorInfo.USER32(?), ref: 00D853BE
              • GetLastError.KERNEL32(00000001,00000000), ref: 00D853E9
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Cursor$Load$ErrorInfoLast
              • String ID:
              • API String ID: 3215588206-0
              • Opcode ID: 18ebbc835543415abf05aafa172c3c7ccb7cdaa6d352a9729ce4fb44de0ac56d
              • Instruction ID: 17b11d8035f10a57dbf447eb7111432c739288b4cb849c5c360a3902da57da5e
              • Opcode Fuzzy Hash: 18ebbc835543415abf05aafa172c3c7ccb7cdaa6d352a9729ce4fb44de0ac56d
              • Instruction Fuzzy Hash: 8B416270E443196ADB10AFBA9C4996FFFF8EF51B50B10452FE509E7290DAB8A401CF61
              Function 00D6AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
              Download Yara Rule
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 00D6AAA5
              • __swprintf.LIBCMT ref: 00D6AB46
              • _wcscmp.LIBCMT ref: 00D6AB59
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D6ABAE
              • _wcscmp.LIBCMT ref: 00D6ABEA
              • GetClassNameW.USER32(?,?,00000400), ref: 00D6AC21
              • GetDlgCtrlID.USER32(?), ref: 00D6AC73
              • GetWindowRect.USER32(?,?), ref: 00D6ACA9
              • GetParent.USER32(?), ref: 00D6ACC7
              • ScreenToClient.USER32(00000000), ref: 00D6ACCE
              • GetClassNameW.USER32(?,?,00000100), ref: 00D6AD48
              • _wcscmp.LIBCMT ref: 00D6AD5C
              • GetWindowTextW.USER32(?,?,00000400), ref: 00D6AD82
              • _wcscmp.LIBCMT ref: 00D6AD96
                • Part of subcall function 00D3386C: _iswctype.LIBCMT ref: 00D33874
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              • Opcode ID: 412df1460d7a370a56f9fde3542317d2483e672a057d4c71501b303b6162a373
              • Instruction ID: a2f07e58300b3dce36eee738d819e502d79ac768bbd2b389ac86953c526bdf2a
              • Opcode Fuzzy Hash: 412df1460d7a370a56f9fde3542317d2483e672a057d4c71501b303b6162a373
              • Instruction Fuzzy Hash: C7A1AE71204306ABD714DF68C884BAAB7E8FF44355F144629F9D9E2190EB30E955CFB2
              Function 00D6B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON
              Download Yara Rule
              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 00D6B3DB
              • _wcscmp.LIBCMT ref: 00D6B3EC
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00D6B414
              • CharUpperBuffW.USER32(?,00000000), ref: 00D6B431
              • _wcscmp.LIBCMT ref: 00D6B44F
              • _wcsstr.LIBCMT ref: 00D6B460
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00D6B498
              • _wcscmp.LIBCMT ref: 00D6B4A8
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00D6B4CF
              • GetClassNameW.USER32(00000018,?,00000400), ref: 00D6B518
              • _wcscmp.LIBCMT ref: 00D6B528
              • GetClassNameW.USER32(00000010,?,00000400), ref: 00D6B550
              • GetWindowRect.USER32(00000004,?), ref: 00D6B5B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              • Opcode ID: c9453d4528e57cc7e0863123cddf2de3899690c6cfd54a4b0397abf1f419293b
              • Instruction ID: a13051285b3d4678fe09a04849d5d673793ce04b33b02fb01a577f1486d45bbf
              • Opcode Fuzzy Hash: c9453d4528e57cc7e0863123cddf2de3899690c6cfd54a4b0397abf1f419293b
              • Instruction Fuzzy Hash: 8781AD711083059BDB00DF14D885FAA7BE8EF44328F08856AFD86CA192DB30ED89CB71
              Function 00D6B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              • Opcode ID: 9ceb1dc0764a31f43fc7cca9b947fc3de0b36ec58f673597f98970ed8728e6a1
              • Instruction ID: 9761aee73125259f3af4f3bdff39e0eadfe3ba047fa666e5414844bda9dd4180
              • Opcode Fuzzy Hash: 9ceb1dc0764a31f43fc7cca9b947fc3de0b36ec58f673597f98970ed8728e6a1
              • Instruction Fuzzy Hash: 54316131684206FADB14FA60ED67FEEB7A4DF14760F60001AF441B20E5EF61AE88C675
              Function 00D6C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON
              Download Yara Rule
              APIs
              • LoadIconW.USER32(00000063), ref: 00D6C4D4
              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D6C4E6
              • SetWindowTextW.USER32(?,?), ref: 00D6C4FD
              • GetDlgItem.USER32(?,000003EA), ref: 00D6C512
              • SetWindowTextW.USER32(00000000,?), ref: 00D6C518
              • GetDlgItem.USER32(?,000003E9), ref: 00D6C528
              • SetWindowTextW.USER32(00000000,?), ref: 00D6C52E
              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D6C54F
              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D6C569
              • GetWindowRect.USER32(?,?), ref: 00D6C572
              • SetWindowTextW.USER32(?,?), ref: 00D6C5DD
              • GetDesktopWindow.USER32 ref: 00D6C5E3
              • GetWindowRect.USER32(00000000), ref: 00D6C5EA
              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00D6C636
              • GetClientRect.USER32(?,?), ref: 00D6C643
              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00D6C668
              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D6C693
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
              • String ID:
              • API String ID: 3869813825-0
              • Opcode ID: 13aa7be6739ba5662f4dbb92beab2c556dd445cc6a3577dbd99c223c3f9a6719
              • Instruction ID: 42726303c942d5d65d5dad5f4035f7bd259ee58fdc015bbae79dc5a6a631040d
              • Opcode Fuzzy Hash: 13aa7be6739ba5662f4dbb92beab2c556dd445cc6a3577dbd99c223c3f9a6719
              • Instruction Fuzzy Hash: D6516C71A00709AFDB20DFA8DD85B6EBBB5FF04705F104929E686E26A0C774F944CB60
              Function 00D9A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D9A4C8
              • DestroyWindow.USER32(?,?), ref: 00D9A542
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D9A5BC
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D9A5DE
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D9A5F1
              • DestroyWindow.USER32(00000000), ref: 00D9A613
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D10000,00000000), ref: 00D9A64A
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D9A663
              • GetDesktopWindow.USER32 ref: 00D9A67C
              • GetWindowRect.USER32(00000000), ref: 00D9A683
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D9A69B
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D9A6B3
                • Part of subcall function 00D125DB: GetWindowLongW.USER32(?,000000EB), ref: 00D125EC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$tooltips_class32
              • API String ID: 1297703922-3619404913
              • Opcode ID: 4234c37d43d4ac10acc0db477a27e2b78785e7a3f2a49166d83a12ca387e24b4
              • Instruction ID: abbfc640b50fc767ad9545542c48ea7c9630becf744398fa978e08414364ba32
              • Opcode Fuzzy Hash: 4234c37d43d4ac10acc0db477a27e2b78785e7a3f2a49166d83a12ca387e24b4
              • Instruction Fuzzy Hash: E7715A72144745AFDB20CF28C845FA677E5EB89304F08452EF985C72A0D771E945DBA2
              Function 00D9C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • DragQueryPoint.SHELL32(?,?), ref: 00D9C917
                • Part of subcall function 00D9ADF1: ClientToScreen.USER32(?,?), ref: 00D9AE1A
                • Part of subcall function 00D9ADF1: GetWindowRect.USER32(?,?), ref: 00D9AE90
                • Part of subcall function 00D9ADF1: PtInRect.USER32(?,?,00D9C304), ref: 00D9AEA0
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00D9C980
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D9C98B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D9C9AE
              • _wcscat.LIBCMT ref: 00D9C9DE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D9C9F5
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00D9CA0E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00D9CA25
              • SendMessageW.USER32(?,000000B1,?,?), ref: 00D9CA47
              • DragFinish.SHELL32(?), ref: 00D9CA4E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D9CB41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
              • API String ID: 169749273-3440237614
              • Opcode ID: 8119ef179dcb0d653159b7913edcdd70a98b08bc7ee52fd6886a048d8d932e1e
              • Instruction ID: 9e5139dc52e8d19ea8bc3825c029f5d1b46718ad26e0424bb26ccaff1bef8c1e
              • Opcode Fuzzy Hash: 8119ef179dcb0d653159b7913edcdd70a98b08bc7ee52fd6886a048d8d932e1e
              • Instruction Fuzzy Hash: 8C613A71108301AFC701EF64DC95D9BBBE9EF89710F000A2EF595972A1DB709A49CBB2
              Function 00D94619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
              Download Yara Rule
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00D946AB
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D946F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              • Opcode ID: eb7d706150d4a411b9b32cd6536dcd0b248ec4d8f9b290255a437e51331a941f
              • Instruction ID: cde64fa2269725007f1cce52e6db95ddd547f42ef6e7f1b12e6f73dc542c2efe
              • Opcode Fuzzy Hash: eb7d706150d4a411b9b32cd6536dcd0b248ec4d8f9b290255a437e51331a941f
              • Instruction Fuzzy Hash: 43914B74204301ABCB14EF20D461AAABBA5EF85354F04485DF8965B7A3CB31ED4ACBB1
              Function 00D9BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON
              Download Yara Rule
              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D9BB6E
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00D99431), ref: 00D9BBCA
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D9BC03
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D9BC46
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D9BC7D
              • FreeLibrary.KERNEL32(?), ref: 00D9BC89
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D9BC99
              • DestroyIcon.USER32(?,?,?,?,?,00D99431), ref: 00D9BCA8
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D9BCC5
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D9BCD1
                • Part of subcall function 00D3313D: __wcsicmp_l.LIBCMT ref: 00D331C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 1212759294-1154884017
              • Opcode ID: 18625f0e498251a31c9cc85559ceaaafdeadf970789fd42ab2e017564fc8f4bb
              • Instruction ID: 4a39bd087b9b773b97b2efeb16c027e1d75781efd475165e2943c739e5057af2
              • Opcode Fuzzy Hash: 18625f0e498251a31c9cc85559ceaaafdeadf970789fd42ab2e017564fc8f4bb
              • Instruction Fuzzy Hash: 7E61AC71A00619BAEF14DF74ED86FBE77A8EB08720F10411AF915D61D0DB74AA90CBB0
              Function 00D7A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              • CharLowerBuffW.USER32(?,?), ref: 00D7A636
              • GetDriveTypeW.KERNEL32 ref: 00D7A683
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D7A6CB
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D7A702
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D7A730
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              • Opcode ID: c1009336de560c14e5911bd255def7c1ecf71090220a3b87b02f3d8b5c832487
              • Instruction ID: 950b6c1f40ac1c686f5d94cf5eaf177fb3969313e8a9ad263827f99d6600b674
              • Opcode Fuzzy Hash: c1009336de560c14e5911bd255def7c1ecf71090220a3b87b02f3d8b5c832487
              • Instruction Fuzzy Hash: 0E516D71104705AFC700EF24D8919AAB7F5FF84718F04896DF89A97261DB31AE4ACB72
              Function 00D121A5 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 132COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D125DB: GetWindowLongW.USER32(?,000000EB), ref: 00D125EC
              • GetSysColor.USER32(0000000F), ref: 00D121D3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID: q0v
              • API String ID: 259745315-2993000639
              • Opcode ID: e4925888dd60ffb8d8b05a83466eca36945ab4c695874f255f5ef22034fed6cc
              • Instruction ID: d52774635153246b4b7c55629a800115b174ae8eca5a2e361a31f2633c3bd83f
              • Opcode Fuzzy Hash: e4925888dd60ffb8d8b05a83466eca36945ab4c695874f255f5ef22034fed6cc
              • Instruction Fuzzy Hash: 06418231100640ABDB255F28EC88BFD3765EB06331F584266FD65DA2E6CB328C92DB75
              Function 00D7A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON
              Download Yara Rule
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D7A47A
              • __swprintf.LIBCMT ref: 00D7A49C
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00D7A4D9
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D7A4FE
              • _memset.LIBCMT ref: 00D7A51D
              • _wcsncpy.LIBCMT ref: 00D7A559
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D7A58E
              • CloseHandle.KERNEL32(00000000), ref: 00D7A599
              • RemoveDirectoryW.KERNEL32(?), ref: 00D7A5A2
              • CloseHandle.KERNEL32(00000000), ref: 00D7A5AC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: dd073c474811f1b14ae4894ab3d58c2b2694c6da53660b3564e2b4009e7fffab
              • Instruction ID: 0ce324524b95f505f8b75bf24f5986c8de984cbcce4d2525dc671d2a37cb6f6b
              • Opcode Fuzzy Hash: dd073c474811f1b14ae4894ab3d58c2b2694c6da53660b3564e2b4009e7fffab
              • Instruction Fuzzy Hash: B2318EB6900219ABDB219FA4DC49FEF77BCEF88705F1441B6FA08D2160E67496448B35
              Function 00D9C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D9C4EC
              • GetFocus.USER32 ref: 00D9C4FC
              • GetDlgCtrlID.USER32(00000000), ref: 00D9C507
              • _memset.LIBCMT ref: 00D9C632
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D9C65D
              • GetMenuItemCount.USER32(?), ref: 00D9C67D
              • GetMenuItemID.USER32(?,00000000), ref: 00D9C690
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D9C6C4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D9C70C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D9C744
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00D9C779
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0
              • API String ID: 1296962147-4108050209
              • Opcode ID: c18448f13641f6fd2ee83be80e0793c2f723afa6454637ce2bd92d804fa6f165
              • Instruction ID: 0d159ce867e2287a5fbd752e5b2fc98746c74116ee725fa6f5c30339bc101870
              • Opcode Fuzzy Hash: c18448f13641f6fd2ee83be80e0793c2f723afa6454637ce2bd92d804fa6f165
              • Instruction Fuzzy Hash: 63818D70218341AFDB10CF54C984A6BBBE9FB88314F14592EF995D72A1D770E905CBB2
              Function 00D683F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D6874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D68766
                • Part of subcall function 00D6874A: GetLastError.KERNEL32(?,00D6822A,?,?,?), ref: 00D68770
                • Part of subcall function 00D6874A: GetProcessHeap.KERNEL32(00000008,?,?,00D6822A,?,?,?), ref: 00D6877F
                • Part of subcall function 00D6874A: HeapAlloc.KERNEL32(00000000,?,00D6822A,?,?,?), ref: 00D68786
                • Part of subcall function 00D6874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D6879D
                • Part of subcall function 00D687E7: GetProcessHeap.KERNEL32(00000008,00D68240,00000000,00000000,?,00D68240,?), ref: 00D687F3
                • Part of subcall function 00D687E7: HeapAlloc.KERNEL32(00000000,?,00D68240,?), ref: 00D687FA
                • Part of subcall function 00D687E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D68240,?), ref: 00D6880B
              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D68458
              • _memset.LIBCMT ref: 00D6846D
              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D6848C
              • GetLengthSid.ADVAPI32(?), ref: 00D6849D
              • GetAce.ADVAPI32(?,00000000,?), ref: 00D684DA
              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D684F6
              • GetLengthSid.ADVAPI32(?), ref: 00D68513
              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D68522
              • HeapAlloc.KERNEL32(00000000), ref: 00D68529
              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D6854A
              • CopySid.ADVAPI32(00000000), ref: 00D68551
              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D68582
              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D685A8
              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D685BC
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
              • String ID:
              • API String ID: 3996160137-0
              • Opcode ID: d2dfb46c7648046fb5979741f41780f97a34b78243ac2fe60e6e35fa5d23b5e9
              • Instruction ID: ded71a6658777796c9a4df74c10b3784d529f30e1b0205428a73273379df22c8
              • Opcode Fuzzy Hash: d2dfb46c7648046fb5979741f41780f97a34b78243ac2fe60e6e35fa5d23b5e9
              • Instruction Fuzzy Hash: B561177190020AABDF10DFA4DC45AAEBBB9FF04300F14826AE916E7291DB319A15DF70
              Function 00D8762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
              Download Yara Rule
              APIs
              • GetDC.USER32(00000000), ref: 00D876A2
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00D876AE
              • CreateCompatibleDC.GDI32(?), ref: 00D876BA
              • SelectObject.GDI32(00000000,?), ref: 00D876C7
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00D8771B
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00D87757
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00D8777B
              • SelectObject.GDI32(00000006,?), ref: 00D87783
              • DeleteObject.GDI32(?), ref: 00D8778C
              • DeleteDC.GDI32(00000006), ref: 00D87793
              • ReleaseDC.USER32(00000000,?), ref: 00D8779E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              • Opcode ID: a54bbea50db55adf2c3289528f7a1af66c817f9a296690610a78b17b2b3ae59d
              • Instruction ID: da18869a3a6ccbf1e1c3a25127d848ffc5101f8c6d63ea09f7ce5294a04cda97
              • Opcode Fuzzy Hash: a54bbea50db55adf2c3289528f7a1af66c817f9a296690610a78b17b2b3ae59d
              • Instruction Fuzzy Hash: 7E511875904309EFCB15DFA8DC85EAEBBB9EF48710F24852AE959D7210D631A940CB60
              Function 00D7A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON
              Download Yara Rule
              APIs
              • LoadStringW.USER32(00000066,?,00000FFF,00D9FB78), ref: 00D7A0FC
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
              • LoadStringW.USER32(?,?,00000FFF,?), ref: 00D7A11E
              • __swprintf.LIBCMT ref: 00D7A177
              • __swprintf.LIBCMT ref: 00D7A190
              • _wprintf.LIBCMT ref: 00D7A246
              • _wprintf.LIBCMT ref: 00D7A264
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: LoadString__swprintf_wprintf$_memmove
              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
              • API String ID: 311963372-2391861430
              • Opcode ID: 44cd2772c0a8c52ecae5e110c14596fd596af9f4d00d47179e18d81a3b1613e3
              • Instruction ID: 54cd9872d546bdc4323bb720acea894531cda6bd93865c69b09530916f52f64a
              • Opcode Fuzzy Hash: 44cd2772c0a8c52ecae5e110c14596fd596af9f4d00d47179e18d81a3b1613e3
              • Instruction Fuzzy Hash: A5513D7190020ABACF15EBE4ED46EEEB779EF14300F144165F505A21A2EB316F98DBB1
              Function 00D16BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D30B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00D16C6C,?,00008000), ref: 00D30BB7
                • Part of subcall function 00D148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D148A1,?,?,00D137C0,?), ref: 00D148CE
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D16D0D
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00D16E5A
                • Part of subcall function 00D159CD: _wcscpy.LIBCMT ref: 00D15A05
                • Part of subcall function 00D3387D: _iswctype.LIBCMT ref: 00D33885
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              • Opcode ID: d54dfe13cf7f4b972290e2e040299e894d8d7a893c9b1567e0978f6526acd33d
              • Instruction ID: 1e7bfd3111ef3f7248b9b260759bce48c52200cf92346ea101d8acfb6f287778
              • Opcode Fuzzy Hash: d54dfe13cf7f4b972290e2e040299e894d8d7a893c9b1567e0978f6526acd33d
              • Instruction Fuzzy Hash: 4A025971108341AFC724EF24E891AAEBBE5FF98354F04491DF486972A1DB30D989CB72
              Function 00D145DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D145F9
              • GetMenuItemCount.USER32(00DD6890), ref: 00D4D7CD
              • GetMenuItemCount.USER32(00DD6890), ref: 00D4D87D
              • GetCursorPos.USER32(?), ref: 00D4D8C1
              • SetForegroundWindow.USER32(00000000), ref: 00D4D8CA
              • TrackPopupMenuEx.USER32(00DD6890,00000000,?,00000000,00000000,00000000), ref: 00D4D8DD
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D4D8E9
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 2751501086-0
              • Opcode ID: 8db9ac98d5a2600ceaab16bf38581cb2b9b8dbb78f333db8f23cec2dbde21167
              • Instruction ID: 84589f507380b381d949399a5f9f6bf83cfb020da8064ec40400e9d83e671475
              • Opcode Fuzzy Hash: 8db9ac98d5a2600ceaab16bf38581cb2b9b8dbb78f333db8f23cec2dbde21167
              • Instruction Fuzzy Hash: A371F570600205BFEB209F54DC85FEABF65FF05368F244216F519A62E1CBB1A850DBB0
              Function 00D910A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON
              Download Yara Rule
              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D90038,?,?), ref: 00D910BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
              • API String ID: 3964851224-909552448
              • Opcode ID: 6b5a1773006efd68b782634f6c3f03aba3f2d861c6893fd26322344919670034
              • Instruction ID: 14d28af441433d12af3238a31406c4c20229a6e910711b75240e63c9dbdbf872
              • Opcode Fuzzy Hash: 6b5a1773006efd68b782634f6c3f03aba3f2d861c6893fd26322344919670034
              • Instruction Fuzzy Hash: 9E41383425034B9BCF10EF90E8A2AEB3768FF11350F544459EC916B692DB30E95ACB70
              Function 00D75569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
                • Part of subcall function 00D17A84: _memmove.LIBCMT ref: 00D17B0D
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D755D2
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D755E8
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D755F9
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D7560B
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D7561C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              • Opcode ID: ce035fc97668a7d3acebbe27e707dc2f3c391b09de17ff8ae256ba57e3b0359d
              • Instruction ID: 87a43442f4ce444a4a3b65c6fb29354e43285b99dfad2bdf581eac29f9714290
              • Opcode Fuzzy Hash: ce035fc97668a7d3acebbe27e707dc2f3c391b09de17ff8ae256ba57e3b0359d
              • Instruction Fuzzy Hash: 1E1182206501AE79D720B6E5EC5AEFFBB7CEF91B04F44046DB405A30D5EEA01D49C5B2
              Function 00D748F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              • Opcode ID: b57b76d977f4ab0159c1721ec4472c40cd3a27f72021ab0c49aaf20624e6fdb0
              • Instruction ID: 6ef75d36de8832d55618aa0ba968f976b0b24b2f72414772d3f2b59688f222e4
              • Opcode Fuzzy Hash: b57b76d977f4ab0159c1721ec4472c40cd3a27f72021ab0c49aaf20624e6fdb0
              • Instruction Fuzzy Hash: 1C11E432A04215AFCB25EB64EC4AEEB77BCDF01720F0441BAF548D6191FF709A818A71
              Function 00D75217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
              Download Yara Rule
              APIs
              • timeGetTime.WINMM ref: 00D7521C
                • Part of subcall function 00D30719: timeGetTime.WINMM(?,76BFB850,00D20FF9), ref: 00D3071D
              • Sleep.KERNEL32(0000000A), ref: 00D75248
              • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00D7526C
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D7528E
              • SetActiveWindow.USER32 ref: 00D752AD
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D752BB
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00D752DA
              • Sleep.KERNEL32(000000FA), ref: 00D752E5
              • IsWindow.USER32 ref: 00D752F1
              • EndDialog.USER32(00000000), ref: 00D75302
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: 07e3dcd7f8442db69559f2cc4a21afdf4ff52f6c5205eabfceeeaf4e12dbb82d
              • Instruction ID: 114af7b9044910015e148f5b75181f6d5e38cba495e66b4390ea9847c5285bd1
              • Opcode Fuzzy Hash: 07e3dcd7f8442db69559f2cc4a21afdf4ff52f6c5205eabfceeeaf4e12dbb82d
              • Instruction Fuzzy Hash: BE21C371205704AFE7005B70FC89B263B6AEB55386F44546AF409C23B9FBB19C109B77
              Function 00D7D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              • CoInitialize.OLE32(00000000), ref: 00D7D855
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D7D8E8
              • SHGetDesktopFolder.SHELL32(?), ref: 00D7D8FC
              • CoCreateInstance.OLE32(00DA2D7C,00000000,00000001,00DCA89C,?), ref: 00D7D948
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D7D9B7
              • CoTaskMemFree.OLE32(?,?), ref: 00D7DA0F
              • _memset.LIBCMT ref: 00D7DA4C
              • SHBrowseForFolderW.SHELL32(?), ref: 00D7DA88
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D7DAAB
              • CoTaskMemFree.OLE32(00000000), ref: 00D7DAB2
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00D7DAE9
              • CoUninitialize.OLE32(00000001,00000000), ref: 00D7DAEB
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: f12e1df79589af42dbf67ec3dee774b5ae4afe1e633f415cd4b758086a98aa86
              • Instruction ID: 1a41db424d2c931e333712dceb8e20f3a943790f60d201cb74e6f642ea3a0206
              • Opcode Fuzzy Hash: f12e1df79589af42dbf67ec3dee774b5ae4afe1e633f415cd4b758086a98aa86
              • Instruction Fuzzy Hash: E7B10C75A00209AFDB04DFA4D899DAEBBF9FF48304B148469F509EB261DB30ED45CB60
              Function 00D7052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON
              Download Yara Rule
              APIs
              • GetKeyboardState.USER32(?), ref: 00D705A7
              • SetKeyboardState.USER32(?), ref: 00D70612
              • GetAsyncKeyState.USER32(000000A0), ref: 00D70632
              • GetKeyState.USER32(000000A0), ref: 00D70649
              • GetAsyncKeyState.USER32(000000A1), ref: 00D70678
              • GetKeyState.USER32(000000A1), ref: 00D70689
              • GetAsyncKeyState.USER32(00000011), ref: 00D706B5
              • GetKeyState.USER32(00000011), ref: 00D706C3
              • GetAsyncKeyState.USER32(00000012), ref: 00D706EC
              • GetKeyState.USER32(00000012), ref: 00D706FA
              • GetAsyncKeyState.USER32(0000005B), ref: 00D70723
              • GetKeyState.USER32(0000005B), ref: 00D70731
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: 39a894d28e762fb428a0b88e8b9f6af9383f04cd7a191487fae061e397016f78
              • Instruction ID: 6b7a17efee4b4f2c5bb6b47a9c27dd05a937eb7ae03f8c8ca9897f607cdb9660
              • Opcode Fuzzy Hash: 39a894d28e762fb428a0b88e8b9f6af9383f04cd7a191487fae061e397016f78
              • Instruction Fuzzy Hash: 4051EC20A047846AFB34DBA488557EEBFB49F01340F4CC59ED5CA5A1C2FA549A4CCB71
              Function 00D6C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON
              Download Yara Rule
              APIs
              • GetDlgItem.USER32(?,00000001), ref: 00D6C746
              • GetWindowRect.USER32(00000000,?), ref: 00D6C758
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D6C7B6
              • GetDlgItem.USER32(?,00000002), ref: 00D6C7C1
              • GetWindowRect.USER32(00000000,?), ref: 00D6C7D3
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D6C827
              • GetDlgItem.USER32(?,000003E9), ref: 00D6C835
              • GetWindowRect.USER32(00000000,?), ref: 00D6C846
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D6C889
              • GetDlgItem.USER32(?,000003EA), ref: 00D6C897
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D6C8B4
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00D6C8C1
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: 0d02fddff5d483c06b0422f4f28e8f52692c1cd421dfa582136b73ce949a458d
              • Instruction ID: 94e7e7e3bd66563725431a00639ed4254db38e918520cb4a1280d7dc6be013a6
              • Opcode Fuzzy Hash: 0d02fddff5d483c06b0422f4f28e8f52692c1cd421dfa582136b73ce949a458d
              • Instruction Fuzzy Hash: 86512F71B10305AFDB18CFA9DD99AAEBBBAEB88311F14812DF515D7290D7709D40CB60
              Function 00D1201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D12036,?,00000000,?,?,?,?,00D116CB,00000000,?), ref: 00D11B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D120D3
              • KillTimer.USER32(-00000001,?,?,?,?,00D116CB,00000000,?,?,00D11AE2,?,?), ref: 00D1216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 00D4BEF6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D116CB,00000000,?,?,00D11AE2,?,?), ref: 00D4BF27
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D116CB,00000000,?,?,00D11AE2,?,?), ref: 00D4BF3E
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D116CB,00000000,?,?,00D11AE2,?,?), ref: 00D4BF5A
              • DeleteObject.GDI32(00000000), ref: 00D4BF6C
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID:
              • API String ID: 641708696-0
              • Opcode ID: c5874519c3f092eba971d6e78e5cc6eb90313f76557307a83141b0b398063c24
              • Instruction ID: 2350290e0155b499dde7145529b05ffd5de2e66625b9c1a8d50f2f6040d6c303
              • Opcode Fuzzy Hash: c5874519c3f092eba971d6e78e5cc6eb90313f76557307a83141b0b398063c24
              • Instruction Fuzzy Hash: 74615935101710EFCB259F14E948B79B7B1FF54312F18452AE18686AA0CB76E8E5EFB0
              Function 00D7AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON
              Download Yara Rule
              APIs
              • CharLowerBuffW.USER32(?,?,00D9F910), ref: 00D7AB76
              • GetDriveTypeW.KERNEL32(00000061,00DCA620,00000061), ref: 00D7AC40
              • _wcscpy.LIBCMT ref: 00D7AC6A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: fb81c2f1f78d4d5b796d2cb1591add7d00cf6d42769dffdb2a10474a94673301
              • Instruction ID: fff91492ce1482118556fc5474a014e4e7353ce0bdf4de504a18ce46bf8cec64
              • Opcode Fuzzy Hash: fb81c2f1f78d4d5b796d2cb1591add7d00cf6d42769dffdb2a10474a94673301
              • Instruction Fuzzy Hash: E5518131158305ABC710EF18D8A1AAFB7A5EF84304F54881DF49A972A2EB31DD49CB73
              Function 00D19997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              • Opcode ID: 188d2cc32011d741d4f66a64423ea6bb2796f763508a83cc7d51b5811b7b60ea
              • Instruction ID: 333ba746e98049b6479348e85806f2b9fb59dcedbb9f23af6bef847fe550c5e7
              • Opcode Fuzzy Hash: 188d2cc32011d741d4f66a64423ea6bb2796f763508a83cc7d51b5811b7b60ea
              • Instruction Fuzzy Hash: 5D418571604205BFDB249B38E852F7AB7E4EF44310F24446EE589D7295EE71D9428F31
              Function 00D973C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D973D9
              • CreateMenu.USER32 ref: 00D973F4
              • SetMenu.USER32(?,00000000), ref: 00D97403
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D97490
              • IsMenu.USER32(?), ref: 00D974A6
              • CreatePopupMenu.USER32 ref: 00D974B0
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D974DD
              • DrawMenuBar.USER32 ref: 00D974E5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F
              • API String ID: 176399719-3044882817
              • Opcode ID: 8527b1fb5906a65541afc14160c9f9b25c46c453457f8d3de638442ed89a83ea
              • Instruction ID: 515685e918dd3b2c5566013c7fd1a42ac767c9b7f7e7c3dbc4584411152f6bf5
              • Opcode Fuzzy Hash: 8527b1fb5906a65541afc14160c9f9b25c46c453457f8d3de638442ed89a83ea
              • Instruction Fuzzy Hash: AB412575A11309EFDF20DF64D884E9ABBB9FF49310F194029E955D7361DB31A910CBA0
              Function 00D9772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
              Download Yara Rule
              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D977CD
              • CreateCompatibleDC.GDI32(00000000), ref: 00D977D4
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D977E7
              • SelectObject.GDI32(00000000,00000000), ref: 00D977EF
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D977FA
              • DeleteDC.GDI32(00000000), ref: 00D97803
              • GetWindowLongW.USER32(?,000000EC), ref: 00D9780D
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00D97821
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D9782D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              • Opcode ID: a2304cb80467dd013db8a573009d1cfe82eb6dec1b04892be7a9715e11213167
              • Instruction ID: 9f7dc6376ff50d3c31d037ddaa5cd0a8df372f09121415847a6deb51dd9ac5c6
              • Opcode Fuzzy Hash: a2304cb80467dd013db8a573009d1cfe82eb6dec1b04892be7a9715e11213167
              • Instruction Fuzzy Hash: 7E314932115215BBDF129FA4DC09FEA3B69FF09361F150226FA15E62A0DB31D821DBB4
              Function 00D37040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D3707B
                • Part of subcall function 00D38D68: __getptd_noexit.LIBCMT ref: 00D38D68
              • __gmtime64_s.LIBCMT ref: 00D37114
              • __gmtime64_s.LIBCMT ref: 00D3714A
              • __gmtime64_s.LIBCMT ref: 00D37167
              • __allrem.LIBCMT ref: 00D371BD
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D371D9
              • __allrem.LIBCMT ref: 00D371F0
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D3720E
              • __allrem.LIBCMT ref: 00D37225
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D37243
              • __invoke_watson.LIBCMT ref: 00D372B4
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
              • Instruction ID: 82816ddbbd21175fd944175abc4fc4a7c43d03218c340bbf0fd740190725c601
              • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
              • Instruction Fuzzy Hash: 8671C8B6A04B16ABD7249F79CC82B5BB3B8FF15324F14422AF914E7681E770D94087B4
              Function 00D72A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D72A31
              • GetMenuItemInfoW.USER32(00DD6890,000000FF,00000000,00000030), ref: 00D72A92
              • SetMenuItemInfoW.USER32(00DD6890,00000004,00000000,00000030), ref: 00D72AC8
              • Sleep.KERNEL32(000001F4), ref: 00D72ADA
              • GetMenuItemCount.USER32(?), ref: 00D72B1E
              • GetMenuItemID.USER32(?,00000000), ref: 00D72B3A
              • GetMenuItemID.USER32(?,-00000001), ref: 00D72B64
              • GetMenuItemID.USER32(?,?), ref: 00D72BA9
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D72BEF
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D72C03
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D72C24
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: ebb32305d49163e1d9c4af409c049f0bf28d4f735f3319f4feabdc0d0b420ac8
              • Instruction ID: 3401c64ab4216df8118b1892e69ede6e6a0819c2364475f1667302a53600aa4a
              • Opcode Fuzzy Hash: ebb32305d49163e1d9c4af409c049f0bf28d4f735f3319f4feabdc0d0b420ac8
              • Instruction Fuzzy Hash: AF61A0B0900389AFDB21CF64CD88EBEBBB8EB55304F18855AE845D7251E731AE45DB31
              Function 00D97192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D97214
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D97217
              • GetWindowLongW.USER32(?,000000F0), ref: 00D9723B
              • _memset.LIBCMT ref: 00D9724C
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D9725E
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D972D6
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID:
              • API String ID: 830647256-0
              • Opcode ID: a287e45b94ac780e2c84a6cd0effb7772492b25e05a248e3f3734cfb35451da9
              • Instruction ID: f5f6799c8976f9ed0fa65c7ab4738ee2f1ba3dc8071e836ee97a7eb240d65f4c
              • Opcode Fuzzy Hash: a287e45b94ac780e2c84a6cd0effb7772492b25e05a248e3f3734cfb35451da9
              • Instruction Fuzzy Hash: 5F613975A00208AFDB10DFA4CC81EEE77B8EB09710F14416AFA15E73A1D774AD45DBA0
              Function 00D6710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON
              Download Yara Rule
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D67135
              • SafeArrayAllocData.OLEAUT32(?), ref: 00D6718E
              • VariantInit.OLEAUT32(?), ref: 00D671A0
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00D671C0
              • VariantCopy.OLEAUT32(?,?), ref: 00D67213
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00D67227
              • VariantClear.OLEAUT32(?), ref: 00D6723C
              • SafeArrayDestroyData.OLEAUT32(?), ref: 00D67249
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D67252
              • VariantClear.OLEAUT32(?), ref: 00D67264
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D6726F
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: f730d3f41c64659796a96bb2e06b93d81881c143dd26f9b4ea448ee756382bc8
              • Instruction ID: f287e56940c664b8c626ba8206c37ef5fe1bcecbce5e9b3adfd8b9408a6cb026
              • Opcode Fuzzy Hash: f730d3f41c64659796a96bb2e06b93d81881c143dd26f9b4ea448ee756382bc8
              • Instruction Fuzzy Hash: 20410C35A04219AFCB00DFA8D8549EEBBB9EF48354F00806AF955E7361DB34A945CBB0
              Function 00D85A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON
              Download Yara Rule
              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 00D85AA6
              • inet_addr.WSOCK32(?,?,?), ref: 00D85AEB
              • gethostbyname.WSOCK32(?), ref: 00D85AF7
              • IcmpCreateFile.IPHLPAPI ref: 00D85B05
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D85B75
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D85B8B
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00D85C00
              • WSACleanup.WSOCK32 ref: 00D85C06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: d483d881ba3c06ab7b50733352ad2d04bc7f141da1cde6b67bebe8b644700e25
              • Instruction ID: b1627038a0219d3edc55296d79160f49fa9e75383e7c58a93a5623d110588ba0
              • Opcode Fuzzy Hash: d483d881ba3c06ab7b50733352ad2d04bc7f141da1cde6b67bebe8b644700e25
              • Instruction Fuzzy Hash: A1518031604701AFD710AF64EC95B6ABBE4EF44710F18892AF599DB2A5DB70EC40CB71
              Function 00D7B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON
              Download Yara Rule
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00D7B73B
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D7B7B1
              • GetLastError.KERNEL32 ref: 00D7B7BB
              • SetErrorMode.KERNEL32(00000000,READY), ref: 00D7B828
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: c2d8cd44fa8f3ad3a8ab685185b46bd7246a8a5c3f22fac038285b8b37b5a36e
              • Instruction ID: 483405400b1cc7675f3912d83baa8a3998a5b375b7ce87909dbb44c73242d22e
              • Opcode Fuzzy Hash: c2d8cd44fa8f3ad3a8ab685185b46bd7246a8a5c3f22fac038285b8b37b5a36e
              • Instruction Fuzzy Hash: C8316235A00309AFDB14EF68D885BBEBBB8EF44714F14802BE509D7291EB719946C7B1
              Function 00D69471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D6B0E7
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D694F6
              • GetDlgCtrlID.USER32 ref: 00D69501
              • GetParent.USER32 ref: 00D6951D
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00D69520
              • GetDlgCtrlID.USER32(?), ref: 00D69529
              • GetParent.USER32(?), ref: 00D69545
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00D69548
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 07bf828d0f2bdd7c2370b6924f2c39e0c1773935814215918f2b4253a3b43c31
              • Instruction ID: 97a8cf7a099f99765797d2b7dd52a9fd52b98088fa96ec8e18db0a76742d9ddf
              • Opcode Fuzzy Hash: 07bf828d0f2bdd7c2370b6924f2c39e0c1773935814215918f2b4253a3b43c31
              • Instruction Fuzzy Hash: 6621C170A00204BBCF05AB64DC95EFEBB79EF49310F10016AB962D72E2DB759959DB30
              Function 00D6955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D6B0E7
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D695DF
              • GetDlgCtrlID.USER32 ref: 00D695EA
              • GetParent.USER32 ref: 00D69606
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00D69609
              • GetDlgCtrlID.USER32(?), ref: 00D69612
              • GetParent.USER32(?), ref: 00D6962E
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00D69631
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: e4c1487a588ecf1c73b04c79f8ee4e9acf464d59b04c28acda17c9f9cb00cac7
              • Instruction ID: 498d53da66147ca2c982f5fc867fc62720e1808d735cf7d47bc87de8ec395004
              • Opcode Fuzzy Hash: e4c1487a588ecf1c73b04c79f8ee4e9acf464d59b04c28acda17c9f9cb00cac7
              • Instruction Fuzzy Hash: 6921B075A00304BBDF01ABA0CC95EFEBB79EF49300F100056B962D72A2DB7599599B30
              Function 00D69645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON
              Download Yara Rule
              APIs
              • GetParent.USER32 ref: 00D69651
              • GetClassNameW.USER32(00000000,?,00000100), ref: 00D69666
              • _wcscmp.LIBCMT ref: 00D69678
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D696F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: 80f59b5dd12fdfca69d444a4b375a4ba2d82d72bbd2451c40c728223ad9bd9b6
              • Instruction ID: c5315e691210df5da78a287ddea1140d1d292880f2e60f0a65f22aa1b99985c9
              • Opcode Fuzzy Hash: 80f59b5dd12fdfca69d444a4b375a4ba2d82d72bbd2451c40c728223ad9bd9b6
              • Instruction Fuzzy Hash: BC110C76248307BFFA052660DC2BEA6F79CDB05770F20012BF900E60D1FEB1A9554A78
              Function 00D88BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
              Download Yara Rule
              APIs
              • VariantInit.OLEAUT32(?), ref: 00D88BEC
              • CoInitialize.OLE32(00000000), ref: 00D88C19
              • CoUninitialize.OLE32 ref: 00D88C23
              • GetRunningObjectTable.OLE32(00000000,?), ref: 00D88D23
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00D88E50
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00DA2C0C), ref: 00D88E84
              • CoGetObject.OLE32(?,00000000,00DA2C0C,?), ref: 00D88EA7
              • SetErrorMode.KERNEL32(00000000), ref: 00D88EBA
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D88F3A
              • VariantClear.OLEAUT32(?), ref: 00D88F4A
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID:
              • API String ID: 2395222682-0
              • Opcode ID: 4d66a56a7892921eefa28928a7a0f74adb6ffce68ce20fb23e3163a35af7b8cb
              • Instruction ID: 10c1064ffb72efcc939d3c35ba5782d9f0bdbf94bafd124cdff85816c32b2bb5
              • Opcode Fuzzy Hash: 4d66a56a7892921eefa28928a7a0f74adb6ffce68ce20fb23e3163a35af7b8cb
              • Instruction Fuzzy Hash: FCC121B1208305AFC700EF68C88492AB7E9FF89748F44496DF58ADB251DB71ED05CB62
              Function 00D74189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON
              Download Yara Rule
              APIs
              • __swprintf.LIBCMT ref: 00D7419D
              • __swprintf.LIBCMT ref: 00D741AA
                • Part of subcall function 00D338D8: __woutput_l.LIBCMT ref: 00D33931
              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00D741D4
              • LoadResource.KERNEL32(?,00000000), ref: 00D741E0
              • LockResource.KERNEL32(00000000), ref: 00D741ED
              • FindResourceW.KERNEL32(?,?,00000003), ref: 00D7420D
              • LoadResource.KERNEL32(?,00000000), ref: 00D7421F
              • SizeofResource.KERNEL32(?,00000000), ref: 00D7422E
              • LockResource.KERNEL32(?), ref: 00D7423A
              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00D7429B
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
              • String ID:
              • API String ID: 1433390588-0
              • Opcode ID: 68e47c580d7593448edb87c38fc7ecb54332ef3662043e0f40dcde7060ce6863
              • Instruction ID: ecbeb6d4b2cfbb409871837cf7713bae964e487049c0d0e563347c531c93b0f8
              • Opcode Fuzzy Hash: 68e47c580d7593448edb87c38fc7ecb54332ef3662043e0f40dcde7060ce6863
              • Instruction Fuzzy Hash: 2D31907160531AABDB129F60ED44EBF7BACEF04301F048526F909D6251E770DA618BB9
              Function 00D716DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON
              Download Yara Rule
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00D71700
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D70778,?,00000001), ref: 00D71714
              • GetWindowThreadProcessId.USER32(00000000), ref: 00D7171B
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D70778,?,00000001), ref: 00D7172A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D7173C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D70778,?,00000001), ref: 00D71755
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D70778,?,00000001), ref: 00D71767
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D70778,?,00000001), ref: 00D717AC
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00D70778,?,00000001), ref: 00D717C1
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00D70778,?,00000001), ref: 00D717CC
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: d2beb55ea12dec8083692037019c351ccbbdfb6981b1bd878b8a99d6fcf7774f
              • Instruction ID: ad1778afdfde278cd1294303afe36f57d657296d37a67112c11de89d0faf087e
              • Opcode Fuzzy Hash: d2beb55ea12dec8083692037019c351ccbbdfb6981b1bd878b8a99d6fcf7774f
              • Instruction Fuzzy Hash: 6831A979641304FBEB259F28EC88B693BADAF15711F248167F808D63A0E7B09D408B70
              Function 00D1FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
              Download Yara Rule
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D1FC06
              • OleUninitialize.OLE32(?,00000000), ref: 00D1FCA5
              • UnregisterHotKey.USER32(?), ref: 00D1FDFC
              • DestroyWindow.USER32(?), ref: 00D54A00
              • FreeLibrary.KERNEL32(?), ref: 00D54A65
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D54A92
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: 0b0931ce8f2adc1a4f16f2425e435f59ceff53728241ac615b5f22445d4ca5a7
              • Instruction ID: 3240d660aa94d457c5f3b9e08af7f4cefca223cec4e0c1d08466225329b515e1
              • Opcode Fuzzy Hash: 0b0931ce8f2adc1a4f16f2425e435f59ceff53728241ac615b5f22445d4ca5a7
              • Instruction Fuzzy Hash: 0AA16B30701212DFCB19EB14E494AA9F765EF04709F1842ADE80AAB251DF30ED96CFB5
              Function 00D6A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON
              Download Yara Rule
              APIs
              • EnumChildWindows.USER32(?,00D6AA64), ref: 00D6A9A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: 5dc03393283c0fab7d526f26287ab0688fec3646dfb39e1c3e1dce797ab774a3
              • Instruction ID: eb619705be7037d8f57cf182d56f229f0ae643b78c8fce3744904d5dd88925d7
              • Opcode Fuzzy Hash: 5dc03393283c0fab7d526f26287ab0688fec3646dfb39e1c3e1dce797ab774a3
              • Instruction Fuzzy Hash: D5917070600606ABDB08DF64D491BE9FBB4FF04344F54811AD8DAA7291DF30AA99DFB1
              Function 00D12E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
              Download Yara Rule
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00D12EAE
                • Part of subcall function 00D11DB3: GetClientRect.USER32(?,?), ref: 00D11DDC
                • Part of subcall function 00D11DB3: GetWindowRect.USER32(?,?), ref: 00D11E1D
                • Part of subcall function 00D11DB3: ScreenToClient.USER32(?,?), ref: 00D11E45
              • GetDC.USER32 ref: 00D4CF82
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D4CF95
              • SelectObject.GDI32(00000000,00000000), ref: 00D4CFA3
              • SelectObject.GDI32(00000000,00000000), ref: 00D4CFB8
              • ReleaseDC.USER32(?,00000000), ref: 00D4CFC0
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D4D04B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: 1fd9cfe657583e46989b5a67f659a7e56621fdb8d0a958cf895a49fba586b4c9
              • Instruction ID: a6a586900721fd258b4a0020635f3148003b76128b4cdf36d2bd71f43547ca1f
              • Opcode Fuzzy Hash: 1fd9cfe657583e46989b5a67f659a7e56621fdb8d0a958cf895a49fba586b4c9
              • Instruction Fuzzy Hash: 46717D30501205EFCF218F64D884AFA7BB6FF49350F18426AF9959A2A6CB319895DB70
              Function 00D9C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
                • Part of subcall function 00D12344: GetCursorPos.USER32(?), ref: 00D12357
                • Part of subcall function 00D12344: ScreenToClient.USER32(00DD67B0,?), ref: 00D12374
                • Part of subcall function 00D12344: GetAsyncKeyState.USER32(00000001), ref: 00D12399
                • Part of subcall function 00D12344: GetAsyncKeyState.USER32(00000002), ref: 00D123A7
              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00D9C2E4
              • ImageList_EndDrag.COMCTL32 ref: 00D9C2EA
              • ReleaseCapture.USER32 ref: 00D9C2F0
              • SetWindowTextW.USER32(?,00000000), ref: 00D9C39A
              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D9C3AD
              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00D9C48F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
              • String ID: @GUI_DRAGFILE$@GUI_DROPID
              • API String ID: 1924731296-2107944366
              • Opcode ID: e6d26d5e545d37527ce3f369a93aaefd1f66daef15d7d3d5413cc1b1d1ce4b75
              • Instruction ID: 69997c6f661e264896ba743e19fa87a419624803a6396b0df54b6bf135964ff4
              • Opcode Fuzzy Hash: e6d26d5e545d37527ce3f369a93aaefd1f66daef15d7d3d5413cc1b1d1ce4b75
              • Instruction Fuzzy Hash: C2516B70204305AFDB04DF24D896FAA7BE5EB88310F04452EF5958B2E1DB71E958DB72
              Function 00D88F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON
              Download Yara Rule
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D9F910), ref: 00D8903D
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D9F910), ref: 00D89071
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D891EB
              • SysFreeString.OLEAUT32(?), ref: 00D89215
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: 9d3c4a0abb0c6b711c3e530515a3afbc5f643ac6e86ea97797ad76131327ef5b
              • Instruction ID: fd824ef71ec97e853d827f220ebe29ff58df48b1550b40ee0ab76947adb8b674
              • Opcode Fuzzy Hash: 9d3c4a0abb0c6b711c3e530515a3afbc5f643ac6e86ea97797ad76131327ef5b
              • Instruction Fuzzy Hash: 09F11971A00209EFDB04EF94C898EBEB7B9FF49314F188059F555AB290DB31AE45CB60
              Function 00D8F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D8F9C9
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D8FB5C
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D8FB80
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D8FBC0
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D8FBE2
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D8FD5E
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00D8FD90
              • CloseHandle.KERNEL32(?), ref: 00D8FDBF
              • CloseHandle.KERNEL32(?), ref: 00D8FE36
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: eded9ab0c4a5266eaba70ff246aaef640b7113e5adb216ad75af773ed5b0b02c
              • Instruction ID: 3fc696670206161905a441839ad1784704d47acbbff4df1e564f11987a012242
              • Opcode Fuzzy Hash: eded9ab0c4a5266eaba70ff246aaef640b7113e5adb216ad75af773ed5b0b02c
              • Instruction Fuzzy Hash: 00E1A231604301DFCB14EF24D491A6ABBE1EF84354F18896DF8999B2A2DB31ED44CB72
              Function 00D74F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D738D3,?), ref: 00D748C7
                • Part of subcall function 00D748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D738D3,?), ref: 00D748E0
                • Part of subcall function 00D74CD3: GetFileAttributesW.KERNEL32(?,00D73947), ref: 00D74CD4
              • lstrcmpiW.KERNEL32(?,?), ref: 00D74FE2
              • _wcscmp.LIBCMT ref: 00D74FFC
              • MoveFileW.KERNEL32(?,?), ref: 00D75017
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: e450869c522c247b2834cc81016c53e7548fc5bc3952945106d9a3acfa41bcc4
              • Instruction ID: 6f361aab58013abd8d60ca7860d5a9ba40a27a054d16a94a8a1fadf00e2fe743
              • Opcode Fuzzy Hash: e450869c522c247b2834cc81016c53e7548fc5bc3952945106d9a3acfa41bcc4
              • Instruction Fuzzy Hash: F25183B25087849BC725EB60D8819DFB3ECEF85301F04492EF689D7152EF74A2888776
              Function 00D988B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON
              Download Yara Rule
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D9896E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: dee60fb74bd80524b1206486536edb3ab26b0f3d5d3bd1dd6945b72f0271b717
              • Instruction ID: 0e7dec928d0fd0ecd435d57371bed105eb484561093cbc67c9c64d445348abe5
              • Opcode Fuzzy Hash: dee60fb74bd80524b1206486536edb3ab26b0f3d5d3bd1dd6945b72f0271b717
              • Instruction Fuzzy Hash: 6051C430600308BFDF209F28DC85BA97B65FB06B60F644212F555E66A1DF71E990EBB1
              Function 00D12B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON
              Download Yara Rule
              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D4C547
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D4C569
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D4C581
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D4C59F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D4C5C0
              • DestroyIcon.USER32(00000000), ref: 00D4C5CF
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D4C5EC
              • DestroyIcon.USER32(?), ref: 00D4C5FB
                • Part of subcall function 00D9A71E: DeleteObject.GDI32(00000000), ref: 00D9A757
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
              • String ID:
              • API String ID: 2819616528-0
              • Opcode ID: 86148a83413b5044129cc34bbc9fdd1fa5535e7ff9948369d768c4e624032711
              • Instruction ID: 0684a5b18201090cbff8b21cb1842a99d3e27181b04449323d09e0f87ed1da8e
              • Opcode Fuzzy Hash: 86148a83413b5044129cc34bbc9fdd1fa5535e7ff9948369d768c4e624032711
              • Instruction Fuzzy Hash: 5D516674A11309AFDB20DF24EC45BAA3BB5EB48310F144529F942D72A0DB71EDA0DBB0
              Function 00D69B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D6AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D6AE77
                • Part of subcall function 00D6AE57: GetCurrentThreadId.KERNEL32 ref: 00D6AE7E
                • Part of subcall function 00D6AE57: AttachThreadInput.USER32(00000000,?,00D69B65,?,00000001), ref: 00D6AE85
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D69B70
              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D69B8D
              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00D69B90
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D69B99
              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D69BB7
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D69BBA
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D69BC3
              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D69BDA
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D69BDD
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
              • String ID:
              • API String ID: 2014098862-0
              • Opcode ID: 8227fd482b558a74d3a9bf183407fe66ff676341c850c78a68df9e88a080e5c1
              • Instruction ID: aa28ed8c15456bc4ee12fd2194b12079d576292670ccd5173c871c7922bbd914
              • Opcode Fuzzy Hash: 8227fd482b558a74d3a9bf183407fe66ff676341c850c78a68df9e88a080e5c1
              • Instruction Fuzzy Hash: D411E171650318BFF6106B64DC89F6A7B2DEB4C751F100426F284EB1A0C9F35C50DAB4
              Function 00D68E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON
              Download Yara Rule
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D68A84,00000B00,?,?), ref: 00D68E0C
              • HeapAlloc.KERNEL32(00000000,?,00D68A84,00000B00,?,?), ref: 00D68E13
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D68A84,00000B00,?,?), ref: 00D68E28
              • GetCurrentProcess.KERNEL32(?,00000000,?,00D68A84,00000B00,?,?), ref: 00D68E30
              • DuplicateHandle.KERNEL32(00000000,?,00D68A84,00000B00,?,?), ref: 00D68E33
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D68A84,00000B00,?,?), ref: 00D68E43
              • GetCurrentProcess.KERNEL32(00D68A84,00000000,?,00D68A84,00000B00,?,?), ref: 00D68E4B
              • DuplicateHandle.KERNEL32(00000000,?,00D68A84,00000B00,?,?), ref: 00D68E4E
              • CreateThread.KERNEL32(00000000,00000000,00D68E74,00000000,00000000,00000000), ref: 00D68E68
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: 3063002eadb9213885324177bea1f38720fec43b799234c218089914fb427da7
              • Instruction ID: a76b7a374d9dd788ae3f0d416e8e002ab208e812621211b84a7381ab585d1628
              • Opcode Fuzzy Hash: 3063002eadb9213885324177bea1f38720fec43b799234c218089914fb427da7
              • Instruction Fuzzy Hash: 7D01BBB5640308FFE710ABA5DC4DF6B3BACEB89711F104422FA05DB2A1CA719800CB74
              Function 00D89428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-625585964
              • Opcode ID: 093b4c7d82106f63c9749c3bd7884df77d6ea83983d588be4d3ba0f1e356e855
              • Instruction ID: ab83f710d8db1448e113aeae5ac95fd1393ddab44e7c507ad5d3d1d43440ddfb
              • Opcode Fuzzy Hash: 093b4c7d82106f63c9749c3bd7884df77d6ea83983d588be4d3ba0f1e356e855
              • Instruction Fuzzy Hash: 2D91CF70A00209AFCF20EFA5C865FAEB7B8EF85714F188159F545AB280D7709905CFB0
              Function 00D89A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D67652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?,?,?,00D6799D), ref: 00D6766F
                • Part of subcall function 00D67652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?,?), ref: 00D6768A
                • Part of subcall function 00D67652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?,?), ref: 00D67698
                • Part of subcall function 00D67652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?), ref: 00D676A8
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00D89B1B
              • _memset.LIBCMT ref: 00D89B28
              • _memset.LIBCMT ref: 00D89C6B
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00D89C97
              • CoTaskMemFree.OLE32(?), ref: 00D89CA2
              Strings
              • NULL Pointer assignment, xrefs: 00D89CF0
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: 773b3409024c6f655ed17b6e34d9211c658de430735f23cca53fa1cda9796fb6
              • Instruction ID: 83500e16354013296ea5b6e6c6564d5f592d86d9861475e0335e31e91577e506
              • Opcode Fuzzy Hash: 773b3409024c6f655ed17b6e34d9211c658de430735f23cca53fa1cda9796fb6
              • Instruction Fuzzy Hash: 07913971D00219EBDB10DFA4DC90AEEBBB9EF08310F24415AF419A7291DB71AA44CFB0
              Function 00D96FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D97093
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00D970A7
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D970C1
              • _wcscat.LIBCMT ref: 00D9711C
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00D97133
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D97161
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650
              • Opcode ID: 9d21125c78d9f6491394465c19707720170fdd61ed6870de2371a86f2bf9465a
              • Instruction ID: 08b15432d3f0996fa5a5d1d154c07ba4a535a4593982a0f608cdcb1034a218a5
              • Opcode Fuzzy Hash: 9d21125c78d9f6491394465c19707720170fdd61ed6870de2371a86f2bf9465a
              • Instruction Fuzzy Hash: 5C417171A14308AFDF219FA4CC85BEE77B8EF08350F14456AF588E7291D6729D848B70
              Function 00D8EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D73E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00D73EB6
                • Part of subcall function 00D73E91: Process32FirstW.KERNEL32(00000000,?), ref: 00D73EC4
                • Part of subcall function 00D73E91: CloseHandle.KERNEL32(00000000), ref: 00D73F8E
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D8ECB8
              • GetLastError.KERNEL32 ref: 00D8ECCB
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D8ECFA
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00D8ED77
              • GetLastError.KERNEL32(00000000), ref: 00D8ED82
              • CloseHandle.KERNEL32(00000000), ref: 00D8EDB7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: 034ed2a913c7a8d78691805077ab9be2d15e1568df12b36688fac42415ce5bcd
              • Instruction ID: 5e4e68171ed3da94df5994e9bc88c9ab0bf7d60e3789856016df5c03c17afdea
              • Opcode Fuzzy Hash: 034ed2a913c7a8d78691805077ab9be2d15e1568df12b36688fac42415ce5bcd
              • Instruction Fuzzy Hash: F0418B71240201AFDB14EF24CCA5F6DB7A5EF80714F188459F8869B2C2DB75A848CFB6
              Function 00D73226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
              Download Yara Rule
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 00D732C5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: bf5575fb07d4e40d9fbb5acae9a83ed2017f0e2b6832367f5ce4223393417fa3
              • Instruction ID: 9ea328d4ffc805308da8548342d297f2d56158712b15b9f66c0b5593b1fe116a
              • Opcode Fuzzy Hash: bf5575fb07d4e40d9fbb5acae9a83ed2017f0e2b6832367f5ce4223393417fa3
              • Instruction Fuzzy Hash: D111023124835ABEA7055B58DC42DAAB39CDF19374F20402EF908A6282F6A19B4066BD
              Function 00D74534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
              Download Yara Rule
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D7454E
              • LoadStringW.USER32(00000000), ref: 00D74555
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D7456B
              • LoadStringW.USER32(00000000), ref: 00D74572
              • _wprintf.LIBCMT ref: 00D74598
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D745B6
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 00D74593
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 87126db0389c3ce951526491941973d8a6120af639ec62c416ee7d125f470acd
              • Instruction ID: 0784de710ccfe1d7c685b424344c5e9d530540d262f489406af7f09dc8c93b1a
              • Opcode Fuzzy Hash: 87126db0389c3ce951526491941973d8a6120af639ec62c416ee7d125f470acd
              • Instruction Fuzzy Hash: 920162F3900308BFE711A7A4DD89EFB776CD708301F0005A6BB49E2151EA749E858B70
              Function 00D9D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • GetSystemMetrics.USER32(0000000F), ref: 00D9D78A
              • GetSystemMetrics.USER32(0000000F), ref: 00D9D7AA
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D9D9E5
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D9DA03
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D9DA24
              • ShowWindow.USER32(00000003,00000000), ref: 00D9DA43
              • InvalidateRect.USER32(?,00000000,00000001), ref: 00D9DA68
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00D9DA8B
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
              • String ID:
              • API String ID: 1211466189-0
              • Opcode ID: b377c73b77ffc4e418467a98dd4d7f2050a594b7efcc0be2b9cad96382593e89
              • Instruction ID: 71c7b2437caaee5b4878dbbfec1e3ad48e8c259af866d7e076f8912920c276be
              • Opcode Fuzzy Hash: b377c73b77ffc4e418467a98dd4d7f2050a594b7efcc0be2b9cad96382593e89
              • Instruction Fuzzy Hash: C6B16975600225EBDF14CF69C9857AD7BB2FF48701F08816AEC499B295D734A960CBA0
              Function 00D12A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
              Download Yara Rule
              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D4C417,00000004,00000000,00000000,00000000), ref: 00D12ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00D4C417,00000004,00000000,00000000,00000000,000000FF), ref: 00D12B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00D4C417,00000004,00000000,00000000,00000000), ref: 00D4C46A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D4C417,00000004,00000000,00000000,00000000), ref: 00D4C4D6
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 4ec85b249bed7436bca5c9835c60a624f9921bcf877be15c98019d35ce35d62f
              • Instruction ID: a3e7de19b9b1d1204b9a87f625dafd4a863436e51e67fd291a63fbc6de5e185d
              • Opcode Fuzzy Hash: 4ec85b249bed7436bca5c9835c60a624f9921bcf877be15c98019d35ce35d62f
              • Instruction Fuzzy Hash: 2441EB31219780BBC7754B28BD987FA7B95AF45310F1C841AE08BC6660DE76E8D1D730
              Function 00D77368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
              Download Yara Rule
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00D7737F
                • Part of subcall function 00D30FF6: std::exception::exception.LIBCMT ref: 00D3102C
                • Part of subcall function 00D30FF6: __CxxThrowException@8.LIBCMT ref: 00D31041
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00D773B6
              • EnterCriticalSection.KERNEL32(?), ref: 00D773D2
              • _memmove.LIBCMT ref: 00D77420
              • _memmove.LIBCMT ref: 00D7743D
              • LeaveCriticalSection.KERNEL32(?), ref: 00D7744C
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00D77461
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00D77480
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              • Opcode ID: 5ab0ec1732d6a67553436588ae54ac06bab0dd33c42da2a604a8dccd96428975
              • Instruction ID: 79af3d0419ffc5a97e6fae404e90de8ad30b77d5e45c18baf202f8d048a8b3dd
              • Opcode Fuzzy Hash: 5ab0ec1732d6a67553436588ae54ac06bab0dd33c42da2a604a8dccd96428975
              • Instruction Fuzzy Hash: F0318D36904206EBCF10DF64DD85AAEBBB8EF44710F1481A6F904EB256DB30DA10CBB4
              Function 00D96442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
              Download Yara Rule
              APIs
              • DeleteObject.GDI32(00000000), ref: 00D9645A
              • GetDC.USER32(00000000), ref: 00D96462
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D9646D
              • ReleaseDC.USER32(00000000,00000000), ref: 00D96479
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D964B5
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D964C6
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D99299,?,?,000000FF,00000000,?,000000FF,?), ref: 00D96500
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D96520
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: c77b4a89872a8959b31a4a37d849ecea137a66775c15474ab0778b5a4e2b3b9b
              • Instruction ID: cade9e95b1ebd7a2afd47339ab66b6509554a09f7f96d7bd2141a9be21c79393
              • Opcode Fuzzy Hash: c77b4a89872a8959b31a4a37d849ecea137a66775c15474ab0778b5a4e2b3b9b
              • Instruction Fuzzy Hash: 12316B72201214BFEF118F50DC8AFEA3FA9EF09761F094066FE08DA295D6759851CB74
              Function 00D6C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 2b898d35ac5de94a221a3ce3b267a38593bd76d02ade6727a3b174ac7cc24462
              • Instruction ID: 6c675b2e835166318aceedfe8a3740bdb5ca9a7e55211a996b639c7f3336a8f8
              • Opcode Fuzzy Hash: 2b898d35ac5de94a221a3ce3b267a38593bd76d02ade6727a3b174ac7cc24462
              • Instruction Fuzzy Hash: E121D1B5650206BBD710B6268C43FBB339CEF223A4F082020FD8A96283E755DE1582F5
              Function 00D7ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
                • Part of subcall function 00D2FEC6: _wcscpy.LIBCMT ref: 00D2FEE9
              • _wcstok.LIBCMT ref: 00D7EEFF
              • _wcscpy.LIBCMT ref: 00D7EF8E
              • _memset.LIBCMT ref: 00D7EFC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: 0c488020756d9a1168a68a5e72f937dcead9fd3d8b8c0611c0d5ed01b7ba802d
              • Instruction ID: fd544b4f449a5442ab823d159f9d54e68d27b0dd8f4f01f151bbdf6d0bb0fe68
              • Opcode Fuzzy Hash: 0c488020756d9a1168a68a5e72f937dcead9fd3d8b8c0611c0d5ed01b7ba802d
              • Instruction Fuzzy Hash: EDC14371508301AFC724EF24D895A9AB7E5EF84310F04896DF899972A2DF30ED45CBB2
              Function 00D86E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON
              Download Yara Rule
              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D86F14
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D86F35
              • WSAGetLastError.WSOCK32(00000000), ref: 00D86F48
              • htons.WSOCK32(?,?,?,00000000,?), ref: 00D86FFE
              • inet_ntoa.WSOCK32(?), ref: 00D86FBB
                • Part of subcall function 00D6AE14: _strlen.LIBCMT ref: 00D6AE1E
                • Part of subcall function 00D6AE14: _memmove.LIBCMT ref: 00D6AE40
              • _strlen.LIBCMT ref: 00D87058
              • _memmove.LIBCMT ref: 00D870C1
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              • Opcode ID: 455801b76eb6ba6d91bd672df201ea6c4094c8c278ad081d120129bfe5e42d11
              • Instruction ID: 0cfc1ce68037eb0429d7cecb8e2ec946cbc4e496d1eb15c42870c7bdaabb5578
              • Opcode Fuzzy Hash: 455801b76eb6ba6d91bd672df201ea6c4094c8c278ad081d120129bfe5e42d11
              • Instruction Fuzzy Hash: 3181FF71508300BBC710EB24DC91EAFB7A9EF84714F148919F5559B2A2DE71ED44CBB2
              Function 00D11424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a5d2ddea763e8218ee08192d4684e5bde5a735e99b6d87df35df5533ccef8b2e
              • Instruction ID: c010210e63daed914640eb4a2d1f258b0bac84dd8d72321393d5799a4d3e8171
              • Opcode Fuzzy Hash: a5d2ddea763e8218ee08192d4684e5bde5a735e99b6d87df35df5533ccef8b2e
              • Instruction Fuzzy Hash: 0C714B34904109FFDB048F98D845AFEBB79FF85320F148159FA15AA251CB34AA91CFB4
              Function 00D9B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON
              Download Yara Rule
              APIs
              • IsWindow.USER32(017B5BB8), ref: 00D9B6A5
              • IsWindowEnabled.USER32(017B5BB8), ref: 00D9B6B1
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00D9B795
              • SendMessageW.USER32(017B5BB8,000000B0,?,?), ref: 00D9B7CC
              • IsDlgButtonChecked.USER32(?,?), ref: 00D9B809
              • GetWindowLongW.USER32(017B5BB8,000000EC), ref: 00D9B82B
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D9B843
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID:
              • API String ID: 4072528602-0
              • Opcode ID: c4bedb065ae50a358d4dbc1f8096e1748c39a60c6250d2ec422ef2cf8d597465
              • Instruction ID: 01e3916a1fff59fb040b44e9d4bcf62d7494044bf6eb1f1443def86ebff7f794
              • Opcode Fuzzy Hash: c4bedb065ae50a358d4dbc1f8096e1748c39a60c6250d2ec422ef2cf8d597465
              • Instruction Fuzzy Hash: 4E718E34600304AFDF209FA4D9D4FAA7BB9EF49320F1A456BE945973A1C731A951CB70
              Function 00D8F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D8F75C
              • _memset.LIBCMT ref: 00D8F825
              • ShellExecuteExW.SHELL32(?), ref: 00D8F86A
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
                • Part of subcall function 00D2FEC6: _wcscpy.LIBCMT ref: 00D2FEE9
              • GetProcessId.KERNEL32(00000000), ref: 00D8F8E1
              • CloseHandle.KERNEL32(00000000), ref: 00D8F910
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              • Opcode ID: d0ad3d6cd05a45da5ada53d6f99fcf8ff6327b5cb4558632e9dbbf7daa34703b
              • Instruction ID: 229a77fc7d8c3d2068e9a61b5b4f22c4736763316257e2cc5f00beb854d24341
              • Opcode Fuzzy Hash: d0ad3d6cd05a45da5ada53d6f99fcf8ff6327b5cb4558632e9dbbf7daa34703b
              • Instruction Fuzzy Hash: 4E616BB5A00619AFCB14EF64D5919AEBBF5FF48310F148469E846AB351CB30AD80CFB0
              Function 00D7145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON
              Download Yara Rule
              APIs
              • GetParent.USER32(?), ref: 00D7149C
              • GetKeyboardState.USER32(?), ref: 00D714B1
              • SetKeyboardState.USER32(?), ref: 00D71512
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00D71540
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00D7155F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00D715A5
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D715C8
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 5270093ffd8491768956a0660195abe35f852ff659f9c65373227d26ec65780a
              • Instruction ID: 8e864c5dfcac00297f9064547a2c89725e9796c28972bb1a44f38fd5b246d462
              • Opcode Fuzzy Hash: 5270093ffd8491768956a0660195abe35f852ff659f9c65373227d26ec65780a
              • Instruction Fuzzy Hash: 0A51D4A46047D53DFB36463C8C45BBA7FA96B46304F0CC689E5D9998C2E298DC88D770
              Function 00D71276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON
              Download Yara Rule
              APIs
              • GetParent.USER32(00000000), ref: 00D712B5
              • GetKeyboardState.USER32(?), ref: 00D712CA
              • SetKeyboardState.USER32(?), ref: 00D7132B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D71357
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D71374
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D713B8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D713D9
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 0565c65b498676f10852105229fb47dd0ef119ab39ecb0187a55806405747b69
              • Instruction ID: d3200f1830eaaf57c7de21a1aa444e947a071432a4f1e31b19dfdb907ebe64a1
              • Opcode Fuzzy Hash: 0565c65b498676f10852105229fb47dd0ef119ab39ecb0187a55806405747b69
              • Instruction Fuzzy Hash: 6351E4A45047D57DFB3687288C45B7ABFA99B06304F0CC689E1DC9A8C2E395EC98D770
              Function 00D7589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              • API String ID: 2945705084-0
              • Opcode ID: 1381384e7d122ec36965673484eac9709fbf0802cc22756f678fb7bf503d443e
              • Instruction ID: 739dcfc3f3f5a28ab8e24ad705f1b2ccd0c761f5cdf3cc69879f8a4c01c1952a
              • Opcode Fuzzy Hash: 1381384e7d122ec36965673484eac9709fbf0802cc22756f678fb7bf503d443e
              • Instruction Fuzzy Hash: 6F4172A9C20528B6CB10EBB898869DF73A8DF04310F508566F618F3121F734E755C7BA
              Function 00D738AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D748AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D738D3,?), ref: 00D748C7
                • Part of subcall function 00D748AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D738D3,?), ref: 00D748E0
              • lstrcmpiW.KERNEL32(?,?), ref: 00D738F3
              • _wcscmp.LIBCMT ref: 00D7390F
              • MoveFileW.KERNEL32(?,?), ref: 00D73927
              • _wcscat.LIBCMT ref: 00D7396F
              • SHFileOperationW.SHELL32(?), ref: 00D739DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              • API String ID: 1377345388-1173974218
              • Opcode ID: 261f77abb433bd1c06f9ab94990337782e8d9a9f23fa53f1ac6a1acb7faa27b9
              • Instruction ID: 4824a4750e5da59fc4ea91a7b6117a9fe4220f8c4acb075ed5780a0baaaf5cc9
              • Opcode Fuzzy Hash: 261f77abb433bd1c06f9ab94990337782e8d9a9f23fa53f1ac6a1acb7faa27b9
              • Instruction Fuzzy Hash: DF415F725093449AC756EF64D441AEBB7E8EF88340F44492EB589C3151FB74D788CB72
              Function 00D97500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D97519
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D975C0
              • IsMenu.USER32(?), ref: 00D975D8
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D97620
              • DrawMenuBar.USER32 ref: 00D97633
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0
              • API String ID: 3866635326-4108050209
              • Opcode ID: 8acf8275fd23c51dae6090239bab878f8abe3baf8a902d6a0bed9dc539257a11
              • Instruction ID: 01f03c46c7204951d66f2677d557b3729eb83178a1e0820458be7e0081115598
              • Opcode Fuzzy Hash: 8acf8275fd23c51dae6090239bab878f8abe3baf8a902d6a0bed9dc539257a11
              • Instruction Fuzzy Hash: 93411475A15609AFDF60DF58D884EAABBB8FB09310F08812AE95597390D730ED50CFA0
              Function 00D9122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON
              Download Yara Rule
              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00D9125C
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D91286
              • FreeLibrary.KERNEL32(00000000), ref: 00D9133D
                • Part of subcall function 00D9122D: RegCloseKey.ADVAPI32(?), ref: 00D912A3
                • Part of subcall function 00D9122D: FreeLibrary.KERNEL32(?), ref: 00D912F5
                • Part of subcall function 00D9122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00D91318
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00D912E0
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              • API String ID: 395352322-0
              • Opcode ID: 796dd752109012673b8f186573714fe6b19ad6ba99f34b2b7b0821618a95d0d4
              • Instruction ID: 3363e70348cd37c2930084e9639605841e05d1a88f4ac49ceda26e23cb68a653
              • Opcode Fuzzy Hash: 796dd752109012673b8f186573714fe6b19ad6ba99f34b2b7b0821618a95d0d4
              • Instruction Fuzzy Hash: 89310D75A0121ABFDF159F90DC89AFEB7BCEF08300F04016AE515E2251DA749E459AB4
              Function 00D9653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D9655B
              • GetWindowLongW.USER32(017B5BB8,000000F0), ref: 00D9658E
              • GetWindowLongW.USER32(017B5BB8,000000F0), ref: 00D965C3
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D965F5
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D9661F
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00D96630
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D9664A
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID:
              • API String ID: 2178440468-0
              • Opcode ID: de2f539c2c85c248fd2ec4abfa416bc1c48a8875e7bed3c3dcf9c8bc25c5deee
              • Instruction ID: c7cbf536947d81c8a5a4d4331e8be40765d8aaabd74f710df9aaed309d03b34e
              • Opcode Fuzzy Hash: de2f539c2c85c248fd2ec4abfa416bc1c48a8875e7bed3c3dcf9c8bc25c5deee
              • Instruction Fuzzy Hash: D131CE30605250AFDF218F68DC85F553BE1FB4A750F1A01A9F511CB2B6CB71E840DBA1
              Function 00D86486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D880A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D880CB
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D864D9
              • WSAGetLastError.WSOCK32(00000000), ref: 00D864E8
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D86521
              • connect.WSOCK32(00000000,?,00000010), ref: 00D8652A
              • WSAGetLastError.WSOCK32 ref: 00D86534
              • closesocket.WSOCK32(00000000), ref: 00D8655D
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D86576
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              • API String ID: 910771015-0
              • Opcode ID: 4fbf1567a60c820d7b1618bffd57c6f8780ba97f555179cbacfb111382d06c7e
              • Instruction ID: 74185245252f1e12fc8f6dd339be179d312b3ef9fb54e1d84e917e4aa545f227
              • Opcode Fuzzy Hash: 4fbf1567a60c820d7b1618bffd57c6f8780ba97f555179cbacfb111382d06c7e
              • Instruction Fuzzy Hash: 2031AF71600218ABDB10AF64DC95BBE7BA9EF44720F048069F945D7291DB74ED44CBB1
              Function 00D6E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON
              Download Yara Rule
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D6E0FA
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D6E120
              • SysAllocString.OLEAUT32(00000000), ref: 00D6E123
              • SysAllocString.OLEAUT32 ref: 00D6E144
              • SysFreeString.OLEAUT32 ref: 00D6E14D
              • StringFromGUID2.OLE32(?,?,00000028), ref: 00D6E167
              • SysAllocString.OLEAUT32(?), ref: 00D6E175
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              • API String ID: 3761583154-0
              • Opcode ID: 879cfdd9e43faaf952bdc01ded1214b1cf48711262b266efae2608e49e7ab44e
              • Instruction ID: d6ff75f9e227bca3fc4fb5e15d849a14a70aa72e3988092d45f2d4245f65f399
              • Opcode Fuzzy Hash: 879cfdd9e43faaf952bdc01ded1214b1cf48711262b266efae2608e49e7ab44e
              • Instruction Fuzzy Hash: 85218379604318AFDB109FA8DC88CAB77ECEB0A760B148136F955CB260DA74DC419B74
              Function 00D6FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              • API String ID: 1038674560-2734436370
              • Opcode ID: 3b1e6e06162e6c2b7d7263cb31bdda2fdac41f7043548ceca299c917c3822e5d
              • Instruction ID: e05d738e8cc04d9dea5286f7ee5ac939ca69d542f2b563199b2edb38c9f29eaf
              • Opcode Fuzzy Hash: 3b1e6e06162e6c2b7d7263cb31bdda2fdac41f7043548ceca299c917c3822e5d
              • Instruction Fuzzy Hash: 90213732204A51ABD234E728FD52EB773D8EF66340F184435F88687141EB51E981D2B1
              Function 00D9783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D11D73
                • Part of subcall function 00D11D35: GetStockObject.GDI32(00000011), ref: 00D11D87
                • Part of subcall function 00D11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D11D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D978A1
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D978AE
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D978B9
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D978C8
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D978D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              • API String ID: 1025951953-3636473452
              • Opcode ID: 7eb8c864829fc23413091406168d3a9a286ea6dc41ef066b727c270fdf4cbf65
              • Instruction ID: 703dbcc5c9ee217d1613afbf72f5007863f100ae5dc8e37e80c3b21e16c75099
              • Opcode Fuzzy Hash: 7eb8c864829fc23413091406168d3a9a286ea6dc41ef066b727c270fdf4cbf65
              • Instruction Fuzzy Hash: 051160B2550219BFEF159F64CC85EEB7F6DEF08768F014115BA04A6190CB72AC21DBB4
              Function 00D341C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00D34292,?), ref: 00D341E3
              • GetProcAddress.KERNEL32(00000000), ref: 00D341EA
              • EncodePointer.KERNEL32(00000000), ref: 00D341F6
              • DecodePointer.KERNEL32(00000001,00D34292,?), ref: 00D34213
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoInitialize$combase.dll
              • API String ID: 3489934621-340411864
              • Opcode ID: c114501e1c2d0a0ed27a726a680203a301860a023d02691ed6fd5c3a67e1b00c
              • Instruction ID: c088db07a3c74442f4d33eef55307631a526f55ca79d00be028fe3177242d48b
              • Opcode Fuzzy Hash: c114501e1c2d0a0ed27a726a680203a301860a023d02691ed6fd5c3a67e1b00c
              • Instruction Fuzzy Hash: E8E01AB5A91300AFEF205BB5EC09B143BA4BB21706F544426F451E52B0DBB950958F34
              Function 00D3429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00D341B8), ref: 00D342B8
              • GetProcAddress.KERNEL32(00000000), ref: 00D342BF
              • EncodePointer.KERNEL32(00000000), ref: 00D342CA
              • DecodePointer.KERNEL32(00D341B8), ref: 00D342E5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              • API String ID: 3489934621-2819208100
              • Opcode ID: b43ebcacb5f772da05515adc74b0a1789a987105a8f04d0ce63472ee10652678
              • Instruction ID: dc1163541108702dac06e861059094743f07db8c057d7b124e9c5dd075741d64
              • Opcode Fuzzy Hash: b43ebcacb5f772da05515adc74b0a1789a987105a8f04d0ce63472ee10652678
              • Instruction Fuzzy Hash: 67E0B67C582311AFEB109BA5EC0DB163BA4B725742F144036F011F12B0CBB89584CA78
              Function 00D7675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              • API String ID: 3253778849-0
              • Opcode ID: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
              • Instruction ID: 710cd92a9d79234a1f25c89c6c02123035c8156f6052322700ae2899f8175d17
              • Opcode Fuzzy Hash: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
              • Instruction Fuzzy Hash: 0A61AC3050465AABCF15EF20D8A2EFE77A4EF44308F048519F9595B192EF30E941CB71
              Function 00D9046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D90038,?,?), ref: 00D910BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D90548
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D90588
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00D905AB
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D905D4
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D90617
              • RegCloseKey.ADVAPI32(00000000), ref: 00D90624
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              • API String ID: 4046560759-0
              • Opcode ID: cdfcf0114b76e0501de5f0b35180ad5d0b81d8e57d7c6d33dd5c2a32cf5d878c
              • Instruction ID: b264aae6b54cf888bea42adf34176c7a142423a3e473d9f85db87d8987801cf4
              • Opcode Fuzzy Hash: cdfcf0114b76e0501de5f0b35180ad5d0b81d8e57d7c6d33dd5c2a32cf5d878c
              • Instruction Fuzzy Hash: 01513931208200AFCB14EB64E885EAEBBE9FF88714F04491DF595872A1DB31E945CB72
              Function 00D95A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
              Download Yara Rule
              APIs
              • GetMenu.USER32(?), ref: 00D95A82
              • GetMenuItemCount.USER32(00000000), ref: 00D95AB9
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D95AE1
              • GetMenuItemID.USER32(?,?), ref: 00D95B50
              • GetSubMenu.USER32(?,?), ref: 00D95B5E
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00D95BAF
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              • API String ID: 650687236-0
              • Opcode ID: 71ae7d9bca09e035b1e9ad3c1d632d0dcb8d8257ff64ce8fc43da5ba5319e61f
              • Instruction ID: 41e8ef6ce5d30dc9dffe75e822838fa99c0db9a38bc785f4d4b5a88291593608
              • Opcode Fuzzy Hash: 71ae7d9bca09e035b1e9ad3c1d632d0dcb8d8257ff64ce8fc43da5ba5319e61f
              • Instruction Fuzzy Hash: 8B519D31A00615EFCF11EFA4D851AAEB7B5EF48324F1440AAE845F7351CB30AE418BB0
              Function 00D6F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON
              Download Yara Rule
              APIs
              • VariantInit.OLEAUT32(?), ref: 00D6F3F7
              • VariantClear.OLEAUT32(00000013), ref: 00D6F469
              • VariantClear.OLEAUT32(00000000), ref: 00D6F4C4
              • _memmove.LIBCMT ref: 00D6F4EE
              • VariantClear.OLEAUT32(?), ref: 00D6F53B
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D6F569
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              • API String ID: 1101466143-0
              • Opcode ID: 814d34c481dc6033fea6db244bdcb34fbed9deddcdf0611dee91f8b2e9b43b09
              • Instruction ID: 448fb2ae1f52b71533fea08763c96b9efa384d4901a787af85a28d79437c89c5
              • Opcode Fuzzy Hash: 814d34c481dc6033fea6db244bdcb34fbed9deddcdf0611dee91f8b2e9b43b09
              • Instruction Fuzzy Hash: 7C5137B5A00209EFCB14CF58D884AAAB7F8FF4C354B15856AE959DB311E730E951CBA0
              Function 00D726F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D72747
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D72792
              • IsMenu.USER32(00000000), ref: 00D727B2
              • CreatePopupMenu.USER32 ref: 00D727E6
              • GetMenuItemCount.USER32(000000FF), ref: 00D72844
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00D72875
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: 8bdbf98a3d383e025535fcd7e317f9c0e8d4d7007960746d1f642b5ffe601595
              • Instruction ID: 202cea2fb84c1436eeb91e90df257bd4d3cb85ab767825a3084bf030eb115d91
              • Opcode Fuzzy Hash: 8bdbf98a3d383e025535fcd7e317f9c0e8d4d7007960746d1f642b5ffe601595
              • Instruction Fuzzy Hash: A7519F70A00385DBDF24CF68C988BBEBBF5EF44314F148269E4599B291E7718944CB72
              Function 00D11765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00D1179A
              • GetWindowRect.USER32(?,?), ref: 00D117FE
              • ScreenToClient.USER32(?,?), ref: 00D1181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D1182C
              • EndPaint.USER32(?,?), ref: 00D11876
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              • API String ID: 1827037458-0
              • Opcode ID: 2d8f7966cca194c16ec60754eb9c611b0e0972b1b4deb754506e8f478e300d4e
              • Instruction ID: 2ede5aa7bd3f4631f1340358bcac243f690da16fe292aebede6ec6ab79e452aa
              • Opcode Fuzzy Hash: 2d8f7966cca194c16ec60754eb9c611b0e0972b1b4deb754506e8f478e300d4e
              • Instruction Fuzzy Hash: A8419D74104301AFD710DF24D885BBA7BE8EB49724F14462AFA94C62A1CB71D885DB71
              Function 00D9B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON
              Download Yara Rule
              APIs
              • ShowWindow.USER32(00DD67B0,00000000,017B5BB8,?,?,00DD67B0,?,00D9B862,?,?), ref: 00D9B9CC
              • EnableWindow.USER32(00000000,00000000), ref: 00D9B9F0
              • ShowWindow.USER32(00DD67B0,00000000,017B5BB8,?,?,00DD67B0,?,00D9B862,?,?), ref: 00D9BA50
              • ShowWindow.USER32(00000000,00000004,?,00D9B862,?,?), ref: 00D9BA62
              • EnableWindow.USER32(00000000,00000001), ref: 00D9BA86
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00D9BAA9
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              • Opcode ID: 3a63ffb0db5c968f979e8af94d81f421fbe62d75445e7289748e7b3b283d436e
              • Instruction ID: 6c06a4a5425e87678ffa83a51b9764a7e715defd59661633c3b43cff04cea512
              • Opcode Fuzzy Hash: 3a63ffb0db5c968f979e8af94d81f421fbe62d75445e7289748e7b3b283d436e
              • Instruction Fuzzy Hash: DA414F30600641AFDF21CF58E689B957BE0FB05320F1D42BAEA48CF2A2C771A845CF61
              Function 00D873B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON
              Download Yara Rule
              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,00D85134,?,?,00000000,00000001), ref: 00D873BF
                • Part of subcall function 00D83C94: GetWindowRect.USER32(?,?), ref: 00D83CA7
              • GetDesktopWindow.USER32 ref: 00D873E9
              • GetWindowRect.USER32(00000000), ref: 00D873F0
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00D87422
                • Part of subcall function 00D754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D7555E
              • GetCursorPos.USER32(?), ref: 00D8744E
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D874AC
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: 42522518ed657bf7a77f34d2612a26618159c61ab385bb13c116474e49ab9ea5
              • Instruction ID: 0bb03c1d0fc88603f389f179f116f6e05ebab849435f353d20295ba093d7a8b5
              • Opcode Fuzzy Hash: 42522518ed657bf7a77f34d2612a26618159c61ab385bb13c116474e49ab9ea5
              • Instruction Fuzzy Hash: 0A31E472509305ABD720EF54D849F9BBBE9FF88314F10491AF588D7191D770E948CBA2
              Function 00D68D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D685F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D68608
                • Part of subcall function 00D685F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D68612
                • Part of subcall function 00D685F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D68621
                • Part of subcall function 00D685F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D68628
                • Part of subcall function 00D685F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D6863E
              • GetLengthSid.ADVAPI32(?,00000000,00D68977), ref: 00D68DAC
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D68DB8
              • HeapAlloc.KERNEL32(00000000), ref: 00D68DBF
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00D68DD8
              • GetProcessHeap.KERNEL32(00000000,00000000,00D68977), ref: 00D68DEC
              • HeapFree.KERNEL32(00000000), ref: 00D68DF3
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 3008561057-0
              • Opcode ID: f27474fae01c14e2bd611f542b9203ecbd4a422f0959b6b4abdb45b562d648a5
              • Instruction ID: 8399c3c57562bbac4770e16a0b299be0726c81d1a3a85daa757dded86657d834
              • Opcode Fuzzy Hash: f27474fae01c14e2bd611f542b9203ecbd4a422f0959b6b4abdb45b562d648a5
              • Instruction Fuzzy Hash: FC11BE71500705FFDB209FA4CC09BAE7BA9EF55315F14422AE885E7250DB369900EFB0
              Function 00D68AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
              Download Yara Rule
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D68B2A
              • OpenProcessToken.ADVAPI32(00000000), ref: 00D68B31
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D68B40
              • CloseHandle.KERNEL32(00000004), ref: 00D68B4B
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D68B7A
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00D68B8E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: b66eb191718cb2fc6d62c43c0a0fb9faa99c5ab9e80014dd2960bf29603ae44f
              • Instruction ID: 46d8a0367eb313d42200ecd40d1dc51f2d965bbc7374c1de0707161acf8d0230
              • Opcode Fuzzy Hash: b66eb191718cb2fc6d62c43c0a0fb9faa99c5ab9e80014dd2960bf29603ae44f
              • Instruction Fuzzy Hash: 591159B2500209ABDF118FA8ED49FDA7BA9EF08304F084165FE04E2160C7769D65AB70
              Function 00D9C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D1134D
                • Part of subcall function 00D112F3: SelectObject.GDI32(?,00000000), ref: 00D1135C
                • Part of subcall function 00D112F3: BeginPath.GDI32(?), ref: 00D11373
                • Part of subcall function 00D112F3: SelectObject.GDI32(?,00000000), ref: 00D1139C
              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00D9C1C4
              • LineTo.GDI32(00000000,00000003,?), ref: 00D9C1D8
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D9C1E6
              • LineTo.GDI32(00000000,00000000,?), ref: 00D9C1F6
              • EndPath.GDI32(00000000), ref: 00D9C206
              • StrokePath.GDI32(00000000), ref: 00D9C216
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
              • String ID:
              • API String ID: 43455801-0
              • Opcode ID: fe06b8737cab497e68d9c1b02255446b26339c02933ab3250e54911b58fdce45
              • Instruction ID: 58b2affe71cf30c41f6ebdb5c413badf36c5380fb943f7db0682542cb31d89da
              • Opcode Fuzzy Hash: fe06b8737cab497e68d9c1b02255446b26339c02933ab3250e54911b58fdce45
              • Instruction Fuzzy Hash: 9D11C97640024DBFDF119F94DC89FAA7FADEB08354F048022FA189A2A1D7719D55DBB0
              Function 00D303A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON
              Download Yara Rule
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D303D3
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00D303DB
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D303E6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D303F1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00D303F9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D30401
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: 65d1d0c1822191e92c95ffb60ed76c24c6ce237d5df252c82c69bb6cc985326a
              • Instruction ID: b2821412e434c88f2dcab959948f1e1e6bb16e7799cf658d3c4b9ba933d498b3
              • Opcode Fuzzy Hash: 65d1d0c1822191e92c95ffb60ed76c24c6ce237d5df252c82c69bb6cc985326a
              • Instruction Fuzzy Hash: 12016CB09017597DE3008F5A8C85B52FFB8FF19354F00411BA15C87A41C7F5A864CBE5
              Function 00D7568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON
              Download Yara Rule
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D7569B
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D756B1
              • GetWindowThreadProcessId.USER32(?,?), ref: 00D756C0
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D756CF
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D756D9
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D756E0
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: aa982ccaed5159de1808f440ed2f60668857b5017cbbb01fb1fd3b7a1e73def0
              • Instruction ID: 383ce2024ded34a35ee30cfe2ee4805ad6eec70b0d92384810bf01d02a095c9e
              • Opcode Fuzzy Hash: aa982ccaed5159de1808f440ed2f60668857b5017cbbb01fb1fd3b7a1e73def0
              • Instruction Fuzzy Hash: A8F03032241358BBE7215BA2EC0DEEF7B7CEFC6B11F00016AFA04D1150D7A11A0186B5
              Function 00D774D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00D774E5
              • EnterCriticalSection.KERNEL32(?,?,00D21044,?,?), ref: 00D774F6
              • TerminateThread.KERNEL32(00000000,000001F6,?,00D21044,?,?), ref: 00D77503
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D21044,?,?), ref: 00D77510
                • Part of subcall function 00D76ED7: CloseHandle.KERNEL32(00000000,?,00D7751D,?,00D21044,?,?), ref: 00D76EE1
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00D77523
              • LeaveCriticalSection.KERNEL32(?,?,00D21044,?,?), ref: 00D7752A
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 479bd058de596013897406196bfc3af47d7ef2e729882ae0a3f9c9162672d729
              • Instruction ID: a92d41e922fa43d944ba0d208f702720ce00b9f01180596f5a73216cef4e3fa8
              • Opcode Fuzzy Hash: 479bd058de596013897406196bfc3af47d7ef2e729882ae0a3f9c9162672d729
              • Instruction Fuzzy Hash: 7CF03A3A140712ABDB111B64EC88AEA772AEF45302B140933F242E11A0DB756811CBB4
              Function 00D68E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
              Download Yara Rule
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D68E7F
              • UnloadUserProfile.USERENV(?,?), ref: 00D68E8B
              • CloseHandle.KERNEL32(?), ref: 00D68E94
              • CloseHandle.KERNEL32(?), ref: 00D68E9C
              • GetProcessHeap.KERNEL32(00000000,?), ref: 00D68EA5
              • HeapFree.KERNEL32(00000000), ref: 00D68EAC
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 8db6a1a57a569807607febdac540b2f3ce79b0edc6ccfcfdf4044a41d03098ad
              • Instruction ID: 0420dbb56f23ca908cad4246bb037aba7109416f2cc69b243ed983586c2df73b
              • Opcode Fuzzy Hash: 8db6a1a57a569807607febdac540b2f3ce79b0edc6ccfcfdf4044a41d03098ad
              • Instruction Fuzzy Hash: 3FE0C236004201FBDA011FF1EC0C90ABB69FB99322B208232F219D1270CB32A421DBA0
              Function 00D88902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON
              Download Yara Rule
              APIs
              • VariantInit.OLEAUT32(?), ref: 00D88928
              • CharUpperBuffW.USER32(?,?), ref: 00D88A37
              • VariantClear.OLEAUT32(?), ref: 00D88BAF
                • Part of subcall function 00D77804: VariantInit.OLEAUT32(00000000), ref: 00D77844
                • Part of subcall function 00D77804: VariantCopy.OLEAUT32(00000000,?), ref: 00D7784D
                • Part of subcall function 00D77804: VariantClear.OLEAUT32(00000000), ref: 00D77859
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: 22925a8b9080c1fbc9e9b5c062e771a92aa774ac1ed810de482027bb0a185d66
              • Instruction ID: 33a5e7212feb8ba295363d8819bf2abea2822458b319498517d577eee9839ecf
              • Opcode Fuzzy Hash: 22925a8b9080c1fbc9e9b5c062e771a92aa774ac1ed810de482027bb0a185d66
              • Instruction Fuzzy Hash: 5C916D716083019FC710EF28D49596ABBE4EFC9714F04896EF89A8B361DB31E945CB72
              Function 00D72F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D2FEC6: _wcscpy.LIBCMT ref: 00D2FEE9
              • _memset.LIBCMT ref: 00D73077
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D730A6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D73159
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D73187
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0
              • API String ID: 4152858687-4108050209
              • Opcode ID: d2fb2377082fd2083dddecdb8ca2a3791f046d6f184f9a0d005641ca510549fc
              • Instruction ID: 3edd1c04d0d0d23cd2e77505c9041cd42f641e306c2703cdcd54a20f79a0fe5d
              • Opcode Fuzzy Hash: d2fb2377082fd2083dddecdb8ca2a3791f046d6f184f9a0d005641ca510549fc
              • Instruction Fuzzy Hash: 7C51C4716083419FD7159F28D84566BB7E4EF45320F488A2EF899D32D1EB70CE44A7B2
              Function 00D6DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON
              Download Yara Rule
              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D6DAC5
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D6DAFB
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D6DB0C
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D6DB8E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: DllGetClassObject
              • API String ID: 753597075-1075368562
              • Opcode ID: 76fec111b83f0fe48055374874a76ab5be219377fc665059ae049459128635fd
              • Instruction ID: b60721119f104267ffd1a3574f7161264e54c3d0c1084b0a35b56201a1122dea
              • Opcode Fuzzy Hash: 76fec111b83f0fe48055374874a76ab5be219377fc665059ae049459128635fd
              • Instruction Fuzzy Hash: 03417371A00308DFDB15CF59E884A9A7BBAEF89350F1580AAAD05DF209D7B1D944CBB0
              Function 00D72C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D72CAF
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D72CCB
              • DeleteMenu.USER32(?,00000007,00000000), ref: 00D72D11
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00DD6890,00000000), ref: 00D72D5A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              • Opcode ID: 002670298cc0fb714c084a8cce23de6ed36dda974d11b227a3c23c6048cb2aed
              • Instruction ID: 13643991e346f0726d9a9849aa049d9acae3b0e14d2008946c131a945baee88e
              • Opcode Fuzzy Hash: 002670298cc0fb714c084a8cce23de6ed36dda974d11b227a3c23c6048cb2aed
              • Instruction Fuzzy Hash: 644174712043819FD724DF24D845B6AB7E4EF85320F18865DF9A9D7291E770E904CBB2
              Function 00D8DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON
              Download Yara Rule
              APIs
              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D8DAD9
                • Part of subcall function 00D179AB: _memmove.LIBCMT ref: 00D179F9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharLower_memmove
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 3425801089-567219261
              • Opcode ID: 6173bd8526c38666378b17eb176183c49835189b4f1028f8747b076fc9c9a18b
              • Instruction ID: f673a37a7e241036df5256070f61b243707aeacef305b38afffdebebf0c2846b
              • Opcode Fuzzy Hash: 6173bd8526c38666378b17eb176183c49835189b4f1028f8747b076fc9c9a18b
              • Instruction Fuzzy Hash: 32316D7060061AABCF10EF54D8919EEB7B5FF45320B108A2AA865A76D1DB31A905CBB0
              Function 00D69372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D6B0E7
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D693F6
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D69409
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00D69439
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: ComboBox$ListBox
              • API String ID: 365058703-1403004172
              • Opcode ID: 48c59ce3c62711a1d0520973f4c3c7bdc40b67abb720e4e1547e33d1657e2389
              • Instruction ID: be00a141e0488db72c29de9ff925e1af6005a0a36966353cc1adde632a94cf07
              • Opcode Fuzzy Hash: 48c59ce3c62711a1d0520973f4c3c7bdc40b67abb720e4e1547e33d1657e2389
              • Instruction Fuzzy Hash: 5B21D271A40204BFDB14ABA0EC95DFFB77CDF45360B14411AB825972E1DF35594A9630
              Function 00D96656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D11D73
                • Part of subcall function 00D11D35: GetStockObject.GDI32(00000011), ref: 00D11D87
                • Part of subcall function 00D11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D11D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D966D0
              • LoadLibraryW.KERNEL32(?), ref: 00D966D7
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D966EC
              • DestroyWindow.USER32(?), ref: 00D966F4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              • Opcode ID: ee69f92cec6f9c6e66bacacd42f2e3c306ba51de13ae2a3f1081c406feaff9da
              • Instruction ID: 70bf60408b9d0432e0fbad9018489c290cf1c7807279360b7d6cb6350fe11065
              • Opcode Fuzzy Hash: ee69f92cec6f9c6e66bacacd42f2e3c306ba51de13ae2a3f1081c406feaff9da
              • Instruction Fuzzy Hash: E9215871200206ABEF104FA4EC81EAB77ADEF59368F14462AFA51E21A0D771DC919770
              Function 00D7703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
              Download Yara Rule
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 00D7705E
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D77091
              • GetStdHandle.KERNEL32(0000000C), ref: 00D770A3
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00D770DD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: e1f381cd78d68b22969d47f7c4d82a2440c7af24e62f84debd355436ce82bd79
              • Instruction ID: 6e0ffb09063b6a7b89f445994217d8f9ea42d0b01a6a44e0bb823b62574968fa
              • Opcode Fuzzy Hash: e1f381cd78d68b22969d47f7c4d82a2440c7af24e62f84debd355436ce82bd79
              • Instruction Fuzzy Hash: 3D214F74604309ABDF209F38DC05A9A77B8FF44720F248A1AF8A9D72D0F77198508B70
              Function 00D7710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
              Download Yara Rule
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00D7712B
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D7715D
              • GetStdHandle.KERNEL32(000000F6), ref: 00D7716E
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00D771A8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              • Opcode ID: 91c669c906ffa6ad5e441c67ac2ea2956c28f31b52411e34e642e432dd23adea
              • Instruction ID: 6e2ff4ca6248e191a17ecda7265619e6943f7f4f332ed9344df0b6270c431eb0
              • Opcode Fuzzy Hash: 91c669c906ffa6ad5e441c67ac2ea2956c28f31b52411e34e642e432dd23adea
              • Instruction Fuzzy Hash: BE21A1756047059BDF209F689C04AAAB7A8AF55720F648A1AFCA8D32D0F7709841CB74
              Function 00D7AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON
              Download Yara Rule
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 00D7AEBF
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D7AF13
              • __swprintf.LIBCMT ref: 00D7AF2C
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00D9F910), ref: 00D7AF6A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              • Opcode ID: f62e93e0c9653cfdff4efedd5b28407576af67e9d09d42bc4a422b0cb26bf33d
              • Instruction ID: 892ce717ab7db8449b5b5c1ea70a229273777579a053fdaf2accce40a32485a0
              • Opcode Fuzzy Hash: f62e93e0c9653cfdff4efedd5b28407576af67e9d09d42bc4a422b0cb26bf33d
              • Instruction Fuzzy Hash: 5D214435600209AFCB10EF64D995EEEB7B8EF89704B104069F909EB251DB31EA45CB71
              Function 00D6A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
                • Part of subcall function 00D6A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D6A399
                • Part of subcall function 00D6A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D6A3AC
                • Part of subcall function 00D6A37C: GetCurrentThreadId.KERNEL32 ref: 00D6A3B3
                • Part of subcall function 00D6A37C: AttachThreadInput.USER32(00000000), ref: 00D6A3BA
              • GetFocus.USER32 ref: 00D6A554
                • Part of subcall function 00D6A3C5: GetParent.USER32(?), ref: 00D6A3D3
              • GetClassNameW.USER32(?,?,00000100), ref: 00D6A59D
              • EnumChildWindows.USER32(?,00D6A615), ref: 00D6A5C5
              • __swprintf.LIBCMT ref: 00D6A5DF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
              • String ID: %s%d
              • API String ID: 1941087503-1110647743
              • Opcode ID: d236c02735c98e84e4027523d0c186e1d2d343fa63577bdd5a4f10db46826134
              • Instruction ID: c64903b3ac79f8ff95dd8a8b851a743dc2f36bdcb276e6b28a94faea57c6739b
              • Opcode Fuzzy Hash: d236c02735c98e84e4027523d0c186e1d2d343fa63577bdd5a4f10db46826134
              • Instruction Fuzzy Hash: FC118171600309BBDF11BFA8EC85FEA7778EF49700F044075F948AA292DA7099958F75
              Function 00D72017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON
              Download Yara Rule
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00D72048
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              • Opcode ID: 65284e9a1910be00e376d252023c966d6cddb99da3d5fb7072e4ca05c6e11dd9
              • Instruction ID: cc1e96bfe0f86e6d4c5bf1292b5b8a7d2fbd314ed0dc5bfff2d9d81167b03fea
              • Opcode Fuzzy Hash: 65284e9a1910be00e376d252023c966d6cddb99da3d5fb7072e4ca05c6e11dd9
              • Instruction Fuzzy Hash: 7111097491020A9FCF00EFA8E9519FEB7B4FF15308F548469D895A7352EB326906CB70
              Function 00D12218 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 23COMMON
              Download Yara Rule
              APIs
              • GetSysColor.USER32(00000008), ref: 00D12231
              • SetTextColor.GDI32(?,000000FF), ref: 00D1223B
              • SetBkMode.GDI32(?,00000001), ref: 00D12250
              • GetStockObject.GDI32(00000005), ref: 00D12258
              • GetWindowDC.USER32(?,00000000), ref: 00D4C0D3
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D4C0E0
              • GetPixel.GDI32(00000000,?,00000000), ref: 00D4C0F9
              • GetPixel.GDI32(00000000,00000000,?), ref: 00D4C112
              • GetPixel.GDI32(00000000,?,?), ref: 00D4C132
              • ReleaseDC.USER32(?,00000000), ref: 00D4C13D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID: q0v
              • API String ID: 1946975507-2993000639
              • Opcode ID: 2bdca3879cb1ee8850462d917d7c9b2e0aa673a245613427c6b966bd2516590e
              • Instruction ID: d3ae5d186746963441ceb616d3c75dc5bdadf08a4aca74580e7e279ac2896a68
              • Opcode Fuzzy Hash: 2bdca3879cb1ee8850462d917d7c9b2e0aa673a245613427c6b966bd2516590e
              • Instruction Fuzzy Hash: AAE0C932604344EBDB615F64FC097D87B14EB15336F148367FA69D81E187724990DB71
              Function 00D8EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON
              Download Yara Rule
              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D8EF1B
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D8EF4B
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00D8F07E
              • CloseHandle.KERNEL32(?), ref: 00D8F0FF
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              • Opcode ID: ae00b96d7b7864865490b96165bc90b01997d27a434ef1ecded5310a348bee9b
              • Instruction ID: 0c39e9908d9df15c0e24ebb223e9516bf71e114fe39b55c9f118ce0b6df9a695
              • Opcode Fuzzy Hash: ae00b96d7b7864865490b96165bc90b01997d27a434ef1ecded5310a348bee9b
              • Instruction Fuzzy Hash: 168161B1644300AFD720EF28D856F6AB7E5EF88710F14881DF599DB292DB71AC408BB1
              Function 00D3564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
              • Instruction ID: 2ae129fec2dcdcf418fb24f8d6e2a751fb1be8fb61bc95b07061e38725565d54
              • Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
              • Instruction Fuzzy Hash: 1351B174A00B05DFDB248FB9E88566EB7B5EF40320F688729F826962D8D770DD518B70
              Function 00D902C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D910A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D90038,?,?), ref: 00D910BC
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D90388
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D903C7
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D9040E
              • RegCloseKey.ADVAPI32(?,?), ref: 00D9043A
              • RegCloseKey.ADVAPI32(00000000), ref: 00D90447
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              • Opcode ID: 37b46d242ca7a0fd094635dfe42ba753309ed28a2a792844eb273f9ae173d247
              • Instruction ID: 7909dbbcd28639a9300a60c31335abf9742887135616f280b0e7912db64a2318
              • Opcode Fuzzy Hash: 37b46d242ca7a0fd094635dfe42ba753309ed28a2a792844eb273f9ae173d247
              • Instruction Fuzzy Hash: C7513D31208205AFDB04EF64E891FAEB7E9FF84704F04891DB595872A1DB30E945CB72
              Function 00D8DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D8DC3B
              • GetProcAddress.KERNEL32(00000000,?), ref: 00D8DCBE
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00D8DCDA
              • GetProcAddress.KERNEL32(00000000,?), ref: 00D8DD1B
              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D8DD35
                • Part of subcall function 00D15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D77B20,?,?,00000000), ref: 00D15B8C
                • Part of subcall function 00D15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D77B20,?,?,00000000,?,?), ref: 00D15BB0
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              • Opcode ID: 8961bbbed93c0699d0118fd11122db2c630e94d4b42a605613a261d9bc62ea3b
              • Instruction ID: 62a4acefbee01daabd3efc93160a95a41ee5d9f45147b17f0b105b5cb886d1d3
              • Opcode Fuzzy Hash: 8961bbbed93c0699d0118fd11122db2c630e94d4b42a605613a261d9bc62ea3b
              • Instruction Fuzzy Hash: D4510975A00205EFCB00EF68D494DADB7F6FF58310B148069E859AB3A1DB74ED85CBA1
              Function 00D7E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON
              Download Yara Rule
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D7E88A
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00D7E8B3
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D7E8F2
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D7E917
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D7E91F
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              • Opcode ID: de710e4e0519e3d25046939a0aab93eb20f6f401c977071f5f51b3708f3f252b
              • Instruction ID: e88ba0dea1676822811a6cd7a3a05222aad886c107afb2a161d4774a7ae157a0
              • Opcode Fuzzy Hash: de710e4e0519e3d25046939a0aab93eb20f6f401c977071f5f51b3708f3f252b
              • Instruction Fuzzy Hash: 20511A35A00205EFCB01EF64D991AAEBBF5EF48314B148099E849AB362DB31ED51DF71
              Function 00D9A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1b982b0cf4fe2c81ce265747cca2494cdf566344b27782c3d98c5d446734500
              • Instruction ID: b198b7917cde05bea85a23132a05ae56183525e8a5a6d80a96b1ebb4e9629a7c
              • Opcode Fuzzy Hash: d1b982b0cf4fe2c81ce265747cca2494cdf566344b27782c3d98c5d446734500
              • Instruction Fuzzy Hash: 5E419236900214ABDB10DFACCC48FA9BBA4EB09310F194165E959E72E1D770ED51DAF1
              Function 00D12344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON
              Download Yara Rule
              APIs
              • GetCursorPos.USER32(?), ref: 00D12357
              • ScreenToClient.USER32(00DD67B0,?), ref: 00D12374
              • GetAsyncKeyState.USER32(00000001), ref: 00D12399
              • GetAsyncKeyState.USER32(00000002), ref: 00D123A7
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: 66e7a0ebf576b2138e86f1ec0f2693f10afb94bbc105d8f0d188a451e726e34c
              • Instruction ID: 038c864649cedbd87ef1642dbeb4626e2b172223753f43be22c2c56089c93513
              • Opcode Fuzzy Hash: 66e7a0ebf576b2138e86f1ec0f2693f10afb94bbc105d8f0d188a451e726e34c
              • Instruction Fuzzy Hash: 50418F31504219FBDF159F68D884AEDBB74FB05364F24431AF87892290CB7599A0DBB1
              Function 00D66920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON
              Download Yara Rule
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D6695D
              • TranslateAcceleratorW.USER32(?,?,?), ref: 00D669A9
              • TranslateMessage.USER32(?), ref: 00D669D2
              • DispatchMessageW.USER32(?), ref: 00D669DC
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D669EB
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              • Opcode ID: 184710ad3ffd1161aaf08ffe9b9858706979a386f4c2f7447da8422e54130357
              • Instruction ID: 8a5adee3faef2bc35ec92a0c0731fcce2b8c7b8556220ab0d095ec4827d7ec44
              • Opcode Fuzzy Hash: 184710ad3ffd1161aaf08ffe9b9858706979a386f4c2f7447da8422e54130357
              • Instruction Fuzzy Hash: 72318171901346ABDB20CFB4DC44BBA7BBCEB01304F18416BE861D22A1E775D889DBB0
              Function 00D68F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON
              Download Yara Rule
              APIs
              • GetWindowRect.USER32(?,?), ref: 00D68F12
              • PostMessageW.USER32(?,00000201,00000001), ref: 00D68FBC
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D68FC4
              • PostMessageW.USER32(?,00000202,00000000), ref: 00D68FD2
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D68FDA
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: 90fb7a6b902c871fa04037f695504199023c8c00eb5160624cf64796b0286808
              • Instruction ID: 255d7bca483f80f0494f7d86634bff6cc0572ad72a98c7c8666c9f370cc50c77
              • Opcode Fuzzy Hash: 90fb7a6b902c871fa04037f695504199023c8c00eb5160624cf64796b0286808
              • Instruction Fuzzy Hash: 4531DC71500219EFDF10CFA8D94CA9E7BB6EF14315F104229F924EB2D0CBB09950EBA0
              Function 00D6B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
              Download Yara Rule
              APIs
              • IsWindowVisible.USER32(?), ref: 00D6B6C7
              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D6B6E4
              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D6B71C
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D6B742
              • _wcsstr.LIBCMT ref: 00D6B74C
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              • Opcode ID: 4b80382f5dd279486930377299bd09b09e4cb6ba7a507c23c10ccea44a2ed464
              • Instruction ID: 5c1e48276da32df0771839fc2531ceade855336740729492c1f691a2ef4dbadc
              • Opcode Fuzzy Hash: 4b80382f5dd279486930377299bd09b09e4cb6ba7a507c23c10ccea44a2ed464
              • Instruction Fuzzy Hash: 6421D432604304BBEB255B79DC49E7B7BA8DF89720F14403BF905CA2A1EB61DC8096B0
              Function 00D9B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • GetWindowLongW.USER32(?,000000F0), ref: 00D9B44C
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00D9B471
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D9B489
              • GetSystemMetrics.USER32(00000004), ref: 00D9B4B2
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00D81184,00000000), ref: 00D9B4D0
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              • Opcode ID: 312c02db69b0ef73f9e06491df3c4fe76978fab4ca4e75ec58fae9c441883660
              • Instruction ID: cfbe9bc6ba0465121ac2683620382ae1d2306605ad3b1938a6f416a1a291ebdc
              • Opcode Fuzzy Hash: 312c02db69b0ef73f9e06491df3c4fe76978fab4ca4e75ec58fae9c441883660
              • Instruction Fuzzy Hash: 23219171610255AFCF109F38ED04A6A37A4EB05738F16473AF926C72E1E730D810EBA0
              Function 00D697E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D69802
                • Part of subcall function 00D17D2C: _memmove.LIBCMT ref: 00D17D66
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D69834
              • __itow.LIBCMT ref: 00D6984C
              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D69874
              • __itow.LIBCMT ref: 00D69885
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID:
              • API String ID: 2983881199-0
              • Opcode ID: b79db3a6bc3ce7f07b27949015ff0c5c69e02ff24f82dcb81e29e3ff0971f12c
              • Instruction ID: 398b6ec32b554646c49917f184140d089a6491e650b495134e51e603c075a099
              • Opcode Fuzzy Hash: b79db3a6bc3ce7f07b27949015ff0c5c69e02ff24f82dcb81e29e3ff0971f12c
              • Instruction Fuzzy Hash: 8C216571B00308BBDB109BA59C9AEEEBBBDEF4A710F084029F905DB251DA709D4597F1
              Function 00D112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
              Download Yara Rule
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D1134D
              • SelectObject.GDI32(?,00000000), ref: 00D1135C
              • BeginPath.GDI32(?), ref: 00D11373
              • SelectObject.GDI32(?,00000000), ref: 00D1139C
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: c154803acff4cfca0ff2d37fd21f82a0dc2bd4a63c44c546919ef0b91d434666
              • Instruction ID: 6528228a9d9c18b9968bd9070bfad38d74412f38f6d6751e1b21dc90b593e006
              • Opcode Fuzzy Hash: c154803acff4cfca0ff2d37fd21f82a0dc2bd4a63c44c546919ef0b91d434666
              • Instruction Fuzzy Hash: CF215C70801308EBDB109F65EC047A97BB8EB10361F188227F924D66E4DB71D895EBF0
              Function 00D6C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 6087bbc4a346d4fe489a7ddf72251655a7a4a2098819838377eb3e64ac7ece62
              • Instruction ID: 2b621037c61957a68ec1e3ef49ab74b0a0c25d6910c410b398b1cf8fe1204df8
              • Opcode Fuzzy Hash: 6087bbc4a346d4fe489a7ddf72251655a7a4a2098819838377eb3e64ac7ece62
              • Instruction Fuzzy Hash: 6C01B1B26153067BE214B7259C42FBB739CDB633A4F084021FD4596283EA64EE1582F1
              Function 00D74D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
              Download Yara Rule
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00D74D5C
              • __beginthreadex.LIBCMT ref: 00D74D7A
              • MessageBoxW.USER32(?,?,?,?), ref: 00D74D8F
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D74DA5
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D74DAC
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              • Opcode ID: e2fec0c23527f93441d063d631064b2c83b909a0e7f3fda206d1c49395f1830e
              • Instruction ID: ad312a59faad557e083b5055acb15519aa5255b945cce49dbac77008db29c660
              • Opcode Fuzzy Hash: e2fec0c23527f93441d063d631064b2c83b909a0e7f3fda206d1c49395f1830e
              • Instruction Fuzzy Hash: 2311E1B2904348AFC7119BA89C08A9A7FACEB45320F188266F958D3391E675DD4487F0
              Function 00D6874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
              Download Yara Rule
              APIs
              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D68766
              • GetLastError.KERNEL32(?,00D6822A,?,?,?), ref: 00D68770
              • GetProcessHeap.KERNEL32(00000008,?,?,00D6822A,?,?,?), ref: 00D6877F
              • HeapAlloc.KERNEL32(00000000,?,00D6822A,?,?,?), ref: 00D68786
              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D6879D
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: 281166515abc69ba12e9549eb44b436e7d49fa95d4251132fa14ffa54b77ed60
              • Instruction ID: 36c4197cb6d816221d980dfb8a17247f9f1951365c1105057d9e76e9d9cf112a
              • Opcode Fuzzy Hash: 281166515abc69ba12e9549eb44b436e7d49fa95d4251132fa14ffa54b77ed60
              • Instruction Fuzzy Hash: F001F671605304FFDB204FA6DC88D6B7BADEF9A756B24056AF849D3260DA319D00DAB0
              Function 00D754E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
              Download Yara Rule
              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D75502
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D75510
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D75518
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00D75522
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D7555E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: f47bae7284b45d1043a5615ad00e1b8767d44e63ce9b7706bfbae5b526b1adac
              • Instruction ID: 0534daa6c3aa3b8a1c07a360805a0c059a4ec6d097aac8d09c7ee57949aeb4ce
              • Opcode Fuzzy Hash: f47bae7284b45d1043a5615ad00e1b8767d44e63ce9b7706bfbae5b526b1adac
              • Instruction Fuzzy Hash: AE013935C00A19DBCF00DFE8E8496EDBB79FB09711F044156E945F2244EB70955087B2
              Function 00D67652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON
              Download Yara Rule
              APIs
              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?,?,?,00D6799D), ref: 00D6766F
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?,?), ref: 00D6768A
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?,?), ref: 00D67698
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?), ref: 00D676A8
              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D6758C,80070057,?,?), ref: 00D676B4
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: 822b9c3c3d6525b4a3b2b7b4ca4fe434ee2c1c3590abce97b4498ef6e67d7565
              • Instruction ID: 8b7bd0aa608893bbd3ff5153f7e542d86ccd73884334e891a7dd8852fe6eeb22
              • Opcode Fuzzy Hash: 822b9c3c3d6525b4a3b2b7b4ca4fe434ee2c1c3590abce97b4498ef6e67d7565
              • Instruction Fuzzy Hash: B601D4B2600708BBDB504F98DC08BAA7BACEB44B55F140129FD05D2321E771DD5087B0
              Function 00D685F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
              Download Yara Rule
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D68608
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D68612
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D68621
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D68628
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D6863E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 801049be6089679dca30091eaf16cfcb2602a6b752b0fa65428b86746981c9bf
              • Instruction ID: 08124c37293cc3bdaf41f0fdd5b19882f09471e88249683f4430784f1b55489e
              • Opcode Fuzzy Hash: 801049be6089679dca30091eaf16cfcb2602a6b752b0fa65428b86746981c9bf
              • Instruction Fuzzy Hash: B5F04F31241304AFEB100FE5DC8AF6F3BACEF89754B144626F949D6260CB619C41EA70
              Function 00D68652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
              Download Yara Rule
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D68669
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D68673
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D68682
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D68689
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D6869F
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 3f7a166c5d71542380aae20d1838144c5c7a1be21059868493ea3a6bb1349e6a
              • Instruction ID: 45aecc2b3b6418bfb90476bc77250ac4e49456bef233ef6536004cf9664ddfac
              • Opcode Fuzzy Hash: 3f7a166c5d71542380aae20d1838144c5c7a1be21059868493ea3a6bb1349e6a
              • Instruction Fuzzy Hash: 63F06271200304BFEB111FA5EC89E6B3BACEF89758B140126F949D7250CB71DD41EA70
              Function 00D6C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON
              Download Yara Rule
              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 00D6C6BA
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00D6C6D1
              • MessageBeep.USER32(00000000), ref: 00D6C6E9
              • KillTimer.USER32(?,0000040A), ref: 00D6C705
              • EndDialog.USER32(?,00000001), ref: 00D6C71F
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              • Opcode ID: 67adc4f11c51ade8330f0cb265ea02b6d3fbc36cb5264a7059dbc0229cdbcee6
              • Instruction ID: f33e5f418d1b066ed78da5308520f59f5504cf91b92deb2171140df2f4c46ff7
              • Opcode Fuzzy Hash: 67adc4f11c51ade8330f0cb265ea02b6d3fbc36cb5264a7059dbc0229cdbcee6
              • Instruction Fuzzy Hash: 38016270510704ABEB219B60ED4EFA677B8FF00705F04166AF592E15F1DBE4A9548FA0
              Function 00D113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
              Download Yara Rule
              APIs
              • EndPath.GDI32(?), ref: 00D113BF
              • StrokeAndFillPath.GDI32(?,?,00D4BAD8,00000000,?), ref: 00D113DB
              • SelectObject.GDI32(?,00000000), ref: 00D113EE
              • DeleteObject.GDI32 ref: 00D11401
              • StrokePath.GDI32(?), ref: 00D1141C
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              • Opcode ID: 7bada1bfe145a334a8ad476ecf26d773a93d826150347b26a13cfd64243b4a16
              • Instruction ID: bf48772bf677b1bfdf4771c842baa831641f83e068a31de2cfdfaad11a18a543
              • Opcode Fuzzy Hash: 7bada1bfe145a334a8ad476ecf26d773a93d826150347b26a13cfd64243b4a16
              • Instruction Fuzzy Hash: C6F0EC74005308EBDB115F66EC0C7983FA9A701726F58C226F669C52F1CB3199A5EFB0
              Function 00D7C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON
              Download Yara Rule
              APIs
              • CoInitialize.OLE32(00000000), ref: 00D7C69D
              • CoCreateInstance.OLE32(00DA2D6C,00000000,00000001,00DA2BDC,?), ref: 00D7C6B5
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
              • CoUninitialize.OLE32 ref: 00D7C922
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              • Opcode ID: 71e897fe97394816c7af1f3f4918d3d5f8037d6a7f0378a8095d5f7db3fa079a
              • Instruction ID: dad45afcfa21fa2268b0491543e28fafdb27afd14f80e58cd7c81a5de8a438cb
              • Opcode Fuzzy Hash: 71e897fe97394816c7af1f3f4918d3d5f8037d6a7f0378a8095d5f7db3fa079a
              • Instruction Fuzzy Hash: C2A12C71208305AFD700EF54D8A1EABB7E8EF98704F00491DF156971A2EB70EA49CB72
              Function 00D22E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D30FF6: std::exception::exception.LIBCMT ref: 00D3102C
                • Part of subcall function 00D30FF6: __CxxThrowException@8.LIBCMT ref: 00D31041
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D17BB1: _memmove.LIBCMT ref: 00D17C0B
              • __swprintf.LIBCMT ref: 00D2302D
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D22EC6
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              • Opcode ID: 39d9ed79cfaaf51278c17056806dcdaa930be314947690598f611d70ab66b4a7
              • Instruction ID: 7ef5d51aecb40e0e5e5cf7d8c6e8fabde369e93fc585bb09b77b3774433973a4
              • Opcode Fuzzy Hash: 39d9ed79cfaaf51278c17056806dcdaa930be314947690598f611d70ab66b4a7
              • Instruction Fuzzy Hash: B0916C71508311AFCB18EF24E995CAEB7B4EF95704F04491DF885972A1DE24EE48CB72
              Function 00D7BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D148AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D148A1,?,?,00D137C0,?), ref: 00D148CE
              • CoInitialize.OLE32(00000000), ref: 00D7BC26
              • CoCreateInstance.OLE32(00DA2D6C,00000000,00000001,00DA2BDC,?), ref: 00D7BC3F
              • CoUninitialize.OLE32 ref: 00D7BC5C
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              • Opcode ID: 26ed60ee6f947a3312e93f5081f209a636d40c42d60d04621ae69e48b8afccac
              • Instruction ID: c1db5d78def4d36eb7db3030678f547cfbfe8bd62f528278a6d1ce6e6de61ea4
              • Opcode Fuzzy Hash: 26ed60ee6f947a3312e93f5081f209a636d40c42d60d04621ae69e48b8afccac
              • Instruction Fuzzy Hash: 5FA16A75604301AFCB10DF24C494E6ABBE5FF88324F148989F89A9B361DB31ED45CBA1
              Function 00D3524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON
              Download Yara Rule
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 00D352DD
                • Part of subcall function 00D40340: __87except.LIBCMT ref: 00D4037B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              • Opcode ID: 6eaa49645d996a2b97d779bd3825e5552988b9f4b5a153670aaae8c0e2a4c568
              • Instruction ID: 6d7cf2c57792b402f426055fbc630566bd96dc399e5faefd5ba37754103377c3
              • Opcode Fuzzy Hash: 6eaa49645d996a2b97d779bd3825e5552988b9f4b5a153670aaae8c0e2a4c568
              • Instruction Fuzzy Hash: F2513831A0DB0187CB117B24E94137E2F94DB00750F288958E6D9862EEEF74CDD49AB6
              Function 00D3023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID: #$+
              • API String ID: 0-2552117581
              • Opcode ID: 4b7bab2dab275a0a3e32ed38497eb61d078b497ee26c58b468b864e527295de9
              • Instruction ID: 2298d2287257301dea20e11ba24bdfafcafbca2007d69fffc126462f7479ef64
              • Opcode Fuzzy Hash: 4b7bab2dab275a0a3e32ed38497eb61d078b497ee26c58b468b864e527295de9
              • Instruction Fuzzy Hash: AA511075504646DFCF25DF28E898AFA7BA4EF1A310F184055E8919B2E4D7349C82CB70
              Function 00D262F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memset$_memmove
              • String ID: ERCP
              • API String ID: 2532777613-1384759551
              • Opcode ID: 5393b7a99071472b15da68088a74ba9e6fee0de12ac84cfdd1416aab10f7bd2f
              • Instruction ID: 7548227040513a74cc1da53e8d627ea6dd741c9418cb4c49757c81a36860d9db
              • Opcode Fuzzy Hash: 5393b7a99071472b15da68088a74ba9e6fee0de12ac84cfdd1416aab10f7bd2f
              • Instruction Fuzzy Hash: C0511671904319DFCB24DF64D881BAABBF4EF14318F28856EE58AC7240E771D681CBA0
              Function 00D1152E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON
              Download Yara Rule
              APIs
              • BeginPath.GDI32(00000000), ref: 00D1154C
              • PolyDraw.GDI32(00000000,00000002,?,?), ref: 00D115C3
              • PolyDraw.GDI32(00000000,00000002,00000810,?), ref: 00D11602
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: DrawPoly$BeginPath
              • String ID: 0v
              • API String ID: 695094842-4066190830
              • Opcode ID: 0657a90fd23892ed66059cb1e0b8deb2483d81cfc84f3fa67a25a1d18def8430
              • Instruction ID: 16f65c94a1ae9f7f5694ad340b12799ce8990e0cf08ff9c001208c2a2219c25e
              • Opcode Fuzzy Hash: 0657a90fd23892ed66059cb1e0b8deb2483d81cfc84f3fa67a25a1d18def8430
              • Instruction Fuzzy Hash: B7418579900208FFCB14DF94D8809FEB7B9FF44320F148259E95697250DB30AA85DFA0
              Function 00D97BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON
              Download Yara Rule
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D9F910,00000000,?,?,?,?), ref: 00D97C4E
              • GetWindowLongW.USER32 ref: 00D97C6B
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D97C7B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              • Opcode ID: ffcf19389ecf15b543d6ef68c7d970c21525604f28686f94ac8b9c2abb029615
              • Instruction ID: e3be5d6099d9d7d304eecb93aeab36121d0c2dc1fb563aef740b8ac5a43a2a37
              • Opcode Fuzzy Hash: ffcf19389ecf15b543d6ef68c7d970c21525604f28686f94ac8b9c2abb029615
              • Instruction Fuzzy Hash: 3131AD31214206ABDF119F38DC41BEA77A9EF09324F284725F875E22E0C731E8509B70
              Function 00D97648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D976D0
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D976E4
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D97708
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              • Opcode ID: f5a89fd4e5e6ffdb2fb049ef74e73d7422048697251b10f392dc76158ac980ab
              • Instruction ID: b3491af4c1a1c290bf7d204e3ea8dbdd02a96e3693ebf75e1bd06546d49ef112
              • Opcode Fuzzy Hash: f5a89fd4e5e6ffdb2fb049ef74e73d7422048697251b10f392dc76158ac980ab
              • Instruction Fuzzy Hash: 3B21DE32610219BBDF11CFA4DC46FEA3B69EF48724F150214FE15AB1D0DAB1E8508BB0
              Function 00D96F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D96FAA
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D96FBA
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D96FDF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              • Opcode ID: 4ffd6ee9b615401acb01d907601d53fbb2154f8f34b6b3137eb2ec95b8b5eebb
              • Instruction ID: 98ecf4de37a56924ac8d0714644a9b694a43f6d7b288e1b50f91c39b7763ceb5
              • Opcode Fuzzy Hash: 4ffd6ee9b615401acb01d907601d53fbb2154f8f34b6b3137eb2ec95b8b5eebb
              • Instruction Fuzzy Hash: B8219F32610218BFDF118F54EC85FEB3BAAEF89764F058125FA149B190CA71EC518BB0
              Function 00D9797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D979E1
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D979F6
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D97A03
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              • Opcode ID: 35ea5be6752a1d9e204940cc5acf67d65273418a9c507e32563dcc9cab6fb082
              • Instruction ID: 26ddcb52ca474d18dbf81099c11a82e3e1362b0d34870fe8f42d4a4908bf612a
              • Opcode Fuzzy Hash: 35ea5be6752a1d9e204940cc5acf67d65273418a9c507e32563dcc9cab6fb082
              • Instruction Fuzzy Hash: ED11E372254208BFEF109F64CC05FEB37A9EF89764F060519FA45A6090D671E851CB70
              Function 00D14C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00D14C2E), ref: 00D14CA3
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D14CB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 0ce6a3d0743240606d3857e705454e757030b60d3c23db040fa189ff55111827
              • Instruction ID: 5023aa7fdc1c79315500829a44773a2ecd1ad33c0212c16b1a68c8d43527c43e
              • Opcode Fuzzy Hash: 0ce6a3d0743240606d3857e705454e757030b60d3c23db040fa189ff55111827
              • Instruction Fuzzy Hash: 9DD05B31510723DFDB205F31ED1864676D5AF05795B15C83ED885D6250DF70D4C0CAB0
              Function 00D14D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00D14CE1,?), ref: 00D14DA2
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D14DB4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 049abfa7088c0d7486116e579be9f41ec79b3b40464acf3f1db4ee016a6d948c
              • Instruction ID: 15b90b88fa0882b4f4f6024cf2e4a7e34598e4bce303fbc8c3e98bdd34774b5f
              • Opcode Fuzzy Hash: 049abfa7088c0d7486116e579be9f41ec79b3b40464acf3f1db4ee016a6d948c
              • Instruction Fuzzy Hash: 98D01731654713DFDB209F31E808A8676E4AF06365B15883ED8C6E6260EB70D8C0CAB1
              Function 00D14D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00D14D2E,?,00D14F4F,?,00DD62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D14D6F
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D14D81
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: 39251d7f46a89e07a22b558afae798fc4611a685519ecdac79221b7b878b5dac
              • Instruction ID: 3326d88851c1d930a85f741c83dc36883313db2f371f436593b818b871b0dc70
              • Opcode Fuzzy Hash: 39251d7f46a89e07a22b558afae798fc4611a685519ecdac79221b7b878b5dac
              • Instruction Fuzzy Hash: 07D01731610713DFDB209F31E80865676E8AF15352B29883ED486E6260EA70D8C0CBB1
              Function 00D91072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,00D912C1), ref: 00D91080
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D91092
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: eabacf71cb49f3f508edd04805d4eb645cb9ba6b365a3d2c7863b4cfb317a97c
              • Instruction ID: 836775abd7d156e5b778bfca42d4a11b4ba07a0a29c9cad8625eadc0418e56fc
              • Opcode Fuzzy Hash: eabacf71cb49f3f508edd04805d4eb645cb9ba6b365a3d2c7863b4cfb317a97c
              • Instruction Fuzzy Hash: F1D0E235510713CFDB209F35D819A1AB6E8AF05362B15882EA48AEA260E770C8C08AA0
              Function 00D893F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
              Download Yara Rule
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00D89009,?,00D9F910), ref: 00D89403
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D89415
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: 23bcb51888fdab9aec24b420243b0f1eba7f1e736dfa16d1151c353809d981b3
              • Instruction ID: 92c088ed121f1f1d045751700a761d34e39114507dfee64fae496aaadcb2f2ff
              • Opcode Fuzzy Hash: 23bcb51888fdab9aec24b420243b0f1eba7f1e736dfa16d1151c353809d981b3
              • Instruction Fuzzy Hash: 1AD01735610717CFDB20AF39DA58616B6E5AF05355B19C83FA4C6E6660E670C884CBB0
              Function 00D676C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0823a538df592317d5163f827ebd776fc6d0fed2a2d8982b70c8002dd8961dd3
              • Instruction ID: 094299c072a129bed3cb66a4f0c6cf28469989e1f1bf870d8a0b4fcd118e4fa5
              • Opcode Fuzzy Hash: 0823a538df592317d5163f827ebd776fc6d0fed2a2d8982b70c8002dd8961dd3
              • Instruction Fuzzy Hash: 27C16275A0421AEFCB14CFA4C884EAEB7F5FF48718B158599E845EB251D730DE41CBA0
              Function 00D8E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
              Download Yara Rule
              APIs
              • CharLowerBuffW.USER32(?,?), ref: 00D8E3D2
              • CharLowerBuffW.USER32(?,?), ref: 00D8E415
                • Part of subcall function 00D8DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D8DAD9
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00D8E615
              • _memmove.LIBCMT ref: 00D8E628
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • String ID:
              • API String ID: 3659485706-0
              • Opcode ID: e3d4ac4dd805b541d82c9a5b0a493f2f32ca2de32d475b0199afdf38068d2863
              • Instruction ID: d8aeaa2e3ffea99a5af66148523056daf0735d37a8a4e36e1ce5f82fccc6b292
              • Opcode Fuzzy Hash: e3d4ac4dd805b541d82c9a5b0a493f2f32ca2de32d475b0199afdf38068d2863
              • Instruction Fuzzy Hash: 22C15B716083119FC714EF28C49096ABBE4FF88718F18896DF8999B351D731E945CFA2
              Function 00D883A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON
              Download Yara Rule
              APIs
              • CoInitialize.OLE32(00000000), ref: 00D883D8
              • CoUninitialize.OLE32 ref: 00D883E3
                • Part of subcall function 00D6DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D6DAC5
              • VariantInit.OLEAUT32(?), ref: 00D883EE
              • VariantClear.OLEAUT32(?), ref: 00D886BF
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: 49d64eed373f5d5f7de356fededbf6e20fa405467308dbf7c3c7901808e139e9
              • Instruction ID: 535fcdba06d835a5a9af5971e0307811fddffe8eaa57ba675f57265a98158586
              • Opcode Fuzzy Hash: 49d64eed373f5d5f7de356fededbf6e20fa405467308dbf7c3c7901808e139e9
              • Instruction Fuzzy Hash: 46A13B75204701AFCB10EF24D4A1A6AB7E5FF88314F584449F99A9B3A1DF30ED44DB61
              Function 00D67A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON
              Download Yara Rule
              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00DA2C7C,?), ref: 00D67C32
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00DA2C7C,?), ref: 00D67C4A
              • CLSIDFromProgID.OLE32(?,?,00000000,00D9FB80,000000FF,?,00000000,00000800,00000000,?,00DA2C7C,?), ref: 00D67C6F
              • _memcmp.LIBCMT ref: 00D67C90
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID:
              • API String ID: 314563124-0
              • Opcode ID: dff59856287a65ffd08fd57bbf02895b618a111778afbc41bff457084920a3e0
              • Instruction ID: 153f24205ad55e28ad91dfb60743f9e7847f873d66da87780c43d46542c28be7
              • Opcode Fuzzy Hash: dff59856287a65ffd08fd57bbf02895b618a111778afbc41bff457084920a3e0
              • Instruction Fuzzy Hash: 4C811A71A00109EFCB04DF98C984EEEB7B9FF89315F244198E506EB250DB71AE06CB60
              Function 00D66DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: 31c51b13c5a896b5b200106188198db450c6cf393d5deec4d817c87ed56ad994
              • Instruction ID: 66a480194c850e04efae1940b37e714a6f8b17228a776312cd9f453cccf8970c
              • Opcode Fuzzy Hash: 31c51b13c5a896b5b200106188198db450c6cf393d5deec4d817c87ed56ad994
              • Instruction Fuzzy Hash: 4251B5316083059BDB20AF65E891A6EF3F5EF48314F24881FE596CB291EF70D8849B31
              Function 00D99A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON
              Download Yara Rule
              APIs
              • GetWindowRect.USER32(017BE0C8,?), ref: 00D99AD2
              • ScreenToClient.USER32(00000002,00000002), ref: 00D99B05
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00D99B72
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID:
              • API String ID: 3880355969-0
              • Opcode ID: 9366b1c99fdb363f3c57c792839c7b69de6d2748d16a190eead66766fd15775a
              • Instruction ID: 99780cd608e28c24a72b1813bd8c61e425a22ee4852aa4687dc810344b50dd3a
              • Opcode Fuzzy Hash: 9366b1c99fdb363f3c57c792839c7b69de6d2748d16a190eead66766fd15775a
              • Instruction Fuzzy Hash: 14512C35A00209AFCF10DF68E8909AEBBB5FB55324F14825EF815DB290D734AD81DBA0
              Function 00D86CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON
              Download Yara Rule
              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 00D86CE4
              • WSAGetLastError.WSOCK32(00000000), ref: 00D86CF4
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D86D58
              • WSAGetLastError.WSOCK32(00000000), ref: 00D86D64
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ErrorLast$__itow__swprintfsocket
              • String ID:
              • API String ID: 2214342067-0
              • Opcode ID: 8a68be8b4be1893e8a4ed040b6b4f17ba1980b56d0a58877755eda4b0da4403a
              • Instruction ID: fd900915fdb0d578b44718e0be63c221c965ee617d841aaba852e7e2f735484f
              • Opcode Fuzzy Hash: 8a68be8b4be1893e8a4ed040b6b4f17ba1980b56d0a58877755eda4b0da4403a
              • Instruction Fuzzy Hash: EF418174740200BFEB20AF24EC96F7A77A5DF04B20F548018FA599B2D2DE719D418BB1
              Function 00D8672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON
              Download Yara Rule
              APIs
              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00D9F910), ref: 00D867BA
              • _strlen.LIBCMT ref: 00D867EC
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _strlen
              • String ID:
              • API String ID: 4218353326-0
              • Opcode ID: 6e00c69ed67357465c0b849ee0ec0e31d72e2e236c635bf112afbf745df7bc67
              • Instruction ID: f26b7fd5fc5de83f6cc6335e5b16e396ea81d3ba56619e39701d03486413eae6
              • Opcode Fuzzy Hash: 6e00c69ed67357465c0b849ee0ec0e31d72e2e236c635bf112afbf745df7bc67
              • Instruction Fuzzy Hash: F0417331A00104ABCB14FB64EDD5EAEB7A9EF48324F148165F51997291DF30ED44CB70
              Function 00D7BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON
              Download Yara Rule
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D7BB09
              • GetLastError.KERNEL32(?,00000000), ref: 00D7BB2F
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D7BB54
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D7BB80
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: 891da08a63a4bd4459e4f00d50c0a94e3c2b0588f2cad3251af57db5f12784ab
              • Instruction ID: 035c25b86e4238177886f32b3b06102a83194f41f46cbd6c79359e13f8b2bbcd
              • Opcode Fuzzy Hash: 891da08a63a4bd4459e4f00d50c0a94e3c2b0588f2cad3251af57db5f12784ab
              • Instruction Fuzzy Hash: A8410739600610EFCB11EF25D5A5A5DBBE1EF49320B198499EC4A9B362CB34FD41CBA1
              Function 00D98AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
              Download Yara Rule
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D98B4D
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID:
              • API String ID: 634782764-0
              • Opcode ID: 9d0cbff24a0114865de7ef8155fdadd29664b40f6f79b4cc871d1235e422d118
              • Instruction ID: 8ad5f3f2f8d90bece869b0ec427836b6aa2aa48e69721d5f2be7c33747b0006c
              • Opcode Fuzzy Hash: 9d0cbff24a0114865de7ef8155fdadd29664b40f6f79b4cc871d1235e422d118
              • Instruction Fuzzy Hash: 7831A1B4600304BEEF209B58CC95FA937A4EB07B18F6C4616FA55D72A1CE31E950A7B1
              Function 00D9ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
              Download Yara Rule
              APIs
              • ClientToScreen.USER32(?,?), ref: 00D9AE1A
              • GetWindowRect.USER32(?,?), ref: 00D9AE90
              • PtInRect.USER32(?,?,00D9C304), ref: 00D9AEA0
              • MessageBeep.USER32(00000000), ref: 00D9AF11
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID:
              • API String ID: 1352109105-0
              • Opcode ID: f479b3aed7b20c0e00e972b3d6901e89b3dd06baedf30e6c748c3f807e83e32c
              • Instruction ID: 8c572dd69225fb989ee83f43f5defa10c5f58b98a7ebf72e8417bdbab45f3f82
              • Opcode Fuzzy Hash: f479b3aed7b20c0e00e972b3d6901e89b3dd06baedf30e6c748c3f807e83e32c
              • Instruction Fuzzy Hash: 3C4115726002199FCF11DF58C884AA9BBF5FF49350F2881AAF815DB351D730E941DBA2
              Function 00D70FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON
              Download Yara Rule
              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00D71037
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00D71053
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00D710B9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00D7110B
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: d3aeff34d85e1d537af466029227ec8dfa497cabfdfeda6236bf1ec2262bd953
              • Instruction ID: 4ce25762f58df5f84ac256952c9a2ad52af00a1beb681460761bb9d40531468e
              • Opcode Fuzzy Hash: d3aeff34d85e1d537af466029227ec8dfa497cabfdfeda6236bf1ec2262bd953
              • Instruction Fuzzy Hash: DC313534E40698AEFB308B6D8C05BFABBA9AB44310F08C31AE588921D1E37489C49771
              Function 00D71121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON
              Download Yara Rule
              APIs
              • GetKeyboardState.USER32(?,76BFC520,?,00008000), ref: 00D71176
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00D71192
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00D711F1
              • SendInput.USER32(00000001,?,0000001C,76BFC520,?,00008000), ref: 00D71243
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: c6dfe45d4386289f7d658ea44699c52a64d9658f227ed8018687b3c544f98170
              • Instruction ID: 76fc95af4baa969a1154fac6baa31ee5670b2fb159ebf26110b7142314afbe3b
              • Opcode Fuzzy Hash: c6dfe45d4386289f7d658ea44699c52a64d9658f227ed8018687b3c544f98170
              • Instruction Fuzzy Hash: A3314834A40318AAEF308B6D8C05BFA7BAAAB49310F58C31FE988D61D1E3348D549775
              Function 00D46415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D4644B
              • __isleadbyte_l.LIBCMT ref: 00D46479
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D464A7
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D464DD
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 0476c130e10ac3f25c74b25391bcbea39de31d75bab446ea89b2a0a1edb95ee1
              • Instruction ID: 5db04824c98bd35d31fb8ad4398b1836e7a2bd65210f28dd8a5ad6755df9e70b
              • Opcode Fuzzy Hash: 0476c130e10ac3f25c74b25391bcbea39de31d75bab446ea89b2a0a1edb95ee1
              • Instruction Fuzzy Hash: 0231E13160824AAFDF258F74C844BAA7BA5FF42710F194429F85A87190D731DC90DBB2
              Function 00D95175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON
              Download Yara Rule
              APIs
              • GetForegroundWindow.USER32 ref: 00D95189
                • Part of subcall function 00D7387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D73897
                • Part of subcall function 00D7387D: GetCurrentThreadId.KERNEL32 ref: 00D7389E
                • Part of subcall function 00D7387D: AttachThreadInput.USER32(00000000,?,00D752A7), ref: 00D738A5
              • GetCaretPos.USER32(?), ref: 00D9519A
              • ClientToScreen.USER32(00000000,?), ref: 00D951D5
              • GetForegroundWindow.USER32 ref: 00D951DB
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 76c928438fbc9b64564a80054a72feea524ffca734db98753a0c1a0fcff2b3b1
              • Instruction ID: ddae070555bc91ae7f91b7b957aac026ce7fedd9c53f63c5aab71cff9cc24d1f
              • Opcode Fuzzy Hash: 76c928438fbc9b64564a80054a72feea524ffca734db98753a0c1a0fcff2b3b1
              • Instruction Fuzzy Hash: 5D310D72900208AFDB00EFA5D895AEFF7F9EF98300F10406AE415E7251EA759E45CBB1
              Function 00D9C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • GetCursorPos.USER32(?), ref: 00D9C7C2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D4BBFB,?,?,?,?,?), ref: 00D9C7D7
              • GetCursorPos.USER32(?), ref: 00D9C824
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D4BBFB,?,?,?), ref: 00D9C85E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID:
              • API String ID: 2864067406-0
              • Opcode ID: 0b6f291f1bca3f68d566529629084a65ad97c1e64bce0d7a625dcfef9afab8c8
              • Instruction ID: 0d3c5dbf6ea193d6670173cf734ecff770d299e5e5669f47207399548e1417e5
              • Opcode Fuzzy Hash: 0b6f291f1bca3f68d566529629084a65ad97c1e64bce0d7a625dcfef9afab8c8
              • Instruction Fuzzy Hash: 16315C75610118AFDF15CF98C898EEA7BBAEB49710F48416AF905CB2A1C7319D60DBB0
              Function 00D30BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
              Download Yara Rule
              APIs
              • __setmode.LIBCMT ref: 00D30BF2
                • Part of subcall function 00D15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D77B20,?,?,00000000), ref: 00D15B8C
                • Part of subcall function 00D15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D77B20,?,?,00000000,?,?), ref: 00D15BB0
              • _fprintf.LIBCMT ref: 00D30C29
              • OutputDebugStringW.KERNEL32(?), ref: 00D66331
                • Part of subcall function 00D34CDA: _flsall.LIBCMT ref: 00D34CF3
              • __setmode.LIBCMT ref: 00D30C5E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • String ID:
              • API String ID: 521402451-0
              • Opcode ID: 29b97a59247e7f13a06c756be98886c95a1b4801ec9ca0f048aa35d6c12712db
              • Instruction ID: 4fbd6a09be1b5ab8c9078a8e0854263e778c688783b7ed40937b03b90b8504e9
              • Opcode Fuzzy Hash: 29b97a59247e7f13a06c756be98886c95a1b4801ec9ca0f048aa35d6c12712db
              • Instruction Fuzzy Hash: 59110A72904208BBCB04B7B4AC47AFEBB69DF45320F14415AF104972D1EF256D8597F5
              Function 00D68B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D68652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D68669
                • Part of subcall function 00D68652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D68673
                • Part of subcall function 00D68652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D68682
                • Part of subcall function 00D68652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D68689
                • Part of subcall function 00D68652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D6869F
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D68BEB
              • _memcmp.LIBCMT ref: 00D68C0E
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D68C44
              • HeapFree.KERNEL32(00000000), ref: 00D68C4B
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 1592001646-0
              • Opcode ID: bb9c5823ed7c6928c123cd57920a24e129a4ed37379edb9c4bd8c2ab1db59d6f
              • Instruction ID: db8651410f0786112615bbbeac71c99b868906686db30b03a54ad935aa56340d
              • Opcode Fuzzy Hash: bb9c5823ed7c6928c123cd57920a24e129a4ed37379edb9c4bd8c2ab1db59d6f
              • Instruction Fuzzy Hash: 4C217A71E01209EFDB10DFA4C945BEEB7B8EF44355F194159E454A7240DB31AA06EBB0
              Function 00D81A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON
              Download Yara Rule
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D81A97
                • Part of subcall function 00D81B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D81B40
                • Part of subcall function 00D81B21: InternetCloseHandle.WININET(00000000), ref: 00D81BDD
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: d7c7c6a695059364a959ccd6d26101bce8454c46468418f3b717f821d60f4289
              • Instruction ID: 2fb777830f62186d1378d581ff2b062be0ed9ddab2cc3a2336beeae8ab0aaa45
              • Opcode Fuzzy Hash: d7c7c6a695059364a959ccd6d26101bce8454c46468418f3b717f821d60f4289
              • Instruction Fuzzy Hash: 67219F79201601BFDB15AF60CC01FBAB7ADFF45711F14001AFA56D6650EB71E8169BB0
              Function 00D6E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D6F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00D6E1C4,?,?,?,00D6EFB7,00000000,000000EF,00000119,?,?), ref: 00D6F5BC
                • Part of subcall function 00D6F5AD: lstrcpyW.KERNEL32(00000000,?,?,00D6E1C4,?,?,?,00D6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D6F5E2
                • Part of subcall function 00D6F5AD: lstrcmpiW.KERNEL32(00000000,?,00D6E1C4,?,?,?,00D6EFB7,00000000,000000EF,00000119,?,?), ref: 00D6F613
              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00D6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D6E1DD
              • lstrcpyW.KERNEL32(00000000,?,?,00D6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D6E203
              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00D6EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D6E237
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: lstrcmpilstrcpylstrlen
              • String ID: cdecl
              • API String ID: 4031866154-3896280584
              • Opcode ID: 595ebe191c07b430f71e0cbf5f2296f99cfffe8c96a3c45787ed5489ad6db2b4
              • Instruction ID: 2507a3bbe527fda8d81189ba84091323e0b31978206f619f95459d0b3f8ee33a
              • Opcode Fuzzy Hash: 595ebe191c07b430f71e0cbf5f2296f99cfffe8c96a3c45787ed5489ad6db2b4
              • Instruction Fuzzy Hash: AA11D03A200301EFCB25AF64DC45E7A77AAFF89310B44402AF806CB2A4EB71D850C7B4
              Function 00D45332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              • _free.LIBCMT ref: 00D45351
                • Part of subcall function 00D3594C: __FF_MSGBANNER.LIBCMT ref: 00D35963
                • Part of subcall function 00D3594C: __NMSG_WRITE.LIBCMT ref: 00D3596A
                • Part of subcall function 00D3594C: RtlAllocateHeap.NTDLL(017A0000,00000000,00000001,00000000,?,?,?,00D31013,?), ref: 00D3598F
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: fe05848375b6ae117fdb629ca6a293a154477acddd7969553c0754644704848f
              • Instruction ID: 4a5bb40edb2d12508a7c585d24e2dd15daa7a561ee87f7eb26e22a8df4998da2
              • Opcode Fuzzy Hash: fe05848375b6ae117fdb629ca6a293a154477acddd7969553c0754644704848f
              • Instruction Fuzzy Hash: 7411A332905B15AFCB313F70BC4966D3798DF103A0F28042AF945DA196DE75CD4197B0
              Function 00D14531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D14560
                • Part of subcall function 00D1410D: _memset.LIBCMT ref: 00D1418D
                • Part of subcall function 00D1410D: _wcscpy.LIBCMT ref: 00D141E1
                • Part of subcall function 00D1410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D141F1
              • KillTimer.USER32(?,00000001,?,?), ref: 00D145B5
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D145C4
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D4D6CE
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: 902c5a90f3fdc4f09216bed9d7ac9989410557ffa5b16c07c35522d56b41e64c
              • Instruction ID: d425f0fca39f3dc90a4d508274fd7ade98de0f7e53a1446210b170fd71b537b8
              • Opcode Fuzzy Hash: 902c5a90f3fdc4f09216bed9d7ac9989410557ffa5b16c07c35522d56b41e64c
              • Instruction Fuzzy Hash: 5421A770904798AFEB328B24D855BEBBBED9F01304F04009EE69E96242CB745AC49B71
              Function 00D8667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00D77B20,?,?,00000000), ref: 00D15B8C
                • Part of subcall function 00D15B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00D77B20,?,?,00000000,?,?), ref: 00D15BB0
              • gethostbyname.WSOCK32(?,?,?), ref: 00D866AC
              • WSAGetLastError.WSOCK32(00000000), ref: 00D866B7
              • _memmove.LIBCMT ref: 00D866E4
              • inet_ntoa.WSOCK32(?), ref: 00D866EF
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: 19809bde0da4cab36fb731c7ba58767714eb1b04cbaed095e5da85be36a47f39
              • Instruction ID: 780d7da1715d14df18cc8a445ad1d4a8dc60bfb3fa9fa12ab6d3e5af6ba0a827
              • Opcode Fuzzy Hash: 19809bde0da4cab36fb731c7ba58767714eb1b04cbaed095e5da85be36a47f39
              • Instruction Fuzzy Hash: BC113A75500509AFCB04FBA4E996DEEB7B9EF44310B144065F506A7261DF30AE449BB1
              Function 00D69023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00D69043
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D69055
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D6906B
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D69086
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 213d0d4513b947afa6bd0823999ec7a683617fa0a975f7bbacb5fa252e6a0081
              • Instruction ID: 5950637ba8c32231df3f606490c943daa5e7d0d8ed7287f23918edb1f87ee9c7
              • Opcode Fuzzy Hash: 213d0d4513b947afa6bd0823999ec7a683617fa0a975f7bbacb5fa252e6a0081
              • Instruction Fuzzy Hash: 05115E79900218FFDB10DFA5CD84E9DFB78FB48310F204095E904B7250D6716E10DBA0
              Function 00D11290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D12612: GetWindowLongW.USER32(?,000000EB), ref: 00D12623
              • DefDlgProcW.USER32(?,00000020,?), ref: 00D112D8
              • GetClientRect.USER32(?,?), ref: 00D4B84B
              • GetCursorPos.USER32(?), ref: 00D4B855
              • ScreenToClient.USER32(?,?), ref: 00D4B860
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: d1cf96f6c9cd737224e8a312b1da42d4395025f25c50786c179f33d96b860229
              • Instruction ID: 8bf0a2db497a03119cf6a6d9b311fd5b69c5be4a8a0876a9ca896d0125538093
              • Opcode Fuzzy Hash: d1cf96f6c9cd737224e8a312b1da42d4395025f25c50786c179f33d96b860229
              • Instruction Fuzzy Hash: 9A112839901219BBCF10DF98E8869FE77B8FB05301F100456FA41E7250CB34BA918BB9
              Function 00D71652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON
              Download Yara Rule
              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D701FD,?,00D71250,?,00008000), ref: 00D7166F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00D701FD,?,00D71250,?,00008000), ref: 00D71694
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00D701FD,?,00D71250,?,00008000), ref: 00D7169E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,00D701FD,?,00D71250,?,00008000), ref: 00D716D1
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID:
              • API String ID: 2875609808-0
              • Opcode ID: 53e14eaacc46df4eab096b0f5ab4d0def5e9e108a38690f136751846ea019f60
              • Instruction ID: a251ac200c6dc66fe9367143aeb384599a865184e3ca8f633f8d44b7c0eb06a1
              • Opcode Fuzzy Hash: 53e14eaacc46df4eab096b0f5ab4d0def5e9e108a38690f136751846ea019f60
              • Instruction Fuzzy Hash: 7A113035C0061DD7CF009FA9D945AEEBB78FF19751F058156D984F6240DB3095508BF5
              Function 00D47207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE
              Download Yara Rule
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: d2fd27ab08981fa06c0327e9099ce60e57634570ecb9a7cff19dc6278959deb0
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: 8E01803204414ABBCF125E84CC418EE3F22FF19344B498615FA5858031C377C9B1ABA5
              Function 00D9B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON
              Download Yara Rule
              APIs
              • GetWindowRect.USER32(?,?), ref: 00D9B59E
              • ScreenToClient.USER32(?,?), ref: 00D9B5B6
              • ScreenToClient.USER32(?,?), ref: 00D9B5DA
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D9B5F5
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: 7c2fce36317a3f4256dcfc546a2dce47613009df59a97a29b14bb92ca95ed762
              • Instruction ID: 181a7ce3df8502a0bf0b61a7d8bed594558b9d6631aa18381458ebf2e80e3f49
              • Opcode Fuzzy Hash: 7c2fce36317a3f4256dcfc546a2dce47613009df59a97a29b14bb92ca95ed762
              • Instruction Fuzzy Hash: 051146B5D00209EFDB41CF99D544AEEFBB5FB08310F104166E954E3620D735AA558F60
              Function 00D9B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D9B8FE
              • _memset.LIBCMT ref: 00D9B90D
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00DD7F20,00DD7F64), ref: 00D9B93C
              • CloseHandle.KERNEL32 ref: 00D9B94E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID:
              • API String ID: 3277943733-0
              • Opcode ID: 8f5a7e8293b2815c173134f0adf7e300d21c6b4257dd28b2be5fbf4509f7b49d
              • Instruction ID: 0ea08fb56d1a3b67a9985ce0eb4b6324b8ce0ad9d78a069cc2699e5d37945fa7
              • Opcode Fuzzy Hash: 8f5a7e8293b2815c173134f0adf7e300d21c6b4257dd28b2be5fbf4509f7b49d
              • Instruction Fuzzy Hash: 47F05EB26493007BE2202B71AC05FBB3B5CEF09394F4000A2FA08D5392E775590087B8
              Function 00D76E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON
              Download Yara Rule
              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 00D76E88
                • Part of subcall function 00D7794E: _memset.LIBCMT ref: 00D77983
              • _memmove.LIBCMT ref: 00D76EAB
              • _memset.LIBCMT ref: 00D76EB8
              • LeaveCriticalSection.KERNEL32(?), ref: 00D76EC8
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: ed1373e2fec9d17b48a89a17ed08e4076a0697dd1e02e078cb8011dda99b5609
              • Instruction ID: 2f3ab1a21b9f1698eadfd4804e1c3badb20012e8691c68682a22e198e7e07609
              • Opcode Fuzzy Hash: ed1373e2fec9d17b48a89a17ed08e4076a0697dd1e02e078cb8011dda99b5609
              • Instruction Fuzzy Hash: 93F05E3A200200ABCF016F55DC85B8ABB2AEF45360F04C062FE08DE22AD731A911DBB4
              Function 00D9C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D1134D
                • Part of subcall function 00D112F3: SelectObject.GDI32(?,00000000), ref: 00D1135C
                • Part of subcall function 00D112F3: BeginPath.GDI32(?), ref: 00D11373
                • Part of subcall function 00D112F3: SelectObject.GDI32(?,00000000), ref: 00D1139C
              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D9C030
              • LineTo.GDI32(00000000,?,?), ref: 00D9C03D
              • EndPath.GDI32(00000000), ref: 00D9C04D
              • StrokePath.GDI32(00000000), ref: 00D9C05B
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
              • String ID:
              • API String ID: 1539411459-0
              • Opcode ID: 7c8a558c6464677461bf762aea95fbebb95292868f03d9267a5a6593b91ab9ee
              • Instruction ID: 3846a036bace2c610293a2881f657456e4ac8f8d516993a244531fc4f0bd9c2e
              • Opcode Fuzzy Hash: 7c8a558c6464677461bf762aea95fbebb95292868f03d9267a5a6593b91ab9ee
              • Instruction Fuzzy Hash: 1EF03A31005359BADB126F95AC0AFCA3B59AF05311F184102FA19A12E287755661DBF5
              Function 00D6A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON
              Download Yara Rule
              APIs
              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D6A399
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D6A3AC
              • GetCurrentThreadId.KERNEL32 ref: 00D6A3B3
              • AttachThreadInput.USER32(00000000), ref: 00D6A3BA
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
              • String ID:
              • API String ID: 2710830443-0
              • Opcode ID: 369514ba44199e3e43cd55ef2970b3666071fbbb21ebab59bf7a3156b4d8773b
              • Instruction ID: b5f5c7a6d269fdea4d4679ba50f69be2757565d093a18b60036d5b7acbcb9e5b
              • Opcode Fuzzy Hash: 369514ba44199e3e43cd55ef2970b3666071fbbb21ebab59bf7a3156b4d8773b
              • Instruction Fuzzy Hash: E2E0C972545328BBDB206BA6DC0DEDB7F5CEF167A1F048026F649E5160C671C540DBB1
              Function 00D68C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON
              Download Yara Rule
              APIs
              • GetCurrentThread.KERNEL32 ref: 00D68C63
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00D6882E), ref: 00D68C6A
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D6882E), ref: 00D68C77
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00D6882E), ref: 00D68C7E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: 23c8499c70bf7e039e746ccc326d9a695734f82d5c59df06baa0d88cfae34d2c
              • Instruction ID: 3dad749ac1cb4946bf2255533753c95ac64142f4a13c5570d59d3ba3db1d72c9
              • Opcode Fuzzy Hash: 23c8499c70bf7e039e746ccc326d9a695734f82d5c59df06baa0d88cfae34d2c
              • Instruction Fuzzy Hash: 0EE08676642311DBD7205FB06D0DB563BACEF50792F194929F249D9080DA748441DB71
              Function 00D52187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
              Download Yara Rule
              APIs
              • GetDesktopWindow.USER32 ref: 00D52187
              • GetDC.USER32(00000000), ref: 00D52191
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D521B1
              • ReleaseDC.USER32(?), ref: 00D521D2
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 0b8b2a93cb178dc007a637e5b7347017874e8d295e69172e7ce4417360a91dfe
              • Instruction ID: d08c90e02c5bed78d0ccdb711401e186dc4efbc03cab609e69d00985dd5b47e2
              • Opcode Fuzzy Hash: 0b8b2a93cb178dc007a637e5b7347017874e8d295e69172e7ce4417360a91dfe
              • Instruction Fuzzy Hash: 9EE0E575840704EFDB019F60D808AAD7BB5EB4C351F208426FD5AD7360CB788181DF60
              Function 00D5219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON
              Download Yara Rule
              APIs
              • GetDesktopWindow.USER32 ref: 00D5219B
              • GetDC.USER32(00000000), ref: 00D521A5
              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D521B1
              • ReleaseDC.USER32(?), ref: 00D521D2
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CapsDesktopDeviceReleaseWindow
              • String ID:
              • API String ID: 2889604237-0
              • Opcode ID: 15ac9d4a85a1efd48d9c78a2d4af1639168aa98f5bc93294e74a25ccb4054028
              • Instruction ID: 2a215f1f762fcd07acdd993a13dbbc0512f2a290c739546f9cd9683b714063cb
              • Opcode Fuzzy Hash: 15ac9d4a85a1efd48d9c78a2d4af1639168aa98f5bc93294e74a25ccb4054028
              • Instruction Fuzzy Hash: E4E07EB6940304AFCB119FA0D80869DBBA6EB5C351F21842AF95AE7360DB789581DF60
              Function 00D6B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON
              Download Yara Rule
              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 00D6B981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container
              • API String ID: 3565006973-3941886329
              • Opcode ID: 05f5425e7a42c19c19fd1a600b2180de4692cdc407c56bb2c658279187986234
              • Instruction ID: eeb9ecab7509dfe897ae553093cc39cdc34489ae0798386fc7203e2ea1ccb4ac
              • Opcode Fuzzy Hash: 05f5425e7a42c19c19fd1a600b2180de4692cdc407c56bb2c658279187986234
              • Instruction Fuzzy Hash: 77914B706002019FDB24DF68C895B6ABBE8FF48720F14856EF949CB791DB70E881CB60
              Function 00D7B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D2FEC6: _wcscpy.LIBCMT ref: 00D2FEE9
                • Part of subcall function 00D19997: __itow.LIBCMT ref: 00D199C2
                • Part of subcall function 00D19997: __swprintf.LIBCMT ref: 00D19A0C
              • __wcsnicmp.LIBCMT ref: 00D7B298
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00D7B361
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: 4b3aed649da2ea809f9da2df36473ad6a8cf24d2a5d955466b794cae74ecd1d6
              • Instruction ID: 8c13f6990dd9d1ea0d667269773b8298a89e6f2e56f6309d104d7b3559238b64
              • Opcode Fuzzy Hash: 4b3aed649da2ea809f9da2df36473ad6a8cf24d2a5d955466b794cae74ecd1d6
              • Instruction Fuzzy Hash: E9616475A00215EFCB14DF94D995FAEB7B4EF08310F15806AF54AAB251EB70AE84CB70
              Function 00D22AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
              Download Yara Rule
              APIs
              • Sleep.KERNEL32(00000000), ref: 00D22AC8
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00D22AE1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: 2267d8b9603eb73e1dfd59f468b7b302ce9e6fdd263fa4c2daeb54e0a145b6b6
              • Instruction ID: 1036e78e5c38437fb3d86b07697a5bd7c37082715a0a65b47694159878368962
              • Opcode Fuzzy Hash: 2267d8b9603eb73e1dfd59f468b7b302ce9e6fdd263fa4c2daeb54e0a145b6b6
              • Instruction Fuzzy Hash: E1514971418744ABD320EF10E896BABB7E8FF84314F42485DF2D9911A6DF308569CB76
              Function 00D799BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D1506B: __fread_nolock.LIBCMT ref: 00D15089
              • _wcscmp.LIBCMT ref: 00D79AAE
              • _wcscmp.LIBCMT ref: 00D79AC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: 8e7d13a6701a66e7373b3f11fd5d4a6d3c033cdaa67797fa957f82ea8256efe7
              • Instruction ID: 5674cde335fda6f889098515eb03a7affd646a816a5d0b3fab3bc0f1450117e7
              • Opcode Fuzzy Hash: 8e7d13a6701a66e7373b3f11fd5d4a6d3c033cdaa67797fa957f82ea8256efe7
              • Instruction Fuzzy Hash: C0410772A00609BADF209EE4EC86FEFB7BDDF49710F004069F904A7185DA75AA4487B1
              Function 00D82882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D82892
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D828C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: 9085144049ad308a1ac4606592c75b2ff65386e6646e8fb8ac653efd4eb38396
              • Instruction ID: 7cc3c90eb7d29a2dfe89bd681d7dac11536779178fdfbb770b1b504a1126574b
              • Opcode Fuzzy Hash: 9085144049ad308a1ac4606592c75b2ff65386e6646e8fb8ac653efd4eb38396
              • Instruction Fuzzy Hash: 7731F771800119AFCF01AFA1DC85EEEBBB9FF08310F144069E815A6166DA319A96DBB0
              Function 00D96CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON
              Download Yara Rule
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 00D96D86
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D96DC2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: 3e44e612b1653c54e306905d3f0c61c4d7cd44905cc098fc1270ffb26113cf79
              • Instruction ID: 8d9fd4f458fc181459514bc77d6e97f6217b822e36ba9f61ce690d3e2fb18d5e
              • Opcode Fuzzy Hash: 3e44e612b1653c54e306905d3f0c61c4d7cd44905cc098fc1270ffb26113cf79
              • Instruction Fuzzy Hash: 96316971210604AAEF109F68DC80AFB77A9FF48720F14861AF9A9D7190DA71EC91CB70
              Function 00D72D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D72E00
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D72E3B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: ecad8fda015caf802cdc0d06766377f514ec48ef192b707164e003877b38d2d3
              • Instruction ID: 963123e309c1ea7172fe9d94e6ebefdda6a6d825f296a75bc5366643e6f708ae
              • Opcode Fuzzy Hash: ecad8fda015caf802cdc0d06766377f514ec48ef192b707164e003877b38d2d3
              • Instruction Fuzzy Hash: 1A31D531600385ABEB248F58C945BBEBBB9EF05350F18802AF9C9D62A0F7709940CB71
              Function 00D96943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
              Download Yara Rule
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D969D0
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D969DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: 50d93e6c8c4de4b65b6b10bf48aa0eb8d4ff57ea84583fa0f122a4274c585928
              • Instruction ID: 6a4bb1deff38dda4bec20505c06cbdf8559347658108619d5bdeb53a394b5f74
              • Opcode Fuzzy Hash: 50d93e6c8c4de4b65b6b10bf48aa0eb8d4ff57ea84583fa0f122a4274c585928
              • Instruction Fuzzy Hash: 8511BF717002097FEF119F24DC90EEB376AEB893A4F150229F9589B290D671DC918BB0
              Function 00D96E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D11D73
                • Part of subcall function 00D11D35: GetStockObject.GDI32(00000011), ref: 00D11D87
                • Part of subcall function 00D11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D11D91
              • GetWindowRect.USER32(00000000,?), ref: 00D96EE0
              • GetSysColor.USER32(00000012), ref: 00D96EFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: 32ab7888dd84d0b99ad3bd34479b31754771eb0a08f1ad9eda33225450a73840
              • Instruction ID: 6b82b5d11297de0382381a76ac25518eaddffe39fd84787ae954cc9433e28928
              • Opcode Fuzzy Hash: 32ab7888dd84d0b99ad3bd34479b31754771eb0a08f1ad9eda33225450a73840
              • Instruction Fuzzy Hash: 8921267661020AAFDF04DFA8DD45AEA7BB8FB08314F054629F955D3250E634E8619B60
              Function 00D96B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
              Download Yara Rule
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 00D96C11
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D96C20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: 4070a3f7a7bd765e513efbe094f7a133b0618b5e65e5c459a4c4fa94fa086167
              • Instruction ID: 07a405e3d4c8ed5e295f66111d5052e723ac05722ac499507f794e2f472e710f
              • Opcode Fuzzy Hash: 4070a3f7a7bd765e513efbe094f7a133b0618b5e65e5c459a4c4fa94fa086167
              • Instruction Fuzzy Hash: 8D119A71100208ABEF108F64DC41AEB3B69EB04378F204724F9A0D31E0D635DC909B70
              Function 00D72E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON
              Download Yara Rule
              APIs
              • _memset.LIBCMT ref: 00D72F11
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00D72F30
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 521b3e8df78968a6fb01060a472b20c4449a2048f677aea4b9bb9e813cd52b57
              • Instruction ID: 16a176909011f5ffc5dcb2d3654c1082f4aa45ef774a9f798edae0d0fde36392
              • Opcode Fuzzy Hash: 521b3e8df78968a6fb01060a472b20c4449a2048f677aea4b9bb9e813cd52b57
              • Instruction Fuzzy Hash: CB116031901294ABDB25DB59DC44BB9B7B9EF05310F1980A6F898E72A0E7B0ED0487B1
              Function 00D824CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON
              Download Yara Rule
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D82520
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D82549
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 3139dd2901c76e87bd8b74a2fe1aeaf223c4adb6138d4b34acb8908842dcc71d
              • Instruction ID: 003e7684ac0a5a4d8b8026dbb2f7f202076a9379e0281cbfc64f96c6708e4471
              • Opcode Fuzzy Hash: 3139dd2901c76e87bd8b74a2fe1aeaf223c4adb6138d4b34acb8908842dcc71d
              • Instruction Fuzzy Hash: 061102B0140225BEDB24AF558C99EBBFF68FF16761F10816AF94582140D270A940DBF0
              Function 00D880A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D8830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00D880C8,?,00000000,?,?), ref: 00D88322
              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D880CB
              • htons.WSOCK32(00000000,?,00000000), ref: 00D88108
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ByteCharMultiWidehtonsinet_addr
              • String ID: 255.255.255.255
              • API String ID: 2496851823-2422070025
              • Opcode ID: 4f77926ed909672199e79e2c5e7de065594160b91bf0226e7aefd815cb274a03
              • Instruction ID: d6b13e60920073c6742778bcfb8d7d1558342c91a0146648d4ec687b44270269
              • Opcode Fuzzy Hash: 4f77926ed909672199e79e2c5e7de065594160b91bf0226e7aefd815cb274a03
              • Instruction Fuzzy Hash: 03118274500305ABDB20AFA4DC46FADB364EF44310F508516E91197291DE71A81597B5
              Function 00D692E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D6B0E7
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D69355
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 9d5fb03b80d328434d4c5e8c28e10ff2ef367d018c43cb6f34f387e05ec3145c
              • Instruction ID: 040885e0a7cf208e68a30bd0f51a665820800e1227e960c11cef48093dd90762
              • Opcode Fuzzy Hash: 9d5fb03b80d328434d4c5e8c28e10ff2ef367d018c43cb6f34f387e05ec3145c
              • Instruction Fuzzy Hash: 07019E71A45215BB8B04EBA4DCA1CFEB76DFF46320B140619B872973D2DF31694C8670
              Function 00D7901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              • Opcode ID: 3d7a3f4435924b7f4747a4be6950925545d8c0a90af5b4e35a78014d4ebc8f24
              • Instruction ID: 1c830e63c9c5c96b6c7823b10b6e9905797ad4250b4138d901309e4132d34e8e
              • Opcode Fuzzy Hash: 3d7a3f4435924b7f4747a4be6950925545d8c0a90af5b4e35a78014d4ebc8f24
              • Instruction Fuzzy Hash: C701F9728042186EDB28C6A8D816FEEBBF8DB01301F00419EF556D2181E575E608C770
              Function 00D691DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D6B0E7
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00D6924D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: d5ab72d1ce8fc029f27d7ce6a51c7c12a5342aaf70510aa705faf588359c33b0
              • Instruction ID: 9d7d86fb304b9f73d54b8c7bdefaea1931949ad169564a9773dc6bace5f8abd4
              • Opcode Fuzzy Hash: d5ab72d1ce8fc029f27d7ce6a51c7c12a5342aaf70510aa705faf588359c33b0
              • Instruction Fuzzy Hash: 80018471B41205BBCB04EBA0D9A6EFFB7ACDF49310F540019B912A72D2EF256E4C9671
              Function 00D69264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D17F41: _memmove.LIBCMT ref: 00D17F82
                • Part of subcall function 00D6B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D6B0E7
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00D692D0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 2da1b6c0c03ffb00816d31c9626c6c90bb49237d5857e1ee922df65096e3eb78
              • Instruction ID: d20a0a2952324fedd1e71e0d1273cca002d9a1b70fcc1a46a4285bced3baac1b
              • Opcode Fuzzy Hash: 2da1b6c0c03ffb00816d31c9626c6c90bb49237d5857e1ee922df65096e3eb78
              • Instruction Fuzzy Hash: 2301A771A41205BBCB04E7A0D9A2EFFB7ACDF15310F540116B812A32D2DF355E4C9675
              Function 00D751CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: 4914cbe1a4b29c4e41be99b8413ffdeab2b859b56edffbb0e1e75de3466a5dbb
              • Instruction ID: 4ab4d791d42ba59038e2315583f1a99c16fd7ab5ae4fe30f0ac5e0740a8969b8
              • Opcode Fuzzy Hash: 4914cbe1a4b29c4e41be99b8413ffdeab2b859b56edffbb0e1e75de3466a5dbb
              • Instruction Fuzzy Hash: 50E06872A0032D2BE3209B99AC0AFA7F7ECEB40771F00016BFD14D3140E5609A048BF1
              Function 00D681BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON
              Download Yara Rule
              APIs
              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D681CA
                • Part of subcall function 00D33598: _doexit.LIBCMT ref: 00D335A2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: Message_doexit
              • String ID: AutoIt$Error allocating memory.
              • API String ID: 1993061046-4017498283
              • Opcode ID: e6ca56bb85b235f7197f33b572e2c2c40fa28212acd4a92d200ac83007ceb02f
              • Instruction ID: abe20ee66a774c7e3113677bea43c4bf3cfdbfebcc6d189b4718a1224c0a09ce
              • Opcode Fuzzy Hash: e6ca56bb85b235f7197f33b572e2c2c40fa28212acd4a92d200ac83007ceb02f
              • Instruction Fuzzy Hash: B8D05B363C531936D21433A56D0BFC57588CB05B53F044026BB08955D38DD555D142FD
              Function 00D4B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON
              Download Yara Rule
              APIs
                • Part of subcall function 00D4B564: _memset.LIBCMT ref: 00D4B571
                • Part of subcall function 00D30B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D4B540,?,?,?,00D1100A), ref: 00D30B89
              • IsDebuggerPresent.KERNEL32(?,?,?,00D1100A), ref: 00D4B544
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D1100A), ref: 00D4B553
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D4B54E
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              • Opcode ID: a52aec89e1f532dfb2426d623df252a1818eb53b94482c2769ba7903215eb662
              • Instruction ID: 9580fced00281ecdbb1aead4ae0c63a8df28063993d8214202d16139ea86e008
              • Opcode Fuzzy Hash: a52aec89e1f532dfb2426d623df252a1818eb53b94482c2769ba7903215eb662
              • Instruction Fuzzy Hash: A2E06D702003108FD320DF69E404382BBE0AB14754F04892EF446C2760DBB4D444CBB1
              Function 00D95BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON
              Download Yara Rule
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D95BF5
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D95C08
                • Part of subcall function 00D754E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00D7555E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1376716059.0000000000D11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D10000, based on PE: true
              • Associated: 00000000.00000002.1376691665.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000D9F000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376826690.0000000000DC5000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376912442.0000000000DCF000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1376938848.0000000000DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_d10000_FGTFTj8GLM.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: cf170475d92e81fb39214e63e12b113a364880f29402a1cc9c91f9c1a2ca40ff
              • Instruction ID: 3418887d21e46a562c9b921c58e755d949cff38b5bf94ee48457362cc41aa2d8
              • Opcode Fuzzy Hash: cf170475d92e81fb39214e63e12b113a364880f29402a1cc9c91f9c1a2ca40ff
              • Instruction Fuzzy Hash: E0D0C931388311BBE764AB70AC0BF976A14AB00B55F05082AB649EA2D0D9E45841C670