
Windows Analysis Report
0Ie2kYdPTW.exe

Overview

General Information

Sample name: 0Ie2kYdPTW.exe
(renamed because the original name is a hash value)
Original sample name: 11ce734d359c1372c1d1dac9b9018bc39945e2daf246c78dca5a553cd948c885.exe
Analysis ID: 1587651
MD5: 3a2945f49ea2a7ba9751f199ae156a6f
SHA1: acefda3ad62327cee89bfa6b0315649c3d78d934
SHA256: 11ce734d359c1372c1d1dac9b9018bc39945e2daf246c78dca5a553cd948c885
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0Ie2kYdPTW.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\0Ie2kYdPTW.exe" MD5: 3A2945F49EA2A7BA9751F199AE156A6F)
    • svchost.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\0Ie2kYdPTW.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.1556174811.0000000000A00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1555925858.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

          System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\0Ie2kYdPTW.exe", CommandLine: "C:\Users\user\Desktop\0Ie2kYdPTW.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\0Ie2kYdPTW.exe", ParentImage: C:\Users\user\Desktop\0Ie2kYdPTW.exe, ParentProcessId: 7724, ParentProcessName: 0Ie2kYdPTW.exe, ProcessCommandLine: "C:\Users\user\Desktop\0Ie2kYdPTW.exe", ProcessId: 7784, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\0Ie2kYdPTW.exe", CommandLine: "C:\Users\user\Desktop\0Ie2kYdPTW.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\0Ie2kYdPTW.exe", ParentImage: C:\Users\user\Desktop\0Ie2kYdPTW.exe, ParentProcessId: 7724, ParentProcessName: 0Ie2kYdPTW.exe, ProcessCommandLine: "C:\Users\user\Desktop\0Ie2kYdPTW.exe", ProcessId: 7784, ProcessName: svchost.exe
          No Suricata rule has matched


          AV Detection

Source: 0Ie2kYdPTW.exe; ReversingLabs: Detection: 71%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1556174811.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1555925858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0Ie2kYdPTW.exe; Joe Sandbox ML: detected
Source: 0Ie2kYdPTW.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP; source: 0Ie2kYdPTW.exe, 00000000.00000003.1359289773.0000000003640000.00000004.00001000.00020000.00000000.sdmp, 0Ie2kYdPTW.exe, 00000000.00000003.1360158724.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1556432218.000000000352D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1556432218.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1519409181.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521246773.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: 0Ie2kYdPTW.exe, 00000000.00000003.1359289773.0000000003640000.00000004.00001000.00020000.00000000.sdmp, 0Ie2kYdPTW.exe, 00000000.00000003.1360158724.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1556432218.000000000352D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1556432218.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1519409181.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521246773.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_007837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_00783B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_007922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_00794164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_00793F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_007ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1556174811.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1555925858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_00723B3A "This is a third-party compiled AutoIt script."
Source: 0Ie2kYdPTW.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 0Ie2kYdPTW.exe, 00000000.00000000.1347404427.00000000007D4000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_e73f191f-2)
Source: 0Ie2kYdPTW.exe, 00000000.00000000.1347404427.00000000007D4000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_e52d3504-0)
Source: 0Ie2kYdPTW.exe; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_14d480f3-0)
Source: 0Ie2kYdPTW.exe; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_412a12d1-c)
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0042C583 NtClose
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472B20 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472DB0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473590 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03474320 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03474630 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472B40 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472B60 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472BC0 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472BA0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472BB0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472A70 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472A90 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472AB0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472F50 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472F60 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472F70 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472F20 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472FD0 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472FA0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472E40 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472E60 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472EF0 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472EA0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472D70 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472DF0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472D90 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472C60 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472C20 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472C30 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472CC0 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472CD0 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472CF0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472C80 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03472CB0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473050 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473980 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473D40 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03473CE0 NtOpenProcessToken
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_0078A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_00778310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe; Code function: 0_2_007851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034AE5B2 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0342B930 appears 272 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03487C84 appears 98 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034BEE30 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03475110 appears 37 times
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exeCode function: String function: 00748900 appears 42 times
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exeCode function: String function: 00727DE1 appears 36 times
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exeCode function: String function: 00740AE3 appears 70 times
          Source: 0Ie2kYdPTW.exe, 00000000.00000003.1357813166.00000000035C3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 0Ie2kYdPTW.exe
          Source: 0Ie2kYdPTW.exe, 00000000.00000003.1358586493.000000000376D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 0Ie2kYdPTW.exe
          Source: 0Ie2kYdPTW.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal80.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078A06A GetLastError,FormatMessageW,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007781CB AdjustTokenPrivileges,CloseHandle,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0079EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00724E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | File created: C:\Users\user\AppData\Local\Temp\aut1D83.tmp
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Command line argument: d (0_2_007247D0)
          Source: 0Ie2kYdPTW.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 0Ie2kYdPTW.exe | ReversingLabs: Detection: 71%
          Source: unknown | Process created: C:\Users\user\Desktop\0Ie2kYdPTW.exe "C:\Users\user\Desktop\0Ie2kYdPTW.exe"
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\0Ie2kYdPTW.exe"
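The process tree above (0Ie2kYdPTW.exe starting C:\Windows\SysWOW64\svchost.exe with the parent's own command line rather than the service host's) is the shape a hollowed or injected host process takes in endpoint telemetry: the image on disk and the executable named in the command line disagree, and svchost.exe runs without services.exe as parent and without a "-k <group>" argument. The following is an added example, not part of the Joe Sandbox report, that applies those two checks to process-creation records. The records are constructed to mirror the report's tree using Sysmon Event ID 1 field names; the PIDs and the explorer.exe parent of the first process are assumptions.

```python
"""Flag process creations whose image path disagrees with the command line,
and svchost.exe instances started outside the services.exe '-k <group>' pattern.

Added example; not part of the Joe Sandbox report. SAMPLE records are constructed
to mirror the report's process tree (PIDs and the explorer.exe parent are made up).
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    """Subset of Sysmon Event ID 1 fields needed for the two checks."""
    pid: int
    image: str           # full path of the created process image
    command_line: str    # command line as recorded by the kernel
    parent_image: str    # full path of the creating process image


def _cmdline_image(command_line: str) -> str:
    """First token of a Windows command line, with surrounding quotes removed."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]


def image_cmdline_mismatch(rec: ProcCreate) -> bool:
    """True when the executable named in the command line is not the image on disk."""
    image_name = ntpath.basename(rec.image).lower()
    cl_name = ntpath.basename(_cmdline_image(rec.command_line)).lower()
    return image_name != cl_name


def suspicious_svchost(rec: ProcCreate) -> bool:
    """svchost.exe is normally started by services.exe with a '-k <group>' argument."""
    if ntpath.basename(rec.image).lower() != "svchost.exe":
        return False
    parent_ok = ntpath.basename(rec.parent_image).lower() == "services.exe"
    has_group = " -k " in rec.command_line.lower()
    return not (parent_ok and has_group)


def triage(records):
    """Return (pid, image, reasons) for every record that trips at least one check."""
    findings = []
    for rec in records:
        reasons = []
        if image_cmdline_mismatch(rec):
            reasons.append("image/command-line mismatch")
        if suspicious_svchost(rec):
            reasons.append("svchost.exe outside service host pattern")
        if reasons:
            findings.append((rec.pid, rec.image, reasons))
    return findings


# Constructed records mirroring the report's process tree; the third record is a
# benign service host for contrast.
SAMPLE = [
    ProcCreate(1000, r"C:\Users\user\Desktop\0Ie2kYdPTW.exe",
               r'"C:\Users\user\Desktop\0Ie2kYdPTW.exe"', r"C:\Windows\explorer.exe"),
    ProcCreate(1002, r"C:\Windows\SysWOW64\svchost.exe",
               r'"C:\Users\user\Desktop\0Ie2kYdPTW.exe"', r"C:\Users\user\Desktop\0Ie2kYdPTW.exe"),
    ProcCreate(1004, r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\svchost.exe -k netsvcs -p", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, image, reasons in triage(SAMPLE):
        print(pid, image, "; ".join(reasons))
```

Only the SysWOW64 svchost.exe record is reported, on both grounds. The mismatch check on its own is noisy on hosts that use launcher stubs or relative command lines, so in production it is best paired with the parent/argument check as above, or with the image-load and memory-write events the sandbox reports for the same pair of processes.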
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: ntmarta.dll
          Source: 0Ie2kYdPTW.exe | Static file information: File size 1199104 > 1048576
          Source: 0Ie2kYdPTW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: 0Ie2kYdPTW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: 0Ie2kYdPTW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: 0Ie2kYdPTW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: 0Ie2kYdPTW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: 0Ie2kYdPTW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: 0Ie2kYdPTW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: 0Ie2kYdPTW.exe, 00000000.00000003.1359289773.0000000003640000.00000004.00001000.00020000.00000000.sdmp, 0Ie2kYdPTW.exe, 00000000.00000003.1360158724.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1556432218.000000000352D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1556432218.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1519409181.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521246773.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 0Ie2kYdPTW.exe, 00000000.00000003.1359289773.0000000003640000.00000004.00001000.00020000.00000000.sdmp, 0Ie2kYdPTW.exe, 00000000.00000003.1360158724.00000000034F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1556432218.000000000352D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1556432218.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1519409181.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521246773.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: 0Ie2kYdPTW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: 0Ie2kYdPTW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: 0Ie2kYdPTW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: 0Ie2kYdPTW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: 0Ie2kYdPTW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00724B37 LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0072C4C7 push A30072BAh; retn 0072h (at 0_2_0072C50D)
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00748945 push ecx; ret (at 0_2_00748958)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A027 push eax; retf (at 2_2_0041A028)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041F084 push ss; retf (at 2_2_0041F085)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418A33 push ecx; ret (at 2_2_00418A59)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AB95 push es; retf (at 2_2_0040AB99)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040BCE8 push ecx; ret (at 2_2_0040BCEF)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403480 push eax; ret (at 2_2_00403482)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E5F4 push FFFFFF8Ah; iretd (at 2_2_0040E5FF)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00423691 push eax; retf (at 2_2_00423692)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00424F63 push edi; retf (at 2_2_00424F6E)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343092D push ecx; mov dword ptr [esp], ecx (at 2_2_03430936)
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exeCode function: 0_2_00743187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00743187
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Process information set: NOOPENFILEERRORBOX (x2)

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | API/Special instruction interceptor: Address: 6F3244
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347092E rdtsc
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-101663)
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | API coverage: 3.9 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7788 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078445A GetFileAttributesW,FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078C6D1 FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00783B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0078BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | API call chain: ExitProcess graph end node (graph_0-100893)
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347092E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004176A3 LdrLoadDll,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00793F09 BlockInput,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00723B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00755A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00724B37 LoadLibraryA,GetProcAddress,
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A340 mov eax, dword ptr fs:[00000030h] (x6)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438340 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342E348 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440359 mov eax, dword ptr fs:[00000030h] (x8)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344E360 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428367 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0363 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034683C2 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034523CA mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342E3E0 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C3E7 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345A3E0 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A3F0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE381 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034663BF mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC3B0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A243 mov eax, dword ptr fs:[00000030h] (x5)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E244 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440251 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346425B mov ecx, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F820E mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342820B mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342A220 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440220 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A2CB mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C2D0 mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AC2D0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE2FD mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034542FF mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B42F5 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450280 mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE292 mov eax, dword ptr fs:[00000030h] (x4)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0291 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03470145 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0147 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342A167 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C116 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034361D9 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034341E0 mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034641FF mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE1A9 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034601B8 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BA050 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438069 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343200A mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC000 mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034360D4 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034600E4 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C60A0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035040A0 mov eax, dword ptr fs:[00000030h] (x7)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342A0B3 mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C0B0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034720B0 mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343C740 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345275D mov eax, dword ptr fs:[00000030h] (x3)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE760 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343477B mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346670D mov esi, dword ptr fs:[00000030h] (x1); mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472710 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343072F mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456730 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034CC7C0 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034347D9 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A7F0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC790 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034527A5 mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B47AF mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034427B0 mov ecx, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C666 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03466670 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434610 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AC612 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A620 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504620 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03462634 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C6C0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F86C8 mov eax, dword ptr fs:[00000030h] (x2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034306D0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034606D0 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D86D2 mov eax, dword ptr fs:[00000030h] (x1)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h] (x8)
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034406E0 mov eax, dword ptr fs:[00000030h]2_2_034406E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6E0 mov eax, dword ptr fs:[00000030h]2_2_0346C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6E0 mov eax, dword ptr fs:[00000030h]2_2_0346C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C66E0 mov eax, dword ptr fs:[00000030h]2_2_034C66E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C66E0 mov eax, dword ptr fs:[00000030h]2_2_034C66E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA6E0 mov eax, dword ptr fs:[00000030h]2_2_034FA6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034386F0 mov eax, dword ptr fs:[00000030h]2_2_034386F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034626FC mov eax, dword ptr fs:[00000030h]2_2_034626FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034626FC mov ecx, dword ptr fs:[00000030h]2_2_034626FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034626FC mov eax, dword ptr fs:[00000030h]2_2_034626FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A687 mov ebx, dword ptr fs:[00000030h]2_2_0346A687
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A687 mov eax, dword ptr fs:[00000030h]2_2_0346A687
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430690 mov eax, dword ptr fs:[00000030h]2_2_03430690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6BD mov eax, dword ptr fs:[00000030h]2_2_034AE6BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464548 mov eax, dword ptr fs:[00000030h]2_2_03464548
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436550 mov eax, dword ptr fs:[00000030h]2_2_03436550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8553 mov esi, dword ptr fs:[00000030h]2_2_034B8553
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8553 mov eax, dword ptr fs:[00000030h]2_2_034B8553
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8553 mov eax, dword ptr fs:[00000030h]2_2_034B8553
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E55C mov eax, dword ptr fs:[00000030h]2_2_0346E55C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432560 mov eax, dword ptr fs:[00000030h]2_2_03432560
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6560 mov eax, dword ptr fs:[00000030h]2_2_034C6560
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA573 mov eax, dword ptr fs:[00000030h]2_2_034FA573
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344257B mov eax, dword ptr fs:[00000030h]2_2_0344257B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432502 mov eax, dword ptr fs:[00000030h]2_2_03432502
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432502 mov ecx, dword ptr fs:[00000030h]2_2_03432502
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC51C mov eax, dword ptr fs:[00000030h]2_2_034BC51C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03454521 mov eax, dword ptr fs:[00000030h]2_2_03454521
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03454521 mov eax, dword ptr fs:[00000030h]2_2_03454521
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346652A mov eax, dword ptr fs:[00000030h]2_2_0346652A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346652A mov eax, dword ptr fs:[00000030h]2_2_0346652A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346652A mov eax, dword ptr fs:[00000030h]2_2_0346652A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034725D9 mov eax, dword ptr fs:[00000030h]2_2_034725D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034665E0 mov eax, dword ptr fs:[00000030h]2_2_034665E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034685E0 mov eax, dword ptr fs:[00000030h]2_2_034685E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E58F mov eax, dword ptr fs:[00000030h]2_2_0346E58F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E58F mov eax, dword ptr fs:[00000030h]2_2_0346E58F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE580 mov eax, dword ptr fs:[00000030h]2_2_034BE580
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E597 mov eax, dword ptr fs:[00000030h]2_2_0344E597
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A590 mov eax, dword ptr fs:[00000030h]2_2_0346A590
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A590 mov eax, dword ptr fs:[00000030h]2_2_0346A590
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E5A7 mov eax, dword ptr fs:[00000030h]2_2_0345E5A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5AD mov eax, dword ptr fs:[00000030h]2_2_0346C5AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C5AD mov eax, dword ptr fs:[00000030h]2_2_0346C5AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034325AC mov eax, dword ptr fs:[00000030h]2_2_034325AC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C5B0 mov eax, dword ptr fs:[00000030h]2_2_0344C5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC5B1 mov eax, dword ptr fs:[00000030h]2_2_034BC5B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464470 mov ecx, dword ptr fs:[00000030h]2_2_03464470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E403 mov eax, dword ptr fs:[00000030h]2_2_0346E403
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE412 mov eax, dword ptr fs:[00000030h]2_2_034BE412
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE412 mov eax, dword ptr fs:[00000030h]2_2_034BE412
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6410 mov eax, dword ptr fs:[00000030h]2_2_034C6410
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6410 mov eax, dword ptr fs:[00000030h]2_2_034C6410
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343642B mov eax, dword ptr fs:[00000030h]2_2_0343642B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342642D mov eax, dword ptr fs:[00000030h]2_2_0342642D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC43D mov eax, dword ptr fs:[00000030h]2_2_034BC43D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B84CA mov eax, dword ptr fs:[00000030h]2_2_034B84CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C84CB mov eax, dword ptr fs:[00000030h]2_2_034C84CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034384D0 mov eax, dword ptr fs:[00000030h]2_2_034384D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034384D0 mov eax, dword ptr fs:[00000030h]2_2_034384D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B04E6 mov eax, dword ptr fs:[00000030h]2_2_034B04E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345E4FE mov eax, dword ptr fs:[00000030h]2_2_0345E4FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA484 mov eax, dword ptr fs:[00000030h]2_2_034FA484
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034404A5 mov eax, dword ptr fs:[00000030h]2_2_034404A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE4A8 mov eax, dword ptr fs:[00000030h]2_2_034AE4A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE4A8 mov eax, dword ptr fs:[00000030h]2_2_034AE4A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034304A5 mov ecx, dword ptr fs:[00000030h]2_2_034304A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BC4B2 mov eax, dword ptr fs:[00000030h]2_2_034BC4B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430B4D mov eax, dword ptr fs:[00000030h]2_2_03430B4D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430B4D mov eax, dword ptr fs:[00000030h]2_2_03430B4D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430B4D mov eax, dword ptr fs:[00000030h]2_2_03430B4D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438B70 mov eax, dword ptr fs:[00000030h]2_2_03438B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438B70 mov eax, dword ptr fs:[00000030h]2_2_03438B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438B70 mov eax, dword ptr fs:[00000030h]2_2_03438B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B70 mov eax, dword ptr fs:[00000030h]2_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B70 mov eax, dword ptr fs:[00000030h]2_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B70 mov eax, dword ptr fs:[00000030h]2_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B70 mov eax, dword ptr fs:[00000030h]2_2_03440B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504B08 mov eax, dword ptr fs:[00000030h]2_2_03504B08
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B2E mov eax, dword ptr fs:[00000030h]2_2_03440B2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440B2E mov eax, dword ptr fs:[00000030h]2_2_03440B2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342CB3E mov eax, dword ptr fs:[00000030h]2_2_0342CB3E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450B3B mov eax, dword ptr fs:[00000030h]2_2_03450B3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450B3B mov eax, dword ptr fs:[00000030h]2_2_03450B3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450B3B mov eax, dword ptr fs:[00000030h]2_2_03450B3B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CBC0 mov eax, dword ptr fs:[00000030h]2_2_0346CBC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8BDE mov eax, dword ptr fs:[00000030h]2_2_034F8BDE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8BDE mov eax, dword ptr fs:[00000030h]2_2_034F8BDE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8BDE mov eax, dword ptr fs:[00000030h]2_2_034F8BDE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F8BDE mov eax, dword ptr fs:[00000030h]2_2_034F8BDE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ABD0 mov eax, dword ptr fs:[00000030h]2_2_0343ABD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436BD0 mov eax, dword ptr fs:[00000030h]2_2_03436BD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436BD0 mov eax, dword ptr fs:[00000030h]2_2_03436BD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436BD0 mov eax, dword ptr fs:[00000030h]2_2_03436BD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342EBE0 mov eax, dword ptr fs:[00000030h]2_2_0342EBE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D6BEE mov ebx, dword ptr fs:[00000030h]2_2_034D6BEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D6BEE mov eax, dword ptr fs:[00000030h]2_2_034D6BEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504B87 mov eax, dword ptr fs:[00000030h]2_2_03504B87
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E6B97 mov eax, dword ptr fs:[00000030h]2_2_034E6B97
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EBBC mov eax, dword ptr fs:[00000030h]2_2_0345EBBC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BCA40 mov eax, dword ptr fs:[00000030h]2_2_034BCA40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BCA40 mov eax, dword ptr fs:[00000030h]2_2_034BCA40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BCA40 mov eax, dword ptr fs:[00000030h]2_2_034BCA40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430A50 mov eax, dword ptr fs:[00000030h]2_2_03430A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468A50 mov edx, dword ptr fs:[00000030h]2_2_03468A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034CAA50 mov eax, dword ptr fs:[00000030h]2_2_034CAA50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034CAA50 mov eax, dword ptr fs:[00000030h]2_2_034CAA50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA00 mov eax, dword ptr fs:[00000030h]2_2_0343EA00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0A1F mov eax, dword ptr fs:[00000030h]2_2_034B0A1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0A1F mov eax, dword ptr fs:[00000030h]2_2_034B0A1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0A1F mov eax, dword ptr fs:[00000030h]2_2_034B0A1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438A20 mov eax, dword ptr fs:[00000030h]2_2_03438A20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438A20 mov eax, dword ptr fs:[00000030h]2_2_03438A20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA2F mov eax, dword ptr fs:[00000030h]2_2_0346CA2F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA2F mov eax, dword ptr fs:[00000030h]2_2_0346CA2F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346CA2F mov eax, dword ptr fs:[00000030h]2_2_0346CA2F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EAE0 mov eax, dword ptr fs:[00000030h]2_2_0345EAE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345EAE0 mov eax, dword ptr fs:[00000030h]2_2_0345EAE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE0 mov eax, dword ptr fs:[00000030h]2_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE0 mov eax, dword ptr fs:[00000030h]2_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE0 mov eax, dword ptr fs:[00000030h]2_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4AE0 mov eax, dword ptr fs:[00000030h]2_2_034B4AE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D0AF0 mov eax, dword ptr fs:[00000030h]2_2_034D0AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464A90 mov eax, dword ptr fs:[00000030h]2_2_03464A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03464A90 mov eax, dword ptr fs:[00000030h]2_2_03464A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346AAAE mov eax, dword ptr fs:[00000030h]2_2_0346AAAE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346AAAE mov eax, dword ptr fs:[00000030h]2_2_0346AAAE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E6AA0 mov eax, dword ptr fs:[00000030h]2_2_034E6AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F894E mov eax, dword ptr fs:[00000030h]2_2_034F894E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F894E mov eax, dword ptr fs:[00000030h]2_2_034F894E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A950 mov eax, dword ptr fs:[00000030h]2_2_0343A950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350494D mov eax, dword ptr fs:[00000030h]2_2_0350494D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4977 mov eax, dword ptr fs:[00000030h]2_2_034B4977
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4977 mov eax, dword ptr fs:[00000030h]2_2_034B4977
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C890B mov eax, dword ptr fs:[00000030h]2_2_034C890B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03442910 mov eax, dword ptr fs:[00000030h]2_2_03442910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347092E mov eax, dword ptr fs:[00000030h]2_2_0347092E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347092E mov edx, dword ptr fs:[00000030h]2_2_0347092E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347092E mov eax, dword ptr fs:[00000030h]2_2_0347092E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343092D mov eax, dword ptr fs:[00000030h]2_2_0343092D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343092D mov eax, dword ptr fs:[00000030h]2_2_0343092D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]2_2_034C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]2_2_034C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C69C0 mov ecx, dword ptr fs:[00000030h]2_2_034C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034409CB mov eax, dword ptr fs:[00000030h]2_2_034409CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034409CB mov eax, dword ptr fs:[00000030h]2_2_034409CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034869DA mov eax, dword ptr fs:[00000030h]2_2_034869DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034869DA mov eax, dword ptr fs:[00000030h]2_2_034869DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034869DA mov eax, dword ptr fs:[00000030h]2_2_034869DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034369D0 mov eax, dword ptr fs:[00000030h]2_2_034369D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C9E4 mov eax, dword ptr fs:[00000030h]2_2_0346C9E4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E9EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C9F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035029EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035029EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D0990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D0990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034549A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034549A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034869B2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629B9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629B9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AC840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AC840 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AC840 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AC840 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E0845 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430807 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460814 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B88C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034568D2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034568D2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034568D2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034288E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034288E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E880 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E88B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E88B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C8B9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C8B9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432F48 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432F48 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432F48 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432F48 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344CF50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0344CF50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D0F59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D0F59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D0F59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03462F58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03462F58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EAF70 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EEF07 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342CF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504F3D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345AFC2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440FE0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EEFF3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EEF86 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504F9C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342EF98 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342EF98 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342EF98 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03470FB6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03470FB6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03470FB6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03470FB6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6FB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8E46 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8E46 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8E46 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8E46 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6E40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6E40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B8E5C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B8E5C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B8E5C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B8E5C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03462E5C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03462E5C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342AE60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342AE60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342AE60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436E60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436E60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436E60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436E60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0074A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0074A124 SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 9A4008
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007787B1 LogonUserW
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00723B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00784C7F mouse_event
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\0Ie2kYdPTW.exe"
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00777CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0077874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: 0Ie2kYdPTW.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: 0Ie2kYdPTW.exe | Binary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_0074862B cpuid
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00754E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00761E06 GetUserNameW
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00753F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_007249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.1556174811.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1555925858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: 0Ie2kYdPTW.exe | Binary or memory string: WIN_81
          Source: 0Ie2kYdPTW.exe | Binary or memory string: WIN_XP
          Source: 0Ie2kYdPTW.exe | Binary or memory string: WIN_XPe
          Source: 0Ie2kYdPTW.exe | Binary or memory string: WIN_VISTA
          Source: 0Ie2kYdPTW.exe | Binary or memory string: WIN_7
          Source: 0Ie2kYdPTW.exe | Binary or memory string: WIN_8
          Source: 0Ie2kYdPTW.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.1556174811.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1555925858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00796283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\0Ie2kYdPTW.exe | Code function: 0_2_00796747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix (techniques listed per tactic, in matrix order; numbers are reproduced as they appear in the report's matrix cells)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
          Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: 2 Native API; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
          Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
          Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
          Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling
          Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 115 System Information Discovery; 15 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
          Collection: 1 Archive Collected Data; 21 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Source | Detection | Scanner | Label
          0Ie2kYdPTW.exe | 71% | ReversingLabs | Win32.Trojan.AZORult
          0Ie2kYdPTW.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | high
            No contacted IP infos
            Joe Sandbox version: 42.0.0 Malachite
            Analysis ID: 1587651
            Start date and time: 2025-01-10 16:18:14 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 5m 40s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed: 6
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: 0Ie2kYdPTW.exe
            renamed because original name is a hash value
            Original Sample Name: 11ce734d359c1372c1d1dac9b9018bc39945e2daf246c78dca5a553cd948c885.exe
            Detection: MAL
            Classification: mal80.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 47
            • Number of non-executed functions: 280
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.253.45, 52.149.20.212
            • Excluded domains from analysis (whitelisted): www.bing.com, azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing disassembly code
            • VT rate limit hit for: 0Ie2kYdPTW.exe
            Time | Type | Description
            10:19:25 | API Interceptor | 3x Sleep call for process: svchost.exe modified
            No context
            Match: s-part-0017.t-0009.fb-t-msedge.net
            Associated Sample Name / URL | Detection | Threat Name | Context
            97q26I8OtN.exe | malicious | FormBook | 13.107.253.45
            nkCBRtd25H.exe | malicious | Unknown | 13.107.253.45
            https://www.filemail.com/d/rxythqchkhluipl?skipreg=true | malicious | Unknown | 13.107.253.45
            https://eu.jotform.com/app/250092704521347 | malicious | Unknown | 13.107.253.45
            http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch | malicious | Unknown | 13.107.253.45
            fghj.exe | malicious | LummaC | 13.107.253.45
            https://p3rsa.appdocumentcenter.com/BpdLO | malicious | HTMLPhisher | 13.107.253.45
            dekont garanti bbva_Başka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | 13.107.253.45
            Nuevo-orden.xla.xlsx | malicious | Unknown | 13.107.253.45
            Notification of a Compromised Email Account.msg | malicious | Unknown | 13.107.253.45
            No context
            No context
            No context
            Process: C:\Users\user\Desktop\0Ie2kYdPTW.exe
            File Type: data
            Category: dropped
            Size (bytes): 288256
            Entropy (8bit): 7.995159894329931
            Encrypted: true
            SSDEEP: 6144:sJ//////O//////////////////////////////////////////////////////e:sJ//////O//////////////////////e
            MD5: 2BEFAC8FAEC7E077ED48AA00FC5F531F
            SHA1: 73640503A1861033974AE1E9056472CCAA3DFE4B
            SHA-256: 73C3BC9860BB6634F9F3C3962FAC42CC8F34D43E23619168517CA8FF3312CB67
            SHA-512: C0A4FD64BD451946C328962FC24309ACD2676AFBF3DA5C765CEA2102623189516A3543F414DFD6A6897C2EEA4CDCBD2514984F678EC27F42D0C8F515C71FCC6B
            Malicious: false
            Reputation: low
            Preview:.c.IWKD92M3Q..LS.ZV3K98I.KD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3.98IZT.76.:.b.M..{.["J.9&$#KW .2"7"<$z4VkKM't"*.r.`q.6(6~W[9o98ITKD9OL:.~9+.m:1.vY_.N....-T.Y..l:1.Q...h+#.d$P9~9+.PZV3K98I..D9zL2Qz.e.PZV3K98I.KF8=L8QC.HSPZV3K98ID^D96]3QC)HSPZ.3K)8ITID90M3QCYLSVZV3K98IT;@96O3QCYLSRZ..K9(IT[D96M#QCILSPZV3[98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3Qm-)+$ZV3.k<IT[D96.7QCILSPZV3K98ITKD9.M31CYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3
            Process: C:\Users\user\Desktop\0Ie2kYdPTW.exe
            File Type: data
            Category: dropped
            Size (bytes): 288256
            Entropy (8bit): 7.995159894329931
            Encrypted: true
            SSDEEP: 6144:sJ//////O//////////////////////////////////////////////////////e:sJ//////O//////////////////////e
            MD5: 2BEFAC8FAEC7E077ED48AA00FC5F531F
            SHA1: 73640503A1861033974AE1E9056472CCAA3DFE4B
            SHA-256: 73C3BC9860BB6634F9F3C3962FAC42CC8F34D43E23619168517CA8FF3312CB67
            SHA-512: C0A4FD64BD451946C328962FC24309ACD2676AFBF3DA5C765CEA2102623189516A3543F414DFD6A6897C2EEA4CDCBD2514984F678EC27F42D0C8F515C71FCC6B
            Malicious: false
            Reputation: low
            Preview:.c.IWKD92M3Q..LS.ZV3K98I.KD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3.98IZT.76.:.b.M..{.["J.9&$#KW .2"7"<$z4VkKM't"*.r.`q.6(6~W[9o98ITKD9OL:.~9+.m:1.vY_.N....-T.Y..l:1.Q...h+#.d$P9~9+.PZV3K98I..D9zL2Qz.e.PZV3K98I.KF8=L8QC.HSPZV3K98ID^D96]3QC)HSPZ.3K)8ITID90M3QCYLSVZV3K98IT;@96O3QCYLSRZ..K9(IT[D96M#QCILSPZV3[98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3Qm-)+$ZV3.k<IT[D96.7QCILSPZV3K98ITKD9.M31CYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3K98ITKD96M3QCYLSPZV3
            File type: PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit): 7.180938401923745
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name: 0Ie2kYdPTW.exe
            File size: 1'199'104 bytes
            MD5: 3a2945f49ea2a7ba9751f199ae156a6f
            SHA1: acefda3ad62327cee89bfa6b0315649c3d78d934
            SHA256: 11ce734d359c1372c1d1dac9b9018bc39945e2daf246c78dca5a553cd948c885
            SHA512: c09b93f3a7dfc3bb059e4e54f8f20335269ca4154cd5af7643cbd09532307e817cad580be6293efa867b284c62290c384a8f6223eb6210fb6cb8006bd663cad5
            SSDEEP: 24576:mu6J33O0c+JY5UZ+XC0kGso6Fa2S7srE5VZhewMROwHWY:ou0c++OCvkGs9Fa28srEnZkIY
            TLSH: BA45CF22B3DEC361CB669173BF29B7056EBF7C214630B85B1F880D7DA950162162D7A3
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
            Icon Hash: aaf3e3e3938382a0
            Entrypoint: 0x427dcd
            Entrypoint Section: .text
            Digitally signed: false
            Imagebase: 0x400000
            Subsystem: windows gui
            Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp: 0x676DEA42 [Thu Dec 26 23:44:02 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major: 5
            OS Version Minor: 1
            File Version Major: 5
            File Version Minor: 1
            Subsystem Version Major: 5
            Subsystem Version Minor: 1
            Import Hash: afcdf79be1557326c854b6e20cb900a7
            Instruction
            call 00007FF4693446FAh
            jmp 00007FF4693374C4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007FF46933764Ah
            cmp edi, eax
            jc 00007FF4693379AEh
            bt dword ptr [004C31FCh], 01h
            jnc 00007FF469337649h
            rep movsb
            jmp 00007FF46933795Ch
            cmp ecx, 00000080h
            jc 00007FF469337814h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007FF469337650h
            bt dword ptr [004BE324h], 01h
            jc 00007FF469337B20h
            bt dword ptr [004C31FCh], 00000000h
            jnc 00007FF4693377EDh
            test edi, 00000003h
            jne 00007FF4693377FEh
            test esi, 00000003h
            jne 00007FF4693377DDh
            bt edi, 02h
            jnc 00007FF46933764Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007FF469337653h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007FF4693376A5h
            bt esi, 03h
            jnc 00007FF4693376F8h
            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD4 build 31101
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD4 build 31101
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5c374 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x711c | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0xc7000 | 0x5c374 | 0x5c400 | 7cf7f48de2b83da094d0d1572820fcce | False | 0.9289570630081301 | data | 7.896417575729427 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x124000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
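The header fields listed above (entry point, image base, link timestamp, file and DLL characteristics, the empty security directory behind "Digitally signed: false") and the per-section Entropy column are all read straight out of the PE headers, and it is worth being able to recover them without a sandbox. What follows is an added example, not code from the Joe Sandbox report, that parses a PE32 image with the Python standard library and computes Shannon entropy per section. Its input is a constructed minimal PE32 image that reuses header values shown above (timestamp 0x676DEA42, image base 0x400000, entry point 0x427dcd, the .text/.data/.rsrc RVAs); the section bodies are synthetic, so the entropies it reports (7.0, 0.0, 8.0) describe that stand-in and not the analysed sample.

```python
"""Added example, not code from the Joe Sandbox report: parse the PE32 headers
behind the fields listed above and compute per-section Shannon entropy.
Standard library only. The sample image is constructed inline and is not the
analysed binary; it only reuses header values shown in the report."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
                 0x02000000: "MEM_DISCARDABLE", 0x20000000: "MEM_EXECUTE",
                 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}


def decode_flags(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniform data; packed or encrypted blobs sit close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    probs = (c / n for c in Counter(data).values())
    return sum(-p * math.log2(p) for p in probs)


def parse_pe(image):
    """Return the header fields a triage report lists, for a PE32 (32-bit) image."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    # Data directory 4 is the Authenticode entry (IMAGE_DIRECTORY_ENTRY_SECURITY); size 0 means unsigned.
    _, security_size = struct.unpack_from("<II", image, opt + 96 + 4 * 8)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        flags = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "flags": decode_flags(flags, SECTION_FLAGS),
                         "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size])})
    ep_section = next((s["name"] for s in sections if s["va"] <= entry < s["va"] + s["vsize"]), None)
    return {"timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
            "file_characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
            "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
            "image_base": image_base, "entrypoint_va": image_base + entry,
            "entrypoint_section": ep_section, "signed": security_size != 0,
            "sections": sections}


def build_sample_pe():
    """Constructed PE32 image (not the analysed sample) reusing header values from the report:
    timestamp 0x676DEA42, image base 0x400000, entry point RVA 0x27dcd, the .text/.data/.rsrc RVAs.
    Section bodies are synthetic: .text holds 128 distinct byte values (entropy 7.0), .data is
    zeros (0.0) and .rsrc holds every byte value equally often (8.0), standing in for a packed blob."""
    secs = [(b".text", 0x1000, 0x8dcc4, bytes(range(128)) * 8, 0x60000020),
            (b".data", 0xbe000, 0x8f74, bytes(1024), 0xC0000040),
            (b".rsrc", 0xc7000, 0x5c374, bytes(range(256)) * 4, 0x40000040)]
    e_lfanew = 0x40
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0x676DEA42, 0, 0, 224, 0x0122)
    hdr += struct.pack("<HBBIIIIIII", 0x10B, 12, 0, 0x8de00, 0x97400, 0, 0x27dcd, 0x1000, 0x8f000, 0x400000)
    hdr += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 5, 1, 5, 1, 5, 1, 0, 0x12c000, 0x200, 0, 2, 0x8040)
    hdr += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    hdr += bytes(16 * 8)  # all data directories empty, so no Authenticode signature
    raw_ptr, table, body = 0x200, b"", b""
    for name, va, vsize, data, flags in secs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), raw_ptr, 0, 0, 0, 0, flags)
        body += data
        raw_ptr += len(data)
    return (hdr + table).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key in ("timestamp_utc", "entrypoint_va", "entrypoint_section", "dll_characteristics", "signed"):
        print(key, info[key])
    for s in info["sections"]:
        print("%-6s rva=0x%x entropy=%.3f %s" % (s["name"], s["va"], s["entropy"], ",".join(s["flags"])))
```

On a real file, read its bytes and pass them to parse_pe. The combination the report shows, a .rsrc section at entropy 7.896 (above) holding a 0x5363b-byte RT_RCDATA resource that zlib cannot shrink (ZLIB complexity 1.0003 in the resource table below), is what an embedded packed or encrypted payload looks like in these numbers, and an empty IMAGE_DIRECTORY_ENTRY_SECURITY is the header fact behind "Digitally signed: false".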
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
            RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
            RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
            RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
            RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
            RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
            RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
            RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
            RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
            RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
            RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
            RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
            RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
            RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
            RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
            RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
            RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
            RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
            RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
            RT_RCDATA | 0xcf7b8 | 0x5363b | data | | | 1.0003249766514524
            RT_GROUP_ICON | 0x122df4 | 0x76 | data | English | Great Britain | 0.6610169491525424
            RT_GROUP_ICON | 0x122e6c | 0x14 | data | English | Great Britain | 1.25
            RT_GROUP_ICON | 0x122e80 | 0x14 | data | English | Great Britain | 1.15
            RT_GROUP_ICON | 0x122e94 | 0x14 | data | English | Great Britain | 1.25
            RT_VERSION | 0x122ea8 | 0xdc | data | English | Great Britain | 0.6181818181818182
            RT_MANIFEST | 0x122f84 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
            DLL | Imports
            WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLL | GetProcessMemoryInfo
            IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dll | IsThemeActive
            KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
            Language of compilation system | Country where language is spoken
            English | Great Britain
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jan 10, 2025 16:19:03.879201889 CET | 1.1.1.1 | 192.168.2.3 | 0x6d78 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
            Jan 10, 2025 16:19:03.879201889 CET | 1.1.1.1 | 192.168.2.3 | 0x6d78 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
            Jan 10, 2025 16:19:03.879201889 CET | 1.1.1.1 | 192.168.2.3 | 0x6d78 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false


            Target ID:0
            Start time:10:19:07
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\0Ie2kYdPTW.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\0Ie2kYdPTW.exe"
            Imagebase:0x720000
            File size:1'199'104 bytes
            MD5 hash:3A2945F49EA2A7BA9751F199AE156A6F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:10:19:08
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\0Ie2kYdPTW.exe"
            Imagebase:0xa70000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1556174811.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1555925858.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true
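Target 2 is C:\Windows\SysWOW64\svchost.exe, yet its command line is the submitted sample's, and the FormBook YARA hits in it are in a region at 0x400000 while that process's own image base is 0xa70000: the on-disk image is a Windows binary but the code running is the sample's, which is what process hollowing looks like in a process list. A cheap detection for it is the disagreement between image path and command line. The following is an added example, not tooling from the Joe Sandbox report, that runs such a check over process records constructed from the two entries above; the record layout and the two heuristics are this example's own assumptions.

```python
"""Added example, not part of the Joe Sandbox report: a heuristic check over
sandbox process records for the mismatch the report shows between a process's
on-disk image and the command line it was started with. The records below are
constructed from the two process entries above; the field names are this
example's own convention, not Joe Sandbox output."""
import ntpath

# Constructed from the report's process list (assumed record layout).
PROCESSES = [
    {"target_id": 0,
     "path": r"C:\Users\user\Desktop\0Ie2kYdPTW.exe",
     "cmdline": r'"C:\Users\user\Desktop\0Ie2kYdPTW.exe"'},
    {"target_id": 2,
     "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\0Ie2kYdPTW.exe"'},
]

# Directories whose binaries are never legitimately started with a Desktop command line.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def cmdline_image(cmdline):
    """Return the program token of a Windows command line, honouring a quoted first argument."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def hollowing_indicators(proc):
    """List the reasons a process record looks like image replacement (empty if none)."""
    image = ntpath.basename(proc["path"]).lower()
    claimed_path = cmdline_image(proc["cmdline"])
    claimed = ntpath.basename(claimed_path).lower()
    findings = []
    # 1. The executable named on the command line is not the one that was mapped.
    if image != claimed:
        findings.append("image %s but command line names %s" % (image, claimed))
    # 2. A binary under the Windows system directories was launched with a
    #    command line that points somewhere else (here: the user's Desktop).
    if proc["path"].lower().startswith(SYSTEM_DIRS) and \
            not claimed_path.lower().startswith(SYSTEM_DIRS):
        findings.append("system binary started with a non-system command line")
    return findings


def triage(processes):
    """Map target id to its indicator list; only processes with findings need a look."""
    return {p["target_id"]: hollowing_indicators(p) for p in processes}


if __name__ == "__main__":
    for tid, reasons in triage(PROCESSES).items():
        print(tid, reasons or "clean")
```

Run against the two records, target 0 comes back clean and target 2 trips both heuristics. The same comparison works on live telemetry (Sysmon event 1 carries both Image and CommandLine), with the usual caveat that a hollowed process can also be given a matching command line, so this catches the lazy variant the report shows rather than every one.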


              Execution Graph

              Execution Coverage:3.4%
              Dynamic/Decrypted Code Coverage:0.4%
              Signature Coverage:8.6%
              Total number of Nodes:2000
              Total number of Limit Nodes:168
              execution_graph: node and edge list of the interactive call graph (rendered as a figure on the original page; the raw dump is truncated and not reproduced here). Nodes visible in the dump cover a tray-icon window message loop (DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, PostQuitMessage, DestroyWindow, DestroyIcon), CRT start-up (GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetModuleFileNameW, GetEnvironmentStringsW, FreeEnvironmentStringsW, TlsAlloc, TlsSetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, DecodePointer, RtlAllocateHeap, RtlFreeHeap, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, ExitProcess), an IsDebuggerPresent check with one branch leading to MessageBoxA, an administrator-group membership check (AllocateAndInitializeSid, CheckTokenMembership, FreeSid), working-directory and path handling (GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW), GetOpenFileNameW, IsThemeActive and SystemParametersInfoW, and GetForegroundWindow followed by ShellExecuteW.
calls Mailbox 101144->102264 101146 730955 101147 730959 GetFullPathNameW 101146->101147 101146->101154 101148 727bcc 59 API calls 101147->101148 101149 730985 101148->101149 101150 727bcc 59 API calls 101149->101150 101151 730992 101150->101151 101152 764cab _wcscat 101151->101152 101153 727bcc 59 API calls 101151->101153 101153->101154 101154->100997 101154->101005 101156 723ab0 LoadImageW RegisterClassExW 101155->101156 101157 75d261 101155->101157 102297 723041 7 API calls 101156->102297 102298 7247a0 LoadImageW EnumResourceNamesW 101157->102298 101160 723b34 101162 7239d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 101160->101162 101161 75d26a 101162->101013 101164 764cc3 101163->101164 101177 7309f5 101163->101177 102433 789e4a 89 API calls 4 library calls 101164->102433 101166 730cfa 101166->101020 101169 730ee4 101169->101166 101171 730ef1 101169->101171 101170 730a4b PeekMessageW 101239 730a05 Mailbox 101170->101239 102431 731093 331 API calls Mailbox 101171->102431 101174 730ef8 LockWindowUpdate DestroyWindow GetMessageW 101174->101166 101175 730f2a 101174->101175 101179 765c58 TranslateMessage DispatchMessageW GetMessageW 101175->101179 101176 730ce4 101176->101166 102430 731070 10 API calls Mailbox 101176->102430 101177->101239 102434 729e5d 60 API calls 101177->102434 102435 776349 331 API calls 101177->102435 101178 764e81 Sleep 101178->101239 101179->101179 101181 765c88 101179->101181 101181->101166 101182 764d50 TranslateAcceleratorW 101183 730e43 PeekMessageW 101182->101183 101182->101239 101183->101239 101184 730ea5 TranslateMessage DispatchMessageW 101184->101183 101185 730d13 timeGetTime 101185->101239 101186 76581f WaitForSingleObject 101188 76583c GetExitCodeProcess CloseHandle 101186->101188 101186->101239 101222 730f95 101188->101222 101189 730e5f Sleep 101224 730e70 Mailbox 101189->101224 101190 728047 59 API calls 101190->101239 101191 727667 59 API calls 101191->101224 101192 740db6 59 API calls Mailbox 101192->101239 101193 
765af8 Sleep 101193->101224 101195 74049f timeGetTime 101195->101224 101197 730f4e timeGetTime 102432 729e5d 60 API calls 101197->102432 101200 765b8f GetExitCodeProcess 101205 765ba5 WaitForSingleObject 101200->101205 101206 765bbb CloseHandle 101200->101206 101203 7a5f25 110 API calls 101203->101224 101204 72b7dd 109 API calls 101204->101224 101205->101206 101205->101239 101206->101224 101208 765874 101208->101222 101209 765c17 Sleep 101209->101239 101210 765078 Sleep 101210->101239 101212 727de1 59 API calls 101212->101224 101215 729e5d 60 API calls 101215->101239 101221 727de1 59 API calls 101221->101239 101222->101020 101224->101191 101224->101195 101224->101200 101224->101203 101224->101204 101224->101208 101224->101209 101224->101210 101224->101212 101224->101222 101224->101239 102460 782408 60 API calls 101224->102460 102461 729e5d 60 API calls 101224->102461 102462 7289b3 69 API calls Mailbox 101224->102462 102463 72b73c 331 API calls 101224->102463 102464 7764da 60 API calls 101224->102464 102465 785244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 101224->102465 102466 783c55 66 API calls Mailbox 101224->102466 101226 789e4a 89 API calls 101226->101239 101227 729c90 59 API calls Mailbox 101227->101239 101228 72b73c 304 API calls 101228->101239 101229 729ea0 304 API calls 101229->101239 101230 77617e 59 API calls Mailbox 101230->101239 101232 7284c0 69 API calls 101232->101239 101233 7289b3 69 API calls 101233->101239 101234 7655d5 VariantClear 101234->101239 101235 776e8f 59 API calls 101235->101239 101236 76566b VariantClear 101236->101239 101237 765419 VariantClear 101237->101239 101238 728cd4 59 API calls Mailbox 101238->101239 101239->101170 101239->101176 101239->101178 101239->101182 101239->101183 101239->101184 101239->101185 101239->101186 101239->101189 101239->101190 101239->101192 101239->101193 101239->101197 101239->101215 101239->101221 101239->101222 101239->101224 101239->101226 101239->101227 
101239->101228 101239->101229 101239->101230 101239->101232 101239->101233 101239->101234 101239->101235 101239->101236 101239->101237 101239->101238 102299 72e6a0 101239->102299 102330 72f460 101239->102330 102348 72e420 331 API calls 101239->102348 102349 72fce0 101239->102349 102429 7231ce IsDialogMessageW GetClassLongW 101239->102429 102436 7a6018 59 API calls 101239->102436 102437 789a15 59 API calls Mailbox 101239->102437 102438 77d4f2 59 API calls 101239->102438 102439 729837 101239->102439 102457 7760ef 59 API calls 2 library calls 101239->102457 102458 728401 59 API calls 101239->102458 102459 7282df 59 API calls Mailbox 101239->102459 101240->100990 101241->100997 101242->101009 101244 751940 __ftell_nolock 101243->101244 101245 724713 GetModuleFileNameW 101244->101245 101246 727de1 59 API calls 101245->101246 101247 724739 101246->101247 101248 724750 60 API calls 101247->101248 101249 724743 Mailbox 101248->101249 101249->101016 101251 727df0 __wsetenvp _memmove 101250->101251 101252 740db6 Mailbox 59 API calls 101251->101252 101253 727e2e 101252->101253 101253->101021 101255 723d3e __ftell_nolock 101254->101255 101256 723ea4 Mailbox 101255->101256 101257 727bcc 59 API calls 101255->101257 101256->101046 101259 723d70 101257->101259 101267 723da6 Mailbox 101259->101267 101376 7279f2 101259->101376 101260 7279f2 59 API calls 101260->101267 101261 723e77 101261->101256 101262 727de1 59 API calls 101261->101262 101264 723e98 101262->101264 101263 727de1 59 API calls 101263->101267 101265 723f74 59 API calls 101264->101265 101265->101256 101267->101256 101267->101260 101267->101261 101267->101263 101379 723f74 101267->101379 101385 724bb5 101268->101385 101273 75d8e6 101276 724e4a 84 API calls 101273->101276 101274 724e08 LoadLibraryExW 101395 724b6a 101274->101395 101278 75d8ed 101276->101278 101280 724b6a 3 API calls 101278->101280 101282 75d8f5 101280->101282 101281 724e2f 101281->101282 101283 724e3b 101281->101283 101421 724f0b 101282->101421 101285 
724e4a 84 API calls 101283->101285 101287 7237d4 101285->101287 101287->101053 101287->101054 101289 75d91c 101429 724ec7 101289->101429 101291 75d929 101293 740db6 Mailbox 59 API calls 101292->101293 101294 7237fb 101293->101294 101294->101067 101296 7284cb 101295->101296 101298 7284f2 101296->101298 101683 7289b3 69 API calls Mailbox 101296->101683 101298->101071 101300 723ef3 101299->101300 101301 723eda 101299->101301 101303 727bcc 59 API calls 101300->101303 101302 728047 59 API calls 101301->101302 101304 723879 101302->101304 101303->101304 101305 742efd 101304->101305 101306 742f7e 101305->101306 101307 742f09 101305->101307 101686 742f90 60 API calls 3 library calls 101306->101686 101314 742f2e 101307->101314 101684 748b28 58 API calls __getptd_noexit 101307->101684 101309 742f8b 101309->101092 101311 742f15 101685 748db6 9 API calls __wcsnicmp_l 101311->101685 101313 742f20 101313->101092 101314->101092 101316 7292d6 101315->101316 101317 740db6 Mailbox 59 API calls 101316->101317 101318 7292e4 101317->101318 101319 723924 101318->101319 101687 7291fc 59 API calls Mailbox 101318->101687 101321 729050 101319->101321 101688 729160 101321->101688 101323 72905f 101324 740db6 Mailbox 59 API calls 101323->101324 101325 723932 101323->101325 101324->101325 101326 728ee0 101325->101326 101327 75f17c 101326->101327 101329 728ef7 101326->101329 101327->101329 101698 728bdb 59 API calls Mailbox 101327->101698 101330 729040 101329->101330 101331 728ff8 101329->101331 101334 728fff 101329->101334 101697 729d3c 60 API calls Mailbox 101330->101697 101333 740db6 Mailbox 59 API calls 101331->101333 101333->101334 101334->101120 101336 724ee5 85 API calls 101335->101336 101337 7895ca 101336->101337 101699 789734 101337->101699 101340 724f0b 74 API calls 101341 7895f7 101340->101341 101342 724f0b 74 API calls 101341->101342 101343 789607 101342->101343 101344 724f0b 74 API calls 101343->101344 101345 789622 101344->101345 101346 724f0b 74 API calls 101345->101346 101347 
78963d 101346->101347 101348 724ee5 85 API calls 101347->101348 101349 789654 101348->101349 101350 74571c __crtGetStringTypeA_stat 58 API calls 101349->101350 101351 78965b 101350->101351 101352 74571c __crtGetStringTypeA_stat 58 API calls 101351->101352 101353 789665 101352->101353 101354 724f0b 74 API calls 101353->101354 101355 789679 101354->101355 101356 789109 GetSystemTimeAsFileTime 101355->101356 101357 78968c 101356->101357 101358 7896a1 101357->101358 101359 7896b6 101357->101359 101360 742d55 _free 58 API calls 101358->101360 101361 78971b 101359->101361 101362 7896bc 101359->101362 101363 7896a7 101360->101363 101365 742d55 _free 58 API calls 101361->101365 101705 788b06 116 API calls __fcloseall 101362->101705 101366 742d55 _free 58 API calls 101363->101366 101368 75d186 101365->101368 101366->101368 101367 789713 101369 742d55 _free 58 API calls 101367->101369 101368->101058 101370 724e4a 101368->101370 101369->101368 101371 724e54 101370->101371 101373 724e5b 101370->101373 101706 7453a6 101371->101706 101374 724e6a 101373->101374 101375 724e7b FreeLibrary 101373->101375 101374->101058 101375->101374 101377 727e4f 59 API calls 101376->101377 101378 7279fd 101377->101378 101378->101259 101380 723f82 101379->101380 101384 723fa4 _memmove 101379->101384 101382 740db6 Mailbox 59 API calls 101380->101382 101381 740db6 Mailbox 59 API calls 101383 723fb8 101381->101383 101382->101384 101383->101267 101384->101381 101434 724c03 101385->101434 101388 724bdc 101390 724bf5 101388->101390 101391 724bec FreeLibrary 101388->101391 101389 724c03 2 API calls 101389->101388 101392 74525b 101390->101392 101391->101390 101438 745270 101392->101438 101394 724dfc 101394->101273 101394->101274 101598 724c36 101395->101598 101398 724b8f 101400 724ba1 FreeLibrary 101398->101400 101401 724baa 101398->101401 101399 724c36 2 API calls 101399->101398 101400->101401 101402 724c70 101401->101402 101403 740db6 Mailbox 59 API calls 101402->101403 101404 724c85 101403->101404 
101602 72522e 101404->101602 101406 724c91 _memmove 101407 724ccc 101406->101407 101408 724dc1 101406->101408 101409 724d89 101406->101409 101410 724ec7 69 API calls 101407->101410 101616 78991b 95 API calls 101408->101616 101605 724e89 CreateStreamOnHGlobal 101409->101605 101418 724cd5 101410->101418 101413 724f0b 74 API calls 101413->101418 101414 724d69 101414->101281 101416 75d8a7 101417 724ee5 85 API calls 101416->101417 101419 75d8bb 101417->101419 101418->101413 101418->101414 101418->101416 101611 724ee5 101418->101611 101420 724f0b 74 API calls 101419->101420 101420->101414 101422 75d9cd 101421->101422 101423 724f1d 101421->101423 101640 7455e2 101423->101640 101426 789109 101660 788f5f 101426->101660 101428 78911f 101428->101289 101430 724ed6 101429->101430 101431 75d990 101429->101431 101665 745c60 101430->101665 101433 724ede 101433->101291 101435 724bd0 101434->101435 101436 724c0c LoadLibraryA 101434->101436 101435->101388 101435->101389 101436->101435 101437 724c1d GetProcAddress 101436->101437 101437->101435 101440 74527c __alloc_osfhnd 101438->101440 101439 74528f 101487 748b28 58 API calls __getptd_noexit 101439->101487 101440->101439 101442 7452c0 101440->101442 101457 7504e8 101442->101457 101443 745294 101488 748db6 9 API calls __wcsnicmp_l 101443->101488 101446 7452c5 101447 7452ce 101446->101447 101448 7452db 101446->101448 101489 748b28 58 API calls __getptd_noexit 101447->101489 101450 745305 101448->101450 101451 7452e5 101448->101451 101472 750607 101450->101472 101490 748b28 58 API calls __getptd_noexit 101451->101490 101456 74529f __alloc_osfhnd @_EH4_CallFilterFunc@8 101456->101394 101458 7504f4 __alloc_osfhnd 101457->101458 101459 749c0b __lock 58 API calls 101458->101459 101466 750502 101459->101466 101460 750576 101492 7505fe 101460->101492 101461 75057d 101497 74881d 58 API calls 2 library calls 101461->101497 101464 750584 101464->101460 101498 749e2b InitializeCriticalSectionAndSpinCount 101464->101498 101465 7505f3 
__alloc_osfhnd 101465->101446 101466->101460 101466->101461 101468 749c93 __mtinitlocknum 58 API calls 101466->101468 101495 746c50 59 API calls __lock 101466->101495 101496 746cba LeaveCriticalSection LeaveCriticalSection _doexit 101466->101496 101468->101466 101470 7505aa EnterCriticalSection 101470->101460 101473 750627 __wopenfile 101472->101473 101474 750641 101473->101474 101486 7507fc 101473->101486 101505 7437cb 60 API calls __wcsnicmp_l 101473->101505 101503 748b28 58 API calls __getptd_noexit 101474->101503 101476 750646 101504 748db6 9 API calls __wcsnicmp_l 101476->101504 101478 75085f 101500 7585a1 101478->101500 101480 745310 101491 745332 LeaveCriticalSection LeaveCriticalSection _fprintf 101480->101491 101482 7507f5 101482->101486 101506 7437cb 60 API calls __wcsnicmp_l 101482->101506 101484 750814 101484->101486 101507 7437cb 60 API calls __wcsnicmp_l 101484->101507 101486->101474 101486->101478 101487->101443 101488->101456 101489->101456 101490->101456 101491->101456 101499 749d75 LeaveCriticalSection 101492->101499 101494 750605 101494->101465 101495->101466 101496->101466 101497->101464 101498->101470 101499->101494 101508 757d85 101500->101508 101502 7585ba 101502->101480 101503->101476 101504->101480 101505->101482 101506->101484 101507->101486 101510 757d91 __alloc_osfhnd 101508->101510 101509 757da7 101595 748b28 58 API calls __getptd_noexit 101509->101595 101510->101509 101512 757ddd 101510->101512 101519 757e4e 101512->101519 101513 757dac 101596 748db6 9 API calls __wcsnicmp_l 101513->101596 101516 757df9 101597 757e22 LeaveCriticalSection __unlock_fhandle 101516->101597 101518 757db6 __alloc_osfhnd 101518->101502 101520 757e6e 101519->101520 101521 7444ea __wsopen_nolock 58 API calls 101520->101521 101524 757e8a 101521->101524 101522 757fc1 101523 748dc6 __invoke_watson 8 API calls 101522->101523 101525 7585a0 101523->101525 101524->101522 101526 757ec4 101524->101526 101534 757ee7 101524->101534 101527 757d85 __wsopen_helper 103 API 
calls 101525->101527 101528 748af4 __set_osfhnd 58 API calls 101526->101528 101529 7585ba 101527->101529 101530 757ec9 101528->101530 101529->101516 101531 748b28 __wcsnicmp_l 58 API calls 101530->101531 101532 757ed6 101531->101532 101535 748db6 __wcsnicmp_l 9 API calls 101532->101535 101533 757fa5 101536 748af4 __set_osfhnd 58 API calls 101533->101536 101534->101533 101542 757f83 101534->101542 101537 757ee0 101535->101537 101538 757faa 101536->101538 101537->101516 101539 748b28 __wcsnicmp_l 58 API calls 101538->101539 101540 757fb7 101539->101540 101541 748db6 __wcsnicmp_l 9 API calls 101540->101541 101541->101522 101543 74d294 __alloc_osfhnd 61 API calls 101542->101543 101544 758051 101543->101544 101545 75807e 101544->101545 101546 75805b 101544->101546 101548 757cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101545->101548 101547 748af4 __set_osfhnd 58 API calls 101546->101547 101549 758060 101547->101549 101559 7580a0 101548->101559 101550 748b28 __wcsnicmp_l 58 API calls 101549->101550 101552 75806a 101550->101552 101551 75811e GetFileType 101553 758129 GetLastError 101551->101553 101554 75816b 101551->101554 101557 748b28 __wcsnicmp_l 58 API calls 101552->101557 101558 748b07 __dosmaperr 58 API calls 101553->101558 101564 74d52a __set_osfhnd 59 API calls 101554->101564 101555 7580ec GetLastError 101556 748b07 __dosmaperr 58 API calls 101555->101556 101560 758111 101556->101560 101557->101537 101561 758150 CloseHandle 101558->101561 101559->101551 101559->101555 101562 757cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101559->101562 101566 748b28 __wcsnicmp_l 58 API calls 101560->101566 101561->101560 101565 75815e 101561->101565 101563 7580e1 101562->101563 101563->101551 101563->101555 101570 758189 101564->101570 101567 748b28 __wcsnicmp_l 58 API calls 101565->101567 101566->101522 101568 758163 101567->101568 101568->101560 101569 758344 101569->101522 101572 758517 CloseHandle 101569->101572 101570->101569 101571 7518c1 
__lseeki64_nolock 60 API calls 101570->101571 101583 75820a 101570->101583 101573 7581f3 101571->101573 101574 757cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101572->101574 101576 748af4 __set_osfhnd 58 API calls 101573->101576 101578 758212 101573->101578 101575 75853e 101574->101575 101577 758546 GetLastError 101575->101577 101586 7583ce 101575->101586 101576->101583 101579 748b07 __dosmaperr 58 API calls 101577->101579 101581 750e5b 70 API calls __read_nolock 101578->101581 101582 750add __close_nolock 61 API calls 101578->101582 101578->101583 101584 7597a2 __chsize_nolock 82 API calls 101578->101584 101588 7583c1 101578->101588 101590 7583aa 101578->101590 101593 7518c1 60 API calls __lseeki64_nolock 101578->101593 101580 758552 101579->101580 101585 74d43d __free_osfhnd 59 API calls 101580->101585 101581->101578 101582->101578 101583->101569 101583->101578 101587 74d886 __write 78 API calls 101583->101587 101589 7518c1 60 API calls __lseeki64_nolock 101583->101589 101584->101578 101585->101586 101586->101522 101587->101583 101591 750add __close_nolock 61 API calls 101588->101591 101589->101583 101590->101569 101592 7583c8 101591->101592 101594 748b28 __wcsnicmp_l 58 API calls 101592->101594 101593->101578 101594->101586 101595->101513 101596->101518 101597->101518 101599 724b83 101598->101599 101600 724c3f LoadLibraryA 101598->101600 101599->101398 101599->101399 101600->101599 101601 724c50 GetProcAddress 101600->101601 101601->101599 101603 740db6 Mailbox 59 API calls 101602->101603 101604 725240 101603->101604 101604->101406 101606 724ea3 FindResourceExW 101605->101606 101610 724ec0 101605->101610 101607 75d933 LoadResource 101606->101607 101606->101610 101608 75d948 SizeofResource 101607->101608 101607->101610 101609 75d95c LockResource 101608->101609 101608->101610 101609->101610 101610->101407 101612 724ef4 101611->101612 101613 75d9ab 101611->101613 101617 74584d 101612->101617 101615 724f02 101615->101418 101616->101407 101618 745859 
__alloc_osfhnd 101617->101618 101619 74586b 101618->101619 101620 745891 101618->101620 101630 748b28 58 API calls __getptd_noexit 101619->101630 101632 746c11 101620->101632 101623 745870 101631 748db6 9 API calls __wcsnicmp_l 101623->101631 101625 745897 101638 7457be 83 API calls 5 library calls 101625->101638 101627 7458a6 101639 7458c8 LeaveCriticalSection LeaveCriticalSection _fprintf 101627->101639 101629 74587b __alloc_osfhnd 101629->101615 101630->101623 101631->101629 101633 746c21 101632->101633 101634 746c43 EnterCriticalSection 101632->101634 101633->101634 101635 746c29 101633->101635 101636 746c39 101634->101636 101637 749c0b __lock 58 API calls 101635->101637 101636->101625 101637->101636 101638->101627 101639->101629 101643 7455fd 101640->101643 101642 724f2e 101642->101426 101644 745609 __alloc_osfhnd 101643->101644 101645 74564c 101644->101645 101646 74561f _memset 101644->101646 101647 745644 __alloc_osfhnd 101644->101647 101648 746c11 __lock_file 59 API calls 101645->101648 101656 748b28 58 API calls __getptd_noexit 101646->101656 101647->101642 101650 745652 101648->101650 101658 74541d 72 API calls 6 library calls 101650->101658 101651 745639 101657 748db6 9 API calls __wcsnicmp_l 101651->101657 101654 745668 101659 745686 LeaveCriticalSection LeaveCriticalSection _fprintf 101654->101659 101656->101651 101657->101647 101658->101654 101659->101647 101663 74520a GetSystemTimeAsFileTime 101660->101663 101662 788f6e 101662->101428 101664 745238 __aulldiv 101663->101664 101664->101662 101666 745c6c __alloc_osfhnd 101665->101666 101667 745c93 101666->101667 101668 745c7e 101666->101668 101669 746c11 __lock_file 59 API calls 101667->101669 101679 748b28 58 API calls __getptd_noexit 101668->101679 101671 745c99 101669->101671 101681 7458d0 67 API calls 6 library calls 101671->101681 101672 745c83 101680 748db6 9 API calls __wcsnicmp_l 101672->101680 101675 745ca4 101682 745cc4 LeaveCriticalSection LeaveCriticalSection _fprintf 101675->101682 101676 
745c8e __alloc_osfhnd 101676->101433 101678 745cb6 101678->101676 101679->101672 101680->101676 101681->101675 101682->101678 101683->101298 101684->101311 101685->101313 101686->101309 101687->101319 101689 729169 Mailbox 101688->101689 101690 75f19f 101689->101690 101695 729173 101689->101695 101691 740db6 Mailbox 59 API calls 101690->101691 101692 75f1ab 101691->101692 101693 72917a 101693->101323 101695->101693 101696 729c90 59 API calls Mailbox 101695->101696 101696->101695 101697->101334 101698->101329 101701 789748 __tzset_nolock _wcscmp 101699->101701 101700 789109 GetSystemTimeAsFileTime 101700->101701 101701->101700 101702 724f0b 74 API calls 101701->101702 101703 7895dc 101701->101703 101704 724ee5 85 API calls 101701->101704 101702->101701 101703->101340 101703->101368 101704->101701 101705->101367 101707 7453b2 __alloc_osfhnd 101706->101707 101708 7453c6 101707->101708 101709 7453de 101707->101709 101735 748b28 58 API calls __getptd_noexit 101708->101735 101711 7453d6 __alloc_osfhnd 101709->101711 101712 746c11 __lock_file 59 API calls 101709->101712 101711->101373 101714 7453f0 101712->101714 101713 7453cb 101736 748db6 9 API calls __wcsnicmp_l 101713->101736 101719 74533a 101714->101719 101720 74535d 101719->101720 101721 745349 101719->101721 101723 745359 101720->101723 101738 744a3d 101720->101738 101781 748b28 58 API calls __getptd_noexit 101721->101781 101737 745415 LeaveCriticalSection LeaveCriticalSection _fprintf 101723->101737 101724 74534e 101782 748db6 9 API calls __wcsnicmp_l 101724->101782 101731 745377 101755 750a02 101731->101755 101733 74537d 101733->101723 101734 742d55 _free 58 API calls 101733->101734 101734->101723 101735->101713 101736->101711 101737->101711 101739 744a50 101738->101739 101740 744a74 101738->101740 101739->101740 101741 7446e6 _fprintf 58 API calls 101739->101741 101744 750b77 101740->101744 101742 744a6d 101741->101742 101783 74d886 101742->101783 101745 750b84 101744->101745 101747 745371 101744->101747 101746 
742d55 _free 58 API calls 101745->101746 101745->101747 101746->101747 101748 7446e6 101747->101748 101749 744705 101748->101749 101750 7446f0 101748->101750 101749->101731 101918 748b28 58 API calls __getptd_noexit 101750->101918 101752 7446f5 101919 748db6 9 API calls __wcsnicmp_l 101752->101919 101754 744700 101754->101731 101756 750a0e __alloc_osfhnd 101755->101756 101757 750a32 101756->101757 101758 750a1b 101756->101758 101759 750abd 101757->101759 101761 750a42 101757->101761 101935 748af4 58 API calls __getptd_noexit 101758->101935 101940 748af4 58 API calls __getptd_noexit 101759->101940 101764 750a60 101761->101764 101765 750a6a 101761->101765 101763 750a20 101936 748b28 58 API calls __getptd_noexit 101763->101936 101937 748af4 58 API calls __getptd_noexit 101764->101937 101769 74d206 ___lock_fhandle 59 API calls 101765->101769 101766 750a65 101941 748b28 58 API calls __getptd_noexit 101766->101941 101771 750a70 101769->101771 101773 750a83 101771->101773 101774 750a8e 101771->101774 101772 750ac9 101942 748db6 9 API calls __wcsnicmp_l 101772->101942 101920 750add 101773->101920 101938 748b28 58 API calls __getptd_noexit 101774->101938 101777 750a27 __alloc_osfhnd 101777->101733 101779 750a89 101939 750ab5 LeaveCriticalSection __unlock_fhandle 101779->101939 101781->101724 101782->101723 101784 74d892 __alloc_osfhnd 101783->101784 101785 74d8b6 101784->101785 101786 74d89f 101784->101786 101787 74d955 101785->101787 101790 74d8ca 101785->101790 101884 748af4 58 API calls __getptd_noexit 101786->101884 101890 748af4 58 API calls __getptd_noexit 101787->101890 101789 74d8a4 101885 748b28 58 API calls __getptd_noexit 101789->101885 101793 74d8f2 101790->101793 101794 74d8e8 101790->101794 101811 74d206 101793->101811 101886 748af4 58 API calls __getptd_noexit 101794->101886 101795 74d8ed 101891 748b28 58 API calls __getptd_noexit 101795->101891 101798 74d8f8 101800 74d91e 101798->101800 101801 74d90b 101798->101801 101887 748b28 58 API calls __getptd_noexit 
101800->101887 101820 74d975 101801->101820 101802 74d961 101892 748db6 9 API calls __wcsnicmp_l 101802->101892 101804 74d8ab __alloc_osfhnd 101804->101740 101807 74d923 101888 748af4 58 API calls __getptd_noexit 101807->101888 101808 74d917 101889 74d94d LeaveCriticalSection __unlock_fhandle 101808->101889 101812 74d212 __alloc_osfhnd 101811->101812 101813 74d261 EnterCriticalSection 101812->101813 101815 749c0b __lock 58 API calls 101812->101815 101814 74d287 __alloc_osfhnd 101813->101814 101814->101798 101816 74d237 101815->101816 101817 74d24f 101816->101817 101893 749e2b InitializeCriticalSectionAndSpinCount 101816->101893 101894 74d28b LeaveCriticalSection _doexit 101817->101894 101821 74d982 __ftell_nolock 101820->101821 101822 74d9e0 101821->101822 101823 74d9c1 101821->101823 101856 74d9b6 101821->101856 101826 74da1c 101822->101826 101827 74da38 101822->101827 101904 748af4 58 API calls __getptd_noexit 101823->101904 101824 74c5f6 __ld12tod 6 API calls 101828 74e1d6 101824->101828 101907 748af4 58 API calls __getptd_noexit 101826->101907 101832 74da51 101827->101832 101910 7518c1 60 API calls 3 library calls 101827->101910 101828->101808 101829 74d9c6 101905 748b28 58 API calls __getptd_noexit 101829->101905 101895 755c6b 101832->101895 101833 74da21 101908 748b28 58 API calls __getptd_noexit 101833->101908 101834 74d9cd 101906 748db6 9 API calls __wcsnicmp_l 101834->101906 101839 74da5f 101841 74ddb8 101839->101841 101911 7499ac 58 API calls 2 library calls 101839->101911 101840 74da28 101909 748db6 9 API calls __wcsnicmp_l 101840->101909 101842 74ddd6 101841->101842 101843 74e14b WriteFile 101841->101843 101846 74defa 101842->101846 101854 74ddec 101842->101854 101847 74ddab GetLastError 101843->101847 101858 74dd78 101843->101858 101850 74df05 101846->101850 101851 74dfef 101846->101851 101847->101858 101848 74da8b GetConsoleMode 101848->101841 101852 74daca 101848->101852 101849 74e184 101849->101856 101916 748b28 58 API calls __getptd_noexit 
__ftell_nolock 103372->103373 103374 740518 GetFullPathNameW 103373->103374 103375 74053a 103374->103375 103376 727bcc 59 API calls 103375->103376 103377 727165 103376->103377 103377->103349 103378 6f12a0 103384 6f12b6 103378->103384 103379 6f1a53 CreateProcessW 103382 6f1a62 103379->103382 103379->103384 103380 6f1adc Wow64GetThreadContext 103381 6f1afd ReadProcessMemory 103380->103381 103380->103382 103381->103382 103381->103384 103383 6f1d88 Wow64SetThreadContext 103383->103382 103383->103384 103384->103379 103384->103380 103384->103382 103384->103383

              Control-flow Graph

              APIs
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00723B68
              • IsDebuggerPresent.KERNEL32 ref: 00723B7A
              • GetFullPathNameW.KERNEL32(00007FFF,?,?,007E52F8,007E52E0,?,?), ref: 00723BEB
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
                • Part of subcall function 0073092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00723C14,007E52F8,?,?,?), ref: 0073096E
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00723C6F
              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007D7770,00000010), ref: 0075D281
              • SetCurrentDirectoryW.KERNEL32(?,007E52F8,?,?,?), ref: 0075D2B9
              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007D4260,007E52F8,?,?,?), ref: 0075D33F
              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0075D346
                • Part of subcall function 00723A46: GetSysColorBrush.USER32(0000000F), ref: 00723A50
                • Part of subcall function 00723A46: LoadCursorW.USER32(00000000,00007F00), ref: 00723A5F
                • Part of subcall function 00723A46: LoadIconW.USER32(00000063), ref: 00723A76
                • Part of subcall function 00723A46: LoadIconW.USER32(000000A4), ref: 00723A88
                • Part of subcall function 00723A46: LoadIconW.USER32(000000A2), ref: 00723A9A
                • Part of subcall function 00723A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00723AC0
                • Part of subcall function 00723A46: RegisterClassExW.USER32(?), ref: 00723B16
                • Part of subcall function 007239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00723A03
                • Part of subcall function 007239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00723A24
                • Part of subcall function 007239D5: ShowWindow.USER32(00000000,?,?), ref: 00723A38
                • Part of subcall function 007239D5: ShowWindow.USER32(00000000,?,?), ref: 00723A41
                • Part of subcall function 0072434A: _memset.LIBCMT ref: 00724370
                • Part of subcall function 0072434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00724415
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
              • String ID: This is a third-party compiled AutoIt script.$runas$%{
              • API String ID: 529118366-1872128065
              • Opcode ID: cf9516382bcdb52598b18289481b6d0e0309d3a7e8b187f80b5d0128591cb2e2
              • Instruction ID: 3b8270cbb40f97214918419e2b3e54db905e6d0fed3c90668dae75bed2331b77
              • Opcode Fuzzy Hash: cf9516382bcdb52598b18289481b6d0e0309d3a7e8b187f80b5d0128591cb2e2
              • Instruction Fuzzy Hash: 3A5123B0D0919CEACF15EBB4EC49AED7B7CBB49304F008069F511AA1A2DA7C5A45CB24

              Control-flow Graph

              control_flow_graph 985 7249a0-724a00 call 727667 GetVersionExW call 727bcc 990 724a06 985->990 991 724b0b-724b0d 985->991 992 724a09-724a0e 990->992 993 75d767-75d773 991->993 995 724b12-724b13 992->995 996 724a14 992->996 994 75d774-75d778 993->994 997 75d77b-75d787 994->997 998 75d77a 994->998 999 724a15-724a4c call 727d2c call 727726 995->999 996->999 997->994 1000 75d789-75d78e 997->1000 998->997 1008 724a52-724a53 999->1008 1009 75d864-75d867 999->1009 1000->992 1002 75d794-75d79b 1000->1002 1002->993 1004 75d79d 1002->1004 1007 75d7a2-75d7a5 1004->1007 1010 724a93-724aaa GetCurrentProcess IsWow64Process 1007->1010 1011 75d7ab-75d7c9 1007->1011 1008->1007 1012 724a59-724a64 1008->1012 1013 75d880-75d884 1009->1013 1014 75d869 1009->1014 1021 724aaf-724ac0 1010->1021 1022 724aac 1010->1022 1011->1010 1015 75d7cf-75d7d5 1011->1015 1016 724a6a-724a6c 1012->1016 1017 75d7ea-75d7f0 1012->1017 1019 75d886-75d88f 1013->1019 1020 75d86f-75d878 1013->1020 1018 75d86c 1014->1018 1025 75d7d7-75d7da 1015->1025 1026 75d7df-75d7e5 1015->1026 1027 75d805-75d811 1016->1027 1028 724a72-724a75 1016->1028 1029 75d7f2-75d7f5 1017->1029 1030 75d7fa-75d800 1017->1030 1018->1020 1019->1018 1031 75d891-75d894 1019->1031 1020->1013 1023 724ac2-724ad2 call 724b37 1021->1023 1024 724b2b-724b35 GetSystemInfo 1021->1024 1022->1021 1042 724ad4-724ae1 call 724b37 1023->1042 1043 724b1f-724b29 GetSystemInfo 1023->1043 1037 724af8-724b08 1024->1037 1025->1010 1026->1010 1032 75d813-75d816 1027->1032 1033 75d81b-75d821 1027->1033 1035 75d831-75d834 1028->1035 1036 724a7b-724a8a 1028->1036 1029->1010 1030->1010 1031->1020 1032->1010 1033->1010 1035->1010 1039 75d83a-75d84f 1035->1039 1040 724a90 1036->1040 1041 75d826-75d82c 1036->1041 1044 75d851-75d854 1039->1044 1045 75d859-75d85f 1039->1045 1040->1010 1041->1010 1050 724ae3-724ae7 GetNativeSystemInfo 1042->1050 1051 724b18-724b1d 1042->1051 1047 724ae9-724aed 1043->1047 1044->1010 1045->1010 1047->1037 1049 724aef-724af2 
FreeLibrary 1047->1049 1049->1037 1050->1047 1051->1050
              APIs
              • GetVersionExW.KERNEL32(?), ref: 007249CD
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
              • GetCurrentProcess.KERNEL32(?,007AFAEC,00000000,00000000,?), ref: 00724A9A
              • IsWow64Process.KERNEL32(00000000), ref: 00724AA1
              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00724AE7
              • FreeLibrary.KERNEL32(00000000), ref: 00724AF2
              • GetSystemInfo.KERNEL32(00000000), ref: 00724B23
              • GetSystemInfo.KERNEL32(00000000), ref: 00724B2F
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
              • String ID:
              • API String ID: 1986165174-0
              • Opcode ID: 9cd2123e35244b6c3c40011b71bfe8d85f0df982b5ecd84166f02a0cb5b86c6a
              • Instruction ID: 81ec18d21dc61774274221fd3356f877e97795039c2d7c00619342e6a17d2e76
              • Opcode Fuzzy Hash: 9cd2123e35244b6c3c40011b71bfe8d85f0df982b5ecd84166f02a0cb5b86c6a
              • Instruction Fuzzy Hash: 6991C3319897D0DEC731CB7899501AABFF5AF2A301B448DAED0CB93A41D268B90CC75D

              Control-flow Graph

              control_flow_graph 1052 724e89-724ea1 CreateStreamOnHGlobal 1053 724ea3-724eba FindResourceExW 1052->1053 1054 724ec1-724ec6 1052->1054 1055 724ec0 1053->1055 1056 75d933-75d942 LoadResource 1053->1056 1055->1054 1056->1055 1057 75d948-75d956 SizeofResource 1056->1057 1057->1055 1058 75d95c-75d967 LockResource 1057->1058 1058->1055 1059 75d96d-75d98b 1058->1059 1059->1055
              APIs
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00724D8E,?,?,00000000,00000000), ref: 00724E99
              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00724D8E,?,?,00000000,00000000), ref: 00724EB0
              • LoadResource.KERNEL32(?,00000000,?,?,00724D8E,?,?,00000000,00000000,?,?,?,?,?,?,00724E2F), ref: 0075D937
              • SizeofResource.KERNEL32(?,00000000,?,?,00724D8E,?,?,00000000,00000000,?,?,?,?,?,?,00724E2F), ref: 0075D94C
              • LockResource.KERNEL32(00724D8E,?,?,00724D8E,?,?,00000000,00000000,?,?,?,?,?,?,00724E2F,00000000), ref: 0075D95F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
              • String ID: SCRIPT
              • API String ID: 3051347437-3967369404
              • Opcode ID: de71a33e8c1634b3a33f40619980224692aac90ab0cb993d0da395685227b88d
              • Instruction ID: 3863c95184892e18c733abffd6c6401f735c11e07670f8d33ae73945a7cf2990
              • Opcode Fuzzy Hash: de71a33e8c1634b3a33f40619980224692aac90ab0cb993d0da395685227b88d
              • Instruction Fuzzy Hash: 01115E75640700BFE7318BA5EC48F677BBAFBC6B11F108268F405C6290DB65EC008A60
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: pb~$%{
              • API String ID: 3964851224-2839119673
              • Opcode ID: 0e2a32891f8259333b934bb551d5fb40981c1f70574c748f677e400a1c33a70a
              • Instruction ID: 60c3a209c7f7ddfa7ff53f1be9efa22dca687d4bec6983be9eef04793576e8f5
              • Opcode Fuzzy Hash: 0e2a32891f8259333b934bb551d5fb40981c1f70574c748f677e400a1c33a70a
              • Instruction Fuzzy Hash: 4E928C70A08351DFE724DF24C494B2AB7E1BF85304F14896DE98A8B362D779EC45CB92
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID: Dd~$Dd~$Dd~$Dd~$Variable must be of type 'Object'.
              • API String ID: 0-4039284102
              • Opcode ID: 995838f73005727c10747f3ede02193e09f8fe5ccad3c78a3d867598b805826f
              • Instruction ID: b28f584376fc6b065953d1a1a1c0b37c38555728ee90c09cb9441b7ea3c115fb
              • Opcode Fuzzy Hash: 995838f73005727c10747f3ede02193e09f8fe5ccad3c78a3d867598b805826f
              • Instruction Fuzzy Hash: 01A29075A00225CFCF24CF54E484AAEB7B2FF59310F648069E946AB351D739ED82CB91
              APIs
              • IsThemeActive.UXTHEME ref: 00724834
                • Part of subcall function 0074336C: __lock.LIBCMT ref: 00743372
                • Part of subcall function 0074336C: DecodePointer.KERNEL32(00000001,?,00724849,00777C74), ref: 0074337E
                • Part of subcall function 0074336C: EncodePointer.KERNEL32(?,?,00724849,00777C74), ref: 00743389
                • Part of subcall function 007248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00724915
                • Part of subcall function 007248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0072492A
                • Part of subcall function 00723B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00723B68
                • Part of subcall function 00723B3A: IsDebuggerPresent.KERNEL32 ref: 00723B7A
                • Part of subcall function 00723B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,007E52F8,007E52E0,?,?), ref: 00723BEB
                • Part of subcall function 00723B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00723C6F
              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00724874
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
              • String ID: d
              • API String ID: 1438897964-2872634890
              • Opcode ID: 2b9e19fa0fed0fe132b4467bb5cea228551171227109499bb55d6fe1f3a320f3
              • Instruction ID: be8548b3c9fa14e3d026dc3807c4fefe9586d74ec4acde3dfed034c1254ccf7f
              • Opcode Fuzzy Hash: 2b9e19fa0fed0fe132b4467bb5cea228551171227109499bb55d6fe1f3a320f3
              • Instruction Fuzzy Hash: E111CDB1809395DBC700EF68EC8980ABBE8FF99750F10851EF1448B2B1DB789604CB96
              APIs
              • GetFileAttributesW.KERNELBASE(?,0075E398), ref: 0078446A
              • FindFirstFileW.KERNELBASE(?,?), ref: 0078447B
              • FindClose.KERNEL32(00000000), ref: 0078448B
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FileFind$AttributesCloseFirst
              • String ID:
              • API String ID: 48322524-0
              • Opcode ID: 220ac3b1b88d8e86f35318d358b0b37582d175fae68993b37e001d84f9bb503b
              • Instruction ID: 3a7a88063e024cdf1b8facde731bc3257ece976205129b0125b6c7690aed0d1a
              • Opcode Fuzzy Hash: 220ac3b1b88d8e86f35318d358b0b37582d175fae68993b37e001d84f9bb503b
              • Instruction Fuzzy Hash: 7FE0D8324105416742107B78EC0D9ED7B9CAE46335F104715F839C10E0E7FC5D009699
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00730A5B
              • timeGetTime.WINMM ref: 00730D16
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00730E53
              • Sleep.KERNEL32(0000000A), ref: 00730E61
              • LockWindowUpdate.USER32(00000000,?,?), ref: 00730EFA
              • DestroyWindow.USER32 ref: 00730F06
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00730F20
              • Sleep.KERNEL32(0000000A,?,?), ref: 00764E83
              • TranslateMessage.USER32(?), ref: 00765C60
              • DispatchMessageW.USER32(?), ref: 00765C6E
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00765C82
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb~$pb~$pb~$pb~
              • API String ID: 4212290369-878677322
              • Opcode ID: 593c490d2fe947764a3ea5c8e5786d429fdcb743c16efb7c63ded51ee7156a3a
              • Instruction ID: 9cf2049ce99887793043cccaf6549189d32593f85c389f7652746634db4723cf
              • Opcode Fuzzy Hash: 593c490d2fe947764a3ea5c8e5786d429fdcb743c16efb7c63ded51ee7156a3a
              • Instruction Fuzzy Hash: CAB2E870608741DFD724DF24C898BAAB7E4BF85304F14891DF98A97292CB7DE844DB92

              Control-flow Graph

              APIs
                • Part of subcall function 00788F5F: __time64.LIBCMT ref: 00788F69
                • Part of subcall function 00724EE5: _fseek.LIBCMT ref: 00724EFD
              • __wsplitpath.LIBCMT ref: 00789234
                • Part of subcall function 007440FB: __wsplitpath_helper.LIBCMT ref: 0074413B
              • _wcscpy.LIBCMT ref: 00789247
              • _wcscat.LIBCMT ref: 0078925A
              • __wsplitpath.LIBCMT ref: 0078927F
              • _wcscat.LIBCMT ref: 00789295
              • _wcscat.LIBCMT ref: 007892A8
                • Part of subcall function 00788FA5: _memmove.LIBCMT ref: 00788FDE
                • Part of subcall function 00788FA5: _memmove.LIBCMT ref: 00788FED
              • _wcscmp.LIBCMT ref: 007891EF
                • Part of subcall function 00789734: _wcscmp.LIBCMT ref: 00789824
                • Part of subcall function 00789734: _wcscmp.LIBCMT ref: 00789837
              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00789452
              • _wcsncpy.LIBCMT ref: 007894C5
              • DeleteFileW.KERNEL32(?,?), ref: 007894FB
              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00789511
              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00789522
              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00789534
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
              • String ID:
              • API String ID: 1500180987-0
              • Opcode ID: dda93e91e6fa962985e4ad54b2173dc75b7ec74559ea27af85ad28a5f32716a9
              • Instruction ID: 5e5046983d81d8edc89a42ddf57622ba22b7eb8b1558eb64bb22d3cc84bbf90b
              • Opcode Fuzzy Hash: dda93e91e6fa962985e4ad54b2173dc75b7ec74559ea27af85ad28a5f32716a9
              • Instruction Fuzzy Hash: 91C15DB1D40129AADF21EF95CC85AEEB7BCEF85310F0440A6F609E6141EB349A448F65

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00723074
              • RegisterClassExW.USER32(00000030), ref: 0072309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007230AF
              • InitCommonControlsEx.COMCTL32(?), ref: 007230CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007230DC
              • LoadIconW.USER32(000000A9), ref: 007230F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00723101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 150654a7ede0b153be26da6f2ae6f5da8f45e3d0951073121f08a06c05403d81
              • Instruction ID: e1f74feeb0c73d1e0031be90233c1b92c527f0564f8d1489484de32817bd4d0c
              • Opcode Fuzzy Hash: 150654a7ede0b153be26da6f2ae6f5da8f45e3d0951073121f08a06c05403d81
              • Instruction Fuzzy Hash: FC3118B1901359EFDB508FE4EC89ADABBF4FB09314F14812AE540EA2A1D3B90541CF95

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00723A50
              • LoadCursorW.USER32(00000000,00007F00), ref: 00723A5F
              • LoadIconW.USER32(00000063), ref: 00723A76
              • LoadIconW.USER32(000000A4), ref: 00723A88
              • LoadIconW.USER32(000000A2), ref: 00723A9A
              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00723AC0
              • RegisterClassExW.USER32(?), ref: 00723B16
                • Part of subcall function 00723041: GetSysColorBrush.USER32(0000000F), ref: 00723074
                • Part of subcall function 00723041: RegisterClassExW.USER32(00000030), ref: 0072309E
                • Part of subcall function 00723041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007230AF
                • Part of subcall function 00723041: InitCommonControlsEx.COMCTL32(?), ref: 007230CC
                • Part of subcall function 00723041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007230DC
                • Part of subcall function 00723041: LoadIconW.USER32(000000A9), ref: 007230F2
                • Part of subcall function 00723041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00723101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
              • String ID: #$0$AutoIt v3$d
              • API String ID: 423443420-2400601453
              • Opcode ID: a9002fae4f16c112ef4c64a6f23d2ff44461e31f2e37a98427a8e3ebe1e5ef7a
              • Instruction ID: 87d3ae534d90c24e719f6d109ef698557f93f4c0f461ce9a8b7fc4b3ca1d673c
              • Opcode Fuzzy Hash: a9002fae4f16c112ef4c64a6f23d2ff44461e31f2e37a98427a8e3ebe1e5ef7a
              • Instruction Fuzzy Hash: 97214FB1D01358AFEB10DFA4EC89B9D7BB9FB4C715F008129F604AA2A1D3BD55408F98

              Control-flow Graph

              APIs
              • GetSysColorBrush.USER32(0000000F), ref: 00723074
              • RegisterClassExW.USER32(00000030), ref: 0072309E
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007230AF
              • InitCommonControlsEx.COMCTL32(?), ref: 007230CC
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007230DC
              • LoadIconW.USER32(000000A9), ref: 007230F2
              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00723101
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
              • API String ID: 2914291525-1005189915
              • Opcode ID: 769dd41365096c8f1beb0a0b8ce8c6510ee6bc2fbc46f1564a6ca1d2fa2e7162
              • Instruction ID: 1f566a5d593e0d86c2ccd7818439e1a261aec4ba69f3836fdc003c1b77da40f6
              • Opcode Fuzzy Hash: 769dd41365096c8f1beb0a0b8ce8c6510ee6bc2fbc46f1564a6ca1d2fa2e7162
              • Instruction Fuzzy Hash: 0821C8B1901658AFDB10DFD4EC89B9EBBF4FB0D704F00812AF610AA2A0D7B945448F99

              Control-flow Graph

              APIs
                • Part of subcall function 00724706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007E52F8,?,007237AE,?), ref: 00724724
                • Part of subcall function 0074050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00727165), ref: 0074052D
              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007271A8
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0075E8C8
              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0075E909
              • RegCloseKey.ADVAPI32(?), ref: 0075E947
              • _wcscat.LIBCMT ref: 0075E9A0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
              • API String ID: 2673923337-2727554177
              • Opcode ID: 4cabf1fe85cbd57065dad95ba272d417fb4cbd2d419ad2be4dddc7805e228522
              • Instruction ID: 66896688bbfd22b3f6bbc8a83f005ca6d84e02ecae42917a619adccd6cec2163
              • Opcode Fuzzy Hash: 4cabf1fe85cbd57065dad95ba272d417fb4cbd2d419ad2be4dddc7805e228522
              • Instruction Fuzzy Hash: 8A71CF71509351DEC304EF25EC859ABBBECFF99350B40852EF544CB1A0EB78A948CB96

              Control-flow Graph

              APIs
              • DefWindowProcW.USER32(?,?,?,?), ref: 007236D2
              • KillTimer.USER32(?,00000001), ref: 007236FC
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0072371F
              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0072372A
              • CreatePopupMenu.USER32 ref: 0072373E
              • PostQuitMessage.USER32(00000000), ref: 0072374D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
              • String ID: TaskbarCreated$%{
              • API String ID: 129472671-2414581122
              • Opcode ID: 7542c2a235c453c1ae6655165242a47f64299c1a706fb150bcd949db7ad2629e
              • Instruction ID: d39549d78c7d860aecdd890be41879acf28634995c9c045241433cc3fdb37856
              • Opcode Fuzzy Hash: 7542c2a235c453c1ae6655165242a47f64299c1a706fb150bcd949db7ad2629e
              • Instruction Fuzzy Hash: 86419AB120059DFBDF246F68FC8DBB9375CEB09300F504125FA06CA2A2CA6D9E058329

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R~
              • API String ID: 1825951767-576807863
              • Opcode ID: 9e88ef77f9e82cc8ca9535b496b923d535504affe4f8efd4a23d90b535696db4
              • Instruction ID: 1284636bfcb05e1f6ca53fbc0171f84fd20e014d369ce64183d941d11fa16f8b
              • Opcode Fuzzy Hash: 9e88ef77f9e82cc8ca9535b496b923d535504affe4f8efd4a23d90b535696db4
              • Instruction Fuzzy Hash: ACA14B72D0026DEACB14EBA0EC99AEEB778BF15304F440529F515B7191DF7C6A08CB60

              Control-flow Graph

              APIs
                • Part of subcall function 00740162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00740193
                • Part of subcall function 00740162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0074019B
                • Part of subcall function 00740162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007401A6
                • Part of subcall function 00740162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007401B1
                • Part of subcall function 00740162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007401B9
                • Part of subcall function 00740162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007401C1
                • Part of subcall function 007360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0072F930), ref: 00736154
              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0072F9CD
              • OleInitialize.OLE32(00000000), ref: 0072FA4A
              • CloseHandle.KERNEL32(00000000), ref: 007645C8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
              • String ID: <W~$H$`$%{$S~
              • API String ID: 1986988660-443527826
              • Opcode ID: df1cbfc1a2c54bb6099d384cd72c6de0a0907d24f7859313ab2a300c3837a207
              • Instruction ID: 9d5b57dbfbe4c4759b0b7ad166d5c321bad612a180be381d6fd31bf93cdac5a7
              • Opcode Fuzzy Hash: df1cbfc1a2c54bb6099d384cd72c6de0a0907d24f7859313ab2a300c3837a207
              • Instruction Fuzzy Hash: F98190B0903AC9CEC384DF69A984A597BE5AB4E30E750C13AD119CF2A2E77C4494CF19

              Control-flow Graph

              APIs
              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00723A03
              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00723A24
              • ShowWindow.USER32(00000000,?,?), ref: 00723A38
              • ShowWindow.USER32(00000000,?,?), ref: 00723A41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$CreateShow
              • String ID: AutoIt v3$edit
              • API String ID: 1584632944-3779509399
              • Opcode ID: 40fd014b47f25c876dd1a030e2ae780d4c36d07d88804c6b548d296911c72df9
              • Instruction ID: 88ebba3a5f6bab4ef9a729d7890f607c133220f176454f146e27a3089afcb376
              • Opcode Fuzzy Hash: 40fd014b47f25c876dd1a030e2ae780d4c36d07d88804c6b548d296911c72df9
              • Instruction Fuzzy Hash: A0F030B05026D47EEA3057536C88E773E7DE7CBF64B008129FB00A6171C1691840CA78

              Control-flow Graph

              APIs
              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0075D3D7
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
              • _memset.LIBCMT ref: 007240FC
              • _wcscpy.LIBCMT ref: 00724150
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00724160
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
              • String ID: Line:
              • API String ID: 3942752672-1585850449
              • Opcode ID: df4e698a5b55bb6376cb228a97a625928a53ff2c36fad027ae6373bc5c7b27fd
              • Instruction ID: 593434560fbc666c89ce5a0d8fe4920081ffc6386421f4bb516e7f79822ac748
              • Opcode Fuzzy Hash: df4e698a5b55bb6376cb228a97a625928a53ff2c36fad027ae6373bc5c7b27fd
              • Instruction Fuzzy Hash: 4531D2B1009358ABD734EB60EC4AFDB77DCAF44304F10891EF685860A1DB7CA648C796

              Control-flow Graph

              APIs
                • Part of subcall function 00724DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00724E0F
              • _free.LIBCMT ref: 0075E263
              • _free.LIBCMT ref: 0075E2AA
                • Part of subcall function 00726A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00726BAD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _free$CurrentDirectoryLibraryLoad
              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
              • API String ID: 2861923089-1757145024
              • Opcode ID: 5775b7d0942c0223b6d80198667cf20cad01c031a828d70836034ea272c08e18
              • Instruction ID: 751b784b568cc8db3629cda566bae38c741bc02b3223d3b7b34282b057d93ca7
              • Opcode Fuzzy Hash: 5775b7d0942c0223b6d80198667cf20cad01c031a828d70836034ea272c08e18
              • Instruction Fuzzy Hash: C3918271900229EFCF08EFA4DC859EDB7B4FF05311F10442AF815AB2A1DBB8AA55CB50

              Control-flow Graph

              APIs
              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007235A1,SwapMouseButtons,00000004,?), ref: 007235D4
              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007235A1,SwapMouseButtons,00000004,?,?,?,?,00722754), ref: 007235F5
              • RegCloseKey.KERNELBASE(00000000,?,?,007235A1,SwapMouseButtons,00000004,?,?,?,?,00722754), ref: 00723617
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID: Control Panel\Mouse
              • API String ID: 3677997916-824357125
              • Opcode ID: 0639672ab7716e77ea82fdbe614eeb8a7d2512d2448094a50f7f40b7d6a50c33
              • Instruction ID: 063cf89c087ce0d4142daec0136543b53aae46fc506ce0df90e7d426a95571d7
              • Opcode Fuzzy Hash: 0639672ab7716e77ea82fdbe614eeb8a7d2512d2448094a50f7f40b7d6a50c33
              • Instruction Fuzzy Hash: B8115771610228BFDB208FA4EC80EAFBBBCEF45740F019469F805D7210E2799F409BA4
              APIs
              • CreateProcessW.KERNELBASE(?,00000000), ref: 006F1A5B
              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 006F1AF1
              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 006F1B13
              Memory Dump Source
              • Source File: 00000000.00000002.1374810188.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6f0000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Process$ContextCreateMemoryReadThreadWow64
              • String ID:
              • API String ID: 2438371351-0
              • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
              • Instruction ID: a2cca301ea59329974683e281f6e2c8a6b304909388f45a5182922847f296931
              • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
              • Instruction Fuzzy Hash: 8B621C30A14258DBEB24CFA4C851BEEB372EF59300F1091A9D60DEB394E7759E81CB59
              APIs
                • Part of subcall function 00724EE5: _fseek.LIBCMT ref: 00724EFD
                • Part of subcall function 00789734: _wcscmp.LIBCMT ref: 00789824
                • Part of subcall function 00789734: _wcscmp.LIBCMT ref: 00789837
              • _free.LIBCMT ref: 007896A2
              • _free.LIBCMT ref: 007896A9
              • _free.LIBCMT ref: 00789714
                • Part of subcall function 00742D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00749A24), ref: 00742D69
                • Part of subcall function 00742D55: GetLastError.KERNEL32(00000000,?,00749A24), ref: 00742D7B
              • _free.LIBCMT ref: 0078971C
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
              • String ID:
              • API String ID: 1552873950-0
              • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
              • Instruction ID: 535139af71ab394b71e17d03dfc64c6fab09587e937e9a458ae008e27d733c9e
              • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
              • Instruction Fuzzy Hash: E85160B1E04258EFDF259F64DC85AAEBB79EF48300F14049EF209A3241DB755A91CF58
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
              • String ID:
              • API String ID: 2782032738-0
              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
              • Instruction ID: 7cdae8fd26cdfe7cce9a9810afe97b253cd47cc0e7788747fef50976615ac312
              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
              • Instruction Fuzzy Hash: 8441D374B00746EFDB19CF69C884AAE77A9EF42360B24813DE815C7640EB78DD42AB40
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _memmove
              • String ID: AU3!P/{$EA06
              • API String ID: 4104443479-1001243050
              • Opcode ID: 4901804f5ca37af24688f7e69c9d25f0145db5d9da132401c4d9ffc44655cc57
              • Instruction ID: 20a79b4337c7cd824d7f07bac6685b942785be9c8a3b58a8d0f5c0538edc6460
              • Opcode Fuzzy Hash: 4901804f5ca37af24688f7e69c9d25f0145db5d9da132401c4d9ffc44655cc57
              • Instruction Fuzzy Hash: 00417C31B04178ABDF229B64FC557BE7FA2DB45300F684464EE82DB287D63C9D8483A1
              APIs
              • _memset.LIBCMT ref: 0075EA39
              • GetOpenFileNameW.COMDLG32(?), ref: 0075EA83
                • Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770
                • Part of subcall function 00740791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007407B0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Name$Path$FileFullLongOpen_memset
              • String ID: X
              • API String ID: 3777226403-3081909835
              • Opcode ID: 69ecf77bc62dfa2de3a7a36565443ceaa17c224e93930b0a6067dc0c8c55c872
              • Instruction ID: 69c9f1e60116d2b202c5eaef527cb4993c2804b27fab458de2d274ebc39ae620
              • Opcode Fuzzy Hash: 69ecf77bc62dfa2de3a7a36565443ceaa17c224e93930b0a6067dc0c8c55c872
              • Instruction Fuzzy Hash: E021C671A00258DBCB459F94DC49BEE7BF8AF49315F00801AE908AB341DBFC5989CF91
              APIs
              • GetTempPathW.KERNEL32(00000104,?), ref: 007898F8
              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0078990F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Temp$FileNamePath
              • String ID: aut
              • API String ID: 3285503233-3010740371
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
              • _memset.LIBCMT ref: 00724370
              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00724415
              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00724432
              Similarity
              • API ID: IconNotifyShell_$_memset
              • String ID:
              • API String ID: 1505330794-0
              APIs
              • __FF_MSGBANNER.LIBCMT ref: 00745733
                • Part of subcall function 0074A16B: __NMSG_WRITE.LIBCMT ref: 0074A192
                • Part of subcall function 0074A16B: __NMSG_WRITE.LIBCMT ref: 0074A19C
              • __NMSG_WRITE.LIBCMT ref: 0074573A
                • Part of subcall function 0074A1C8: GetModuleFileNameW.KERNEL32(00000000,007E33BA,00000104,?,00000001,00000000), ref: 0074A25A
                • Part of subcall function 0074A1C8: ___crtMessageBoxW.LIBCMT ref: 0074A308
                • Part of subcall function 0074309F: ___crtCorExitProcess.LIBCMT ref: 007430A5
                • Part of subcall function 0074309F: ExitProcess.KERNEL32 ref: 007430AE
                • Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28
              • RtlAllocateHeap.NTDLL(00E10000,00000000,00000001,00000000,?,?,?,00740DD3,?), ref: 0074575F
              Similarity
              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
              • String ID:
              • API String ID: 1372826849-0
              APIs
              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00789548,?,?,?,?,?,00000004), ref: 007898BB
              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00789548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007898D1
              • CloseHandle.KERNEL32(00000000,?,00789548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007898D8
              Similarity
              • API ID: File$CloseCreateHandleTime
              • String ID:
              • API String ID: 3397143404-0
              APIs
              • _free.LIBCMT ref: 00788D1B
                • Part of subcall function 00742D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00749A24), ref: 00742D69
                • Part of subcall function 00742D55: GetLastError.KERNEL32(00000000,?,00749A24), ref: 00742D7B
              • _free.LIBCMT ref: 00788D2C
              • _free.LIBCMT ref: 00788D3E
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              Strings
              Similarity
              • API ID:
              • String ID: CALL
              • API String ID: 0-4196123274
              APIs
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
                • Part of subcall function 0074571C: __FF_MSGBANNER.LIBCMT ref: 00745733
                • Part of subcall function 0074571C: __NMSG_WRITE.LIBCMT ref: 0074573A
                • Part of subcall function 0074571C: RtlAllocateHeap.NTDLL(00E10000,00000000,00000001,00000000,?,?,?,00740DD3,?), ref: 0074575F
              • std::exception::exception.LIBCMT ref: 00740DEC
              • __CxxThrowException@8.LIBCMT ref: 00740E01
                • Part of subcall function 0074859B: RaiseException.KERNEL32(?,?,?,007D9E78,00000000,?,?,?,?,00740E06,?,007D9E78,?,00000001), ref: 007485F0
              Similarity
              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
              • String ID:
              • API String ID: 3902256705-0
              APIs
                • Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28
              • __lock_file.LIBCMT ref: 007453EB
                • Part of subcall function 00746C11: __lock.LIBCMT ref: 00746C34
              • __fclose_nolock.LIBCMT ref: 007453F6
              Similarity
              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
              • String ID:
              • API String ID: 2800547568-0
              APIs
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              APIs
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              APIs
                • Part of subcall function 00724BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00724BEF
                • Part of subcall function 0074525B: __wfsopen.LIBCMT ref: 00745266
              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00724E0F
                • Part of subcall function 00724B6A: FreeLibrary.KERNEL32(00000000), ref: 00724BA4
                • Part of subcall function 00724C70: _memmove.LIBCMT ref: 00724CBA
              Similarity
              • API ID: Library$Free$Load__wfsopen_memmove
              • String ID:
              • API String ID: 1396898556-0
              APIs
              Similarity
              • API ID: ClearVariant
              • String ID:
              • API String ID: 1473721057-0
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
              • __lock_file.LIBCMT ref: 007448A6
                • Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28
              Similarity
              • API ID: __getptd_noexit__lock_file
              • String ID:
              • API String ID: 2597487223-0
              APIs
              • FreeLibrary.KERNEL32(?,?,007E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00724E7E
              Similarity
              • API ID: FreeLibrary
              • String ID:
              • API String ID: 3664257935-0
              APIs
              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007407B0
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
              Similarity
              • API ID: LongNamePath_memmove
              • String ID:
              • API String ID: 2514874351-0
              • Opcode ID: d996296bcc95d46d488729269a4093839d06bb9761a5830b55619a407c540892
              • Instruction ID: 00e6c2819ecb5377d022596d898b45a1c63caab4c2ce78e30fd29075f95fddc6
              • Opcode Fuzzy Hash: d996296bcc95d46d488729269a4093839d06bb9761a5830b55619a407c540892
              • Instruction Fuzzy Hash: 37E0CD769051285BC720D6989C09FEA77DDEFC97A1F0441B5FC0CD7254D9A4AC8086D0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction ID: c281e31fa6468f0370b3be672687effa3ab77d10d2f18ad829591410af1d8b9b
              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction Fuzzy Hash: 93B092B644020CB7CE012A82EC02A493B19AB41764F408021FB0C18162A6B7A6649A89
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AllocVirtual
              • String ID:
              • API String ID: 4275171209-0
              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction ID: aa2bf1930eddcf8655d7b0ab54bfaa3fcf9cbce96e1b3f524a715343ac081de0
              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
              • Instruction Fuzzy Hash: CA31A070A00105DBC718DF58D4C4AA9F7B6FB99300B6486A5E90ACB355DB35EDC1EBE0
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007ACB37
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007ACB95
              • GetWindowLongW.USER32(?,000000F0), ref: 007ACBD6
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007ACC00
              • SendMessageW.USER32 ref: 007ACC29
              • _wcsncpy.LIBCMT ref: 007ACC95
              • GetKeyState.USER32(00000011), ref: 007ACCB6
              • GetKeyState.USER32(00000009), ref: 007ACCC3
              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007ACCD9
              • GetKeyState.USER32(00000010), ref: 007ACCE3
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007ACD0C
              • SendMessageW.USER32 ref: 007ACD33
              • SendMessageW.USER32(?,00001030,?,007AB348), ref: 007ACE37
              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007ACE4D
              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007ACE60
              • SetCapture.USER32(?), ref: 007ACE69
              • ClientToScreen.USER32(?,?), ref: 007ACECE
              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007ACEDB
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007ACEF5
              • ReleaseCapture.USER32 ref: 007ACF00
              • GetCursorPos.USER32(?), ref: 007ACF3A
              • ScreenToClient.USER32(?,?), ref: 007ACF47
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 007ACFA3
              • SendMessageW.USER32 ref: 007ACFD1
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 007AD00E
              • SendMessageW.USER32 ref: 007AD03D
              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007AD05E
              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 007AD06D
              • GetCursorPos.USER32(?), ref: 007AD08D
              • ScreenToClient.USER32(?,?), ref: 007AD09A
              • GetParent.USER32(?), ref: 007AD0BA
              • SendMessageW.USER32(?,00001012,00000000,?), ref: 007AD123
              • SendMessageW.USER32 ref: 007AD154
              • ClientToScreen.USER32(?,?), ref: 007AD1B2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007AD1E2
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 007AD20C
              • SendMessageW.USER32 ref: 007AD22F
              • ClientToScreen.USER32(?,?), ref: 007AD281
              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007AD2B5
                • Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC
              • GetWindowLongW.USER32(?,000000F0), ref: 007AD351
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
              • String ID: @GUI_DRAGID$F$P`$pb~
              • API String ID: 3977979337-4198633725
              • Opcode ID: 34b0f2391d07aa0a7e20c60964faf453f7907629eb4039e9245d2ddd630d804b
              • Instruction ID: 27d4e3264d7631bafbd3d2af3f68685176f3919dca27e96e7f196150b0a83997
              • Opcode Fuzzy Hash: 34b0f2391d07aa0a7e20c60964faf453f7907629eb4039e9245d2ddd630d804b
              • Instruction Fuzzy Hash: AB42AF74204280EFDB25CF64C888BAABBE5FF8A314F144619F565872B1C739DC50DBA6
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _memmove$_memset
              • String ID: ]}$3cs$DEFINE$P\}$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_s
              • API String ID: 1357608183-3017454739
              • Opcode ID: 26654ad50f92ec171f00547bfbe0190eefbf17b89ed6d8dacd836f2106cd21f9
              • Instruction ID: c13fc5d2a6ecb38c989e7592e2bde09b97ee6765bbccf3ce95f2538be185b038
              • Opcode Fuzzy Hash: 26654ad50f92ec171f00547bfbe0190eefbf17b89ed6d8dacd836f2106cd21f9
              • Instruction Fuzzy Hash: 0893B471A00219DFDF28CF58C881BADB7B1FF48350F25C16AE959AB281E7789D81DB50
              APIs
              • GetForegroundWindow.USER32(00000000,?), ref: 007248DF
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075D665
              • IsIconic.USER32(?), ref: 0075D66E
              • ShowWindow.USER32(?,00000009), ref: 0075D67B
              • SetForegroundWindow.USER32(?), ref: 0075D685
              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0075D69B
              • GetCurrentThreadId.KERNEL32 ref: 0075D6A2
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0075D6AE
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0075D6BF
              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0075D6C7
              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0075D6CF
              • SetForegroundWindow.USER32(?), ref: 0075D6D2
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0075D6E7
              • keybd_event.USER32(00000012,00000000), ref: 0075D6F2
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0075D6FC
              • keybd_event.USER32(00000012,00000000), ref: 0075D701
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0075D70A
              • keybd_event.USER32(00000012,00000000), ref: 0075D70F
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0075D719
              • keybd_event.USER32(00000012,00000000), ref: 0075D71E
              • SetForegroundWindow.USER32(?), ref: 0075D721
              • AttachThreadInput.USER32(?,?,00000000), ref: 0075D748
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
              • String ID: Shell_TrayWnd
              • API String ID: 4125248594-2988720461
              • Opcode ID: a2b4c779d43fb32e16446bf8b31607af77205523ebc4c9efbc9b8f7732e6cce8
              • Instruction ID: 5a865aa862253fd5f67b470102d558b2db5b270bc985474e439bdd18780fe76c
              • Opcode Fuzzy Hash: a2b4c779d43fb32e16446bf8b31607af77205523ebc4c9efbc9b8f7732e6cce8
              • Instruction Fuzzy Hash: A1319571A40318BBEB305FA19C49FBF3E6CEB85B51F104025FA04EA1D1C6B45D11ABA5
              APIs
                • Part of subcall function 007787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077882B
                • Part of subcall function 007787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00778858
                • Part of subcall function 007787E1: GetLastError.KERNEL32 ref: 00778865
              • _memset.LIBCMT ref: 00778353
              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007783A5
              • CloseHandle.KERNEL32(?), ref: 007783B6
              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007783CD
              • GetProcessWindowStation.USER32 ref: 007783E6
              • SetProcessWindowStation.USER32(00000000), ref: 007783F0
              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0077840A
                • Part of subcall function 007781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00778309), ref: 007781E0
                • Part of subcall function 007781CB: CloseHandle.KERNEL32(?,?,00778309), ref: 007781F2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
              • String ID: $default$winsta0
              • API String ID: 2063423040-1027155976
              • Opcode ID: b37d9db67e1b46f5fc5998d2584d9cc6daf08b1f5f27e81e7aad934eb7b21271
              • Instruction ID: b7daf255628435ca3333831cc587c24f26d83c05904095ee47e019514bd2c122
              • Opcode Fuzzy Hash: b37d9db67e1b46f5fc5998d2584d9cc6daf08b1f5f27e81e7aad934eb7b21271
              • Instruction Fuzzy Hash: 1F818D71940209EFDF51DFA4CC49AEE7B79FF04384F248169F918A2261DB398E24DB21
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0078C78D
              • FindClose.KERNEL32(00000000), ref: 0078C7E1
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0078C806
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0078C81D
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0078C844
              • __swprintf.LIBCMT ref: 0078C890
              • __swprintf.LIBCMT ref: 0078C8D3
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
              • __swprintf.LIBCMT ref: 0078C927
                • Part of subcall function 00743698: __woutput_l.LIBCMT ref: 007436F1
              • __swprintf.LIBCMT ref: 0078C975
                • Part of subcall function 00743698: __flsbuf.LIBCMT ref: 00743713
                • Part of subcall function 00743698: __flsbuf.LIBCMT ref: 0074372B
              • __swprintf.LIBCMT ref: 0078C9C4
              • __swprintf.LIBCMT ref: 0078CA13
              • __swprintf.LIBCMT ref: 0078CA62
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
              • API String ID: 3953360268-2428617273
              • Opcode ID: 1ae4501f25c7ac80931181d6d4fd67d7e5bc40f8533f4482e61f951e620856e9
              • Instruction ID: ba3f7cc1c2fe3f0cd2b6bf35acbf8028d78e7e13312dfd07120fc3c507618d4a
              • Opcode Fuzzy Hash: 1ae4501f25c7ac80931181d6d4fd67d7e5bc40f8533f4482e61f951e620856e9
              • Instruction Fuzzy Hash: B3A13BB1508355EBC744EBA4D889DAFB7ECFF85700F44491AF585C6191EA38EA08CB62
              APIs
              • FindFirstFileW.KERNEL32(?,?,76128FB0,?,00000000), ref: 0078EFB6
              • _wcscmp.LIBCMT ref: 0078EFCB
              • _wcscmp.LIBCMT ref: 0078EFE2
              • GetFileAttributesW.KERNEL32(?), ref: 0078EFF4
              • SetFileAttributesW.KERNEL32(?,?), ref: 0078F00E
              • FindNextFileW.KERNEL32(00000000,?), ref: 0078F026
              • FindClose.KERNEL32(00000000), ref: 0078F031
              • FindFirstFileW.KERNEL32(*.*,?), ref: 0078F04D
              • _wcscmp.LIBCMT ref: 0078F074
              • _wcscmp.LIBCMT ref: 0078F08B
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0078F09D
              • SetCurrentDirectoryW.KERNEL32(007D8920), ref: 0078F0BB
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0078F0C5
              • FindClose.KERNEL32(00000000), ref: 0078F0D2
              • FindClose.KERNEL32(00000000), ref: 0078F0E4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
              • String ID: *.*
              • API String ID: 1803514871-438819550
              • Opcode ID: 4d55ce47bf625e282e4e82e4110080dd4728dba26eb8981032b37da6921e34ff
              • Instruction ID: 7349fc3bd5f4ad95788c5113dd8f8068514cc64a27d92c12ca38b53c990fade9
              • Opcode Fuzzy Hash: 4d55ce47bf625e282e4e82e4110080dd4728dba26eb8981032b37da6921e34ff
              • Instruction Fuzzy Hash: 6431D532541218AEDB14EFF4DC48BEEB7ACAF89360F104276E844E2191DB78DE44CB65
              APIs
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007A0953
              • RegCreateKeyExW.ADVAPI32(?,?,00000000,007AF910,00000000,?,00000000,?,?), ref: 007A09C1
              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007A0A09
              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007A0A92
              • RegCloseKey.ADVAPI32(?), ref: 007A0DB2
              • RegCloseKey.ADVAPI32(00000000), ref: 007A0DBF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Close$ConnectCreateRegistryValue
              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
              • API String ID: 536824911-966354055
              • Opcode ID: 62f4728737e2b0314c353535b9ad08e91fd7a8d78fb236d92e76f08855711f05
              • Instruction ID: 6497ae85d410480ccb5470f5a356b5ecc1cf75452cddf73a65d12165ed212309
              • Opcode Fuzzy Hash: 62f4728737e2b0314c353535b9ad08e91fd7a8d78fb236d92e76f08855711f05
              • Instruction Fuzzy Hash: B2023975600611DFCB14EF24D859E2AB7E5EF8A310F08895DF9899B362DB38EC41CB85
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID: 0D|$0E|$0F|$3cs$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG|$_s
              • API String ID: 0-3244020149
              • Opcode ID: 24a8c839b99452c70a4f86b7242eca7867018927754966b49cb8775799ae5b2b
              • Instruction ID: abc8e0bb9b6b57f854f9bbf6022517075a25cb87edadb4fb801b502b587c407e
              • Opcode Fuzzy Hash: 24a8c839b99452c70a4f86b7242eca7867018927754966b49cb8775799ae5b2b
              • Instruction Fuzzy Hash: 407260B5E00219DBDF14CF58C8807ADB7B5FF44750F64C16AE949EB291EB389A41CB90
              APIs
              • FindFirstFileW.KERNEL32(?,?,76128FB0,?,00000000), ref: 0078F113
              • _wcscmp.LIBCMT ref: 0078F128
              • _wcscmp.LIBCMT ref: 0078F13F
                • Part of subcall function 00784385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007843A0
              • FindNextFileW.KERNEL32(00000000,?), ref: 0078F16E
              • FindClose.KERNEL32(00000000), ref: 0078F179
              • FindFirstFileW.KERNEL32(*.*,?), ref: 0078F195
              • _wcscmp.LIBCMT ref: 0078F1BC
              • _wcscmp.LIBCMT ref: 0078F1D3
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0078F1E5
              • SetCurrentDirectoryW.KERNEL32(007D8920), ref: 0078F203
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0078F20D
              • FindClose.KERNEL32(00000000), ref: 0078F21A
              • FindClose.KERNEL32(00000000), ref: 0078F22C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
              • String ID: *.*
              • API String ID: 1824444939-438819550
              • Opcode ID: 84e2f6fad7901cac6bac4f6e40d5fa8f3df25de4abbb5516a72b4db08ee961f7
              • Instruction ID: bea906ef70414d45c20191ad1476cb6c4e5b5bd9fc89906769471fce26214130
              • Opcode Fuzzy Hash: 84e2f6fad7901cac6bac4f6e40d5fa8f3df25de4abbb5516a72b4db08ee961f7
              • Instruction Fuzzy Hash: 3231E73654021DAADF10BBB4EC59BEEB7BCAF85360F104175E804E21A0DB38DE45CB68
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0078A20F
              • __swprintf.LIBCMT ref: 0078A231
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0078A26E
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0078A293
              • _memset.LIBCMT ref: 0078A2B2
              • _wcsncpy.LIBCMT ref: 0078A2EE
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0078A323
              • CloseHandle.KERNEL32(00000000), ref: 0078A32E
              • RemoveDirectoryW.KERNEL32(?), ref: 0078A337
              • CloseHandle.KERNEL32(00000000), ref: 0078A341
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
              • String ID: :$\$\??\%s
              • API String ID: 2733774712-3457252023
              • Opcode ID: c45c89612674d4525d0e1fb60e92f5a02694ce870c6723320975fe8ad8d7a8ad
              • Instruction ID: 06c2fa453dcab1567c918baffbf8e7522404d899263e46953d0b794eb1f34b64
              • Opcode Fuzzy Hash: c45c89612674d4525d0e1fb60e92f5a02694ce870c6723320975fe8ad8d7a8ad
              • Instruction Fuzzy Hash: 3D318EB1940109BBDB219FA0DC49FEB37BCEF89740F1041B6F508D2160EB7896448B25
              APIs
              • GetKeyboardState.USER32(?), ref: 00780097
              • SetKeyboardState.USER32(?), ref: 00780102
              • GetAsyncKeyState.USER32(000000A0), ref: 00780122
              • GetKeyState.USER32(000000A0), ref: 00780139
              • GetAsyncKeyState.USER32(000000A1), ref: 00780168
              • GetKeyState.USER32(000000A1), ref: 00780179
              • GetAsyncKeyState.USER32(00000011), ref: 007801A5
              • GetKeyState.USER32(00000011), ref: 007801B3
              • GetAsyncKeyState.USER32(00000012), ref: 007801DC
              • GetKeyState.USER32(00000012), ref: 007801EA
              • GetAsyncKeyState.USER32(0000005B), ref: 00780213
              • GetKeyState.USER32(0000005B), ref: 00780221
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: State$Async$Keyboard
              • String ID:
              • API String ID: 541375521-0
              • Opcode ID: e1dabb61a64b83f86965786d5fc5ee6b758623e382b190c2e18e9ab34b5c76a3
              • Instruction ID: 4b84743c4657321d4e392361706be645e58354150cdb9df2a6664a15d724eb3c
              • Opcode Fuzzy Hash: e1dabb61a64b83f86965786d5fc5ee6b758623e382b190c2e18e9ab34b5c76a3
              • Instruction Fuzzy Hash: F451DB209447886DFB75FBA088597EABFB49F01380F084599D5C2565C3DAAC9B8CC7E1
              APIs
                • Part of subcall function 007A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079FDAD,?,?), ref: 007A0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007A04AC
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007A054B
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007A05E3
              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007A0822
              • RegCloseKey.ADVAPI32(00000000), ref: 007A082F
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
              • String ID:
              • API String ID: 1240663315-0
              • Opcode ID: 53fdc817969d784f6137202f5f46c7dbfea197f96dfb145eff68820e380fa200
              • Instruction ID: f11164dc557c2e0801f42ff14b2b4f36eea2a26700114f74ef0b0bea8f3460f9
              • Opcode Fuzzy Hash: 53fdc817969d784f6137202f5f46c7dbfea197f96dfb145eff68820e380fa200
              • Instruction Fuzzy Hash: 55E13D71604214EFCB14DF24C895E2ABBE5FF8A314F04896DF94ADB261DA38ED05CB91
              APIs
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              • CoInitialize.OLE32 ref: 00798403
              • CoUninitialize.OLE32 ref: 0079840E
              • CoCreateInstance.OLE32(?,00000000,00000017,007B2BEC,?), ref: 0079846E
              • IIDFromString.OLE32(?,?), ref: 007984E1
              • VariantInit.OLEAUT32(?), ref: 0079857B
              • VariantClear.OLEAUT32(?), ref: 007985DC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
              • API String ID: 834269672-1287834457
              • Opcode ID: aee06a36967ba8c740d04e4aad6bfc3ab0186d1895775aefa1dcb25588f85ab9
              • Instruction ID: 3252d0c50f525aa63932d34359b997eda0aa04081c2ae151d59518767d9833eb
              • Opcode Fuzzy Hash: aee06a36967ba8c740d04e4aad6bfc3ab0186d1895775aefa1dcb25588f85ab9
              • Instruction Fuzzy Hash: 3361C070608312DFCB50DF64E848F6AB7E4AF4A754F044419F9859B2A1CB78ED48CB93
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
              • String ID:
              • API String ID: 1737998785-0
              • Opcode ID: 8ddfa60449ab414f350ed1aabde932e4b84777f4f7a842408dec4e5b34b211c9
              • Instruction ID: 20798b5da3f28cabfaabef2b59eb4424234b1de4e586663e7188da384cb5c03c
              • Opcode Fuzzy Hash: 8ddfa60449ab414f350ed1aabde932e4b84777f4f7a842408dec4e5b34b211c9
              • Instruction Fuzzy Hash: 2221AD35201614DFDB10AF60EC09F6D7BA8FF45310F04C02AFA46DB2A1CB38A802CB48
              APIs
                • Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770
                • Part of subcall function 00784A31: GetFileAttributesW.KERNEL32(?,0078370B), ref: 00784A32
              • FindFirstFileW.KERNEL32(?,?), ref: 007838A3
              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0078394B
              • MoveFileW.KERNEL32(?,?), ref: 0078395E
              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0078397B
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0078399D
              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 007839B9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
              • String ID: \*.*
              • API String ID: 4002782344-1173974218
              • Opcode ID: 0beb8d4c92bfbd090482224784b8513e6f305a06659fdd0d8a327abbabcf6867
              • Instruction ID: 7ec83d60b68094c37d8255f53031fba433ecb97e843d578e258c22d6bf170032
              • Opcode Fuzzy Hash: 0beb8d4c92bfbd090482224784b8513e6f305a06659fdd0d8a327abbabcf6867
              • Instruction Fuzzy Hash: 5651CD3184115DEACF05FBA4EA969EDB778AF11300F604069E846B7192EF396F09CB61
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0078F440
              • Sleep.KERNEL32(0000000A), ref: 0078F470
              • _wcscmp.LIBCMT ref: 0078F484
              • _wcscmp.LIBCMT ref: 0078F49F
              • FindNextFileW.KERNEL32(?,?), ref: 0078F53D
              • FindClose.KERNEL32(00000000), ref: 0078F553
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
              • String ID: *.*
              • API String ID: 713712311-438819550
              • Opcode ID: a20395d07e9896f8e3847f7d29f4a0bdd6fcfc79f5f9204753a6843974a829a4
              • Instruction ID: 674d563e8852d1a4206446eddce663dcc8d9a85745021dc4b3e4c15d0d4b7568
              • Opcode Fuzzy Hash: a20395d07e9896f8e3847f7d29f4a0bdd6fcfc79f5f9204753a6843974a829a4
              • Instruction Fuzzy Hash: EC415E71940219DFCF14EFA4DC49AEEBBB4FF05310F14456AE819A2191DB389E95CF60
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __itow__swprintf
              • String ID: 3cs$_s
              • API String ID: 674341424-944816363
              • Opcode ID: 244b6b610868cd047ae30acfc3c3db29635bac460e2bf66e1d1248b9983f7698
              • Instruction ID: 20a7a1662b433708eaba50c82d4a2d046a010718ce83f44440a25d81ccfe3a6d
              • Opcode Fuzzy Hash: 244b6b610868cd047ae30acfc3c3db29635bac460e2bf66e1d1248b9983f7698
              • Instruction Fuzzy Hash: 7222BB71608350DFE724DF24C885B6EB7E4BF84310F44492CF99A97292DB39EA04CB92
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _memmove
              • String ID:
              • API String ID: 4104443479-0
              • Opcode ID: 7e041303c628e7c40e0e6af927542ae3a0aec0518746cdc42919b4cf2726adfa
              • Instruction ID: 0396e9e6a6d4b9a36e719e12783e09c46e4170faaff2252e5ae480b6d1efea36
              • Opcode Fuzzy Hash: 7e041303c628e7c40e0e6af927542ae3a0aec0518746cdc42919b4cf2726adfa
              • Instruction Fuzzy Hash: CB129D70A00619DFDF14DFA5D985AEEB7F5FF48300F108529E44AE7251EB3AA920CB91
              APIs
                • Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770
                • Part of subcall function 00784A31: GetFileAttributesW.KERNEL32(?,0078370B), ref: 00784A32
              • FindFirstFileW.KERNEL32(?,?), ref: 00783B89
              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00783BD9
              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00783BEA
              • FindClose.KERNEL32(00000000), ref: 00783C01
              • FindClose.KERNEL32(00000000), ref: 00783C0A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
              • String ID: \*.*
              • API String ID: 2649000838-1173974218
              • Opcode ID: fbf009fdcc989ef85b8a887277d680e30b34657596cf8b3e0c750df005c6cb4d
              • Instruction ID: 36d15142befff67dfc8f4aab176e34f529e07b1d2cd31329eefe6e74488047d8
              • Opcode Fuzzy Hash: fbf009fdcc989ef85b8a887277d680e30b34657596cf8b3e0c750df005c6cb4d
              • Instruction Fuzzy Hash: F431A171048395DBC304FF68D9959AFBBE8BE92310F404E2DF4D592191EB29DA08C767
              APIs
                • Part of subcall function 007787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077882B
                • Part of subcall function 007787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00778858
                • Part of subcall function 007787E1: GetLastError.KERNEL32 ref: 00778865
              • ExitWindowsEx.USER32(?,00000000), ref: 007851F9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
              • String ID: $@$SeShutdownPrivilege
              • API String ID: 2234035333-194228
              • Opcode ID: e1d2531754014bfb0d9390c098686e525308ee5eb2861e9ed433946641705fff
              • Instruction ID: 5af88e3cae4c2c9e248fc31f6b36b4fa8b3c790e141739f8a2741f02cad7088d
              • Opcode Fuzzy Hash: e1d2531754014bfb0d9390c098686e525308ee5eb2861e9ed433946641705fff
              • Instruction Fuzzy Hash: CE012BB17D16156BFB2872B89C8EFBB7258FB05781F204425F957E20D2DD5D1C008794
              APIs
              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007962DC
              • WSAGetLastError.WSOCK32(00000000), ref: 007962EB
              • bind.WSOCK32(00000000,?,00000010), ref: 00796307
              • listen.WSOCK32(00000000,00000005), ref: 00796316
              • WSAGetLastError.WSOCK32(00000000), ref: 00796330
              • closesocket.WSOCK32(00000000,00000000), ref: 00796344
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketlistensocket
              • String ID:
              • API String ID: 1279440585-0
              • Opcode ID: 594a71168f5b94487acda9a8448a8b69efdacb5ccfacffe2cd63598469509e14
              • Instruction ID: a4e1f6f3438f40aa4fd5632519324e6a139cf0df4bfad5f31e7e10e93ce9d390
              • Opcode Fuzzy Hash: 594a71168f5b94487acda9a8448a8b69efdacb5ccfacffe2cd63598469509e14
              • Instruction Fuzzy Hash: B021D071600210DFCF10EF64EC89A6EB7E9EF89720F188259E956A7391C778AC01CB51
              APIs
                • Part of subcall function 00740DB6: std::exception::exception.LIBCMT ref: 00740DEC
                • Part of subcall function 00740DB6: __CxxThrowException@8.LIBCMT ref: 00740E01
              • _memmove.LIBCMT ref: 00770258
              • _memmove.LIBCMT ref: 0077036D
              • _memmove.LIBCMT ref: 00770414
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _memmove$Exception@8Throwstd::exception::exception
              • String ID:
              • API String ID: 1300846289-0
              • Opcode ID: 05b56ad9d69ee0ce2f759dd00f49abec44ddeb99e6484df8faa2b07b401085d0
              • Instruction ID: 33182b41ee9f9334049d03416311ced95f6401e911533f4faf1dd9ed80ba5128
              • Opcode Fuzzy Hash: 05b56ad9d69ee0ce2f759dd00f49abec44ddeb99e6484df8faa2b07b401085d0
              • Instruction Fuzzy Hash: 9202DFB0A00219DBDF04DF64D985AAEBBB5FF44340F54C069E80ADB256EB39E950CB91
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • DefDlgProcW.USER32(?,?,?,?,?), ref: 007219FA
              • GetSysColor.USER32(0000000F), ref: 00721A4E
              • SetBkColor.GDI32(?,00000000), ref: 00721A61
                • Part of subcall function 00721290: DefDlgProcW.USER32(?,00000020,?), ref: 007212D8
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ColorProc$LongWindow
              • String ID:
              • API String ID: 3744519093-0
              • Opcode ID: 776bd04ac6e0c8d79575c65a459e501c22f88f71fc7fc8dca46f0ef23863aab5
              • Instruction ID: 97de91a2b1be3d1063012bbb41ddef3dea72ab47848ecacee6e906504a25e3bc
              • Opcode Fuzzy Hash: 776bd04ac6e0c8d79575c65a459e501c22f88f71fc7fc8dca46f0ef23863aab5
              • Instruction Fuzzy Hash: FBA190711025B4FED7389B387C49EBF366CFFA6342B948219F402D5192CB6EAD0192B5
              APIs
                • Part of subcall function 00797D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00797DB6
              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0079679E
              • WSAGetLastError.WSOCK32(00000000), ref: 007967C7
              • bind.WSOCK32(00000000,?,00000010), ref: 00796800
              • WSAGetLastError.WSOCK32(00000000), ref: 0079680D
              • closesocket.WSOCK32(00000000,00000000), ref: 00796821
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ErrorLast$bindclosesocketinet_addrsocket
              • String ID:
              • API String ID: 99427753-0
              • Opcode ID: fe4ba35db9a66d674c438e384297ba33da544cb8b1f487e4c4fca8e0ace07e69
              • Instruction ID: 2220765c44567bfdcdcf08e1e20aa1d696d1a3c5d6a4893260f774a3afae79d0
              • Opcode Fuzzy Hash: fe4ba35db9a66d674c438e384297ba33da544cb8b1f487e4c4fca8e0ace07e69
              • Instruction Fuzzy Hash: 6A41D475B00220EFDF50AF64AC8AF6E77E8DF49714F488558FA15AB3C2DA789D008791
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$EnabledForegroundIconicVisibleZoomed
              • String ID:
              • API String ID: 292994002-0
              • Opcode ID: 8484deec13fa3b03a01f52541be0e28e135e56e525702c221f36b6005b90320e
              • Instruction ID: d1ab1b6e1330d8cc364bf5242eca3b23d47eb4c9b744fe52799181e1aa3ee96d
              • Opcode Fuzzy Hash: 8484deec13fa3b03a01f52541be0e28e135e56e525702c221f36b6005b90320e
              • Instruction Fuzzy Hash: 60112732700921AFDF206F26DC48A2E7B98FFC67A1B448139F845D3241CB7CDC0186A4
              APIs
              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007780C0
              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007780CA
              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007780D9
              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007780E0
              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007780F6
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 215c521719b0e54ec499a8f95445cd64ac0ff5cd1501fbb05f62d5a2d04cfc9c
              • Instruction ID: f9183a42d6b262c30ae0af789edaa38e2e4fb04d50386ae5fc47c9d64f8556cf
              • Opcode Fuzzy Hash: 215c521719b0e54ec499a8f95445cd64ac0ff5cd1501fbb05f62d5a2d04cfc9c
              • Instruction Fuzzy Hash: 72F06231240208AFEB501FA5EC8DE673BACEF8A795B508029F949C6150CB699C41DE61
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00724AD0), ref: 00724B45
              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00724B57
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetNativeSystemInfo$kernel32.dll
              • API String ID: 2574300362-192647395
              • Opcode ID: 210920dd322e45696f2d522e8693b5790142d2138ff71546207e8f68f9c58e14
              • Instruction ID: fdebff7618a886da0f7c5beaace4f073252719e8e01a4d9e1cec3e9ca5c3d953
              • Opcode Fuzzy Hash: 210920dd322e45696f2d522e8693b5790142d2138ff71546207e8f68f9c58e14
              • Instruction Fuzzy Hash: 37D012B4A10727DFD7209FB1E858B4676E5AF86351B11C83DD486D6150D678D480CA68
              APIs
              • CreateToolhelp32Snapshot.KERNEL32 ref: 0079EE3D
              • Process32FirstW.KERNEL32(00000000,?), ref: 0079EE4B
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
              • Process32NextW.KERNEL32(00000000,?), ref: 0079EF0B
              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0079EF1A
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
              • String ID:
              • API String ID: 2576544623-0
              • Opcode ID: a8b84010582c5ebbb464a8df5438052a05beff2927bce30768eb7abb7863ce69
              • Instruction ID: e499aa6056e043193cc519290dd12d29b1cea989eee7adacc63ddbf646fbe63f
              • Opcode Fuzzy Hash: a8b84010582c5ebbb464a8df5438052a05beff2927bce30768eb7abb7863ce69
              • Instruction Fuzzy Hash: 4551AE71104311EFD710EF20EC89E6BB7E8EF88710F44482DF595972A1EB34A908CB92
              APIs
              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0077E628
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: lstrlen
              • String ID: ($|
              • API String ID: 1659193697-1631851259
              • Opcode ID: 7985705368f115387f2a461caf0157ca8efdcec5928a5c956b7979c9d44aceac
              • Instruction ID: 0d26a543d8f376d87f57a916804d547c573874eb05c905f696fb6285bdda5772
              • Opcode Fuzzy Hash: 7985705368f115387f2a461caf0157ca8efdcec5928a5c956b7979c9d44aceac
              • Instruction Fuzzy Hash: 82322475A00705DFDB28CF29C48196AB7F1FF48360B15C4AEE99ADB3A1E774A941CB40
              APIs
              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0079180A,00000000), ref: 007923E1
              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00792418
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Internet$AvailableDataFileQueryRead
              • String ID:
              • API String ID: 599397726-0
              • Opcode ID: 009ee524328a39296fe5b5b9887576702f0f065ada7b093edb13831b6afd1856
              • Instruction ID: 83c7b19465c50409081fab440a7911a0dac6ad034d8685f565e34db269be7993
              • Opcode Fuzzy Hash: 009ee524328a39296fe5b5b9887576702f0f065ada7b093edb13831b6afd1856
              • Instruction Fuzzy Hash: C741C471A04209FFEF10FE95EC85EBB77BCEB40314F10406AF641A6152DB7D9E429A60
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0078B343
              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0078B39D
              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0078B3EA
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ErrorMode$DiskFreeSpace
              • String ID:
              • API String ID: 1682464887-0
              • Opcode ID: c282a892a244934e2dd9703c7dcda450ce3933c5b5f0a5da2abdb8b79446c41c
              • Instruction ID: f36ab24514001a7b2a1a5dd1093287fc4c8d286d572f36df38aebe8ad0e8b428
              • Opcode Fuzzy Hash: c282a892a244934e2dd9703c7dcda450ce3933c5b5f0a5da2abdb8b79446c41c
              • Instruction Fuzzy Hash: ED217135A00518EFCB00EFA5D885EEDBBB8FF49310F1480A9E905AB351CB35A915CB54
              APIs
                • Part of subcall function 00740DB6: std::exception::exception.LIBCMT ref: 00740DEC
                • Part of subcall function 00740DB6: __CxxThrowException@8.LIBCMT ref: 00740E01
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077882B
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00778858
              • GetLastError.KERNEL32 ref: 00778865
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
              • String ID:
              • API String ID: 1922334811-0
              • Opcode ID: 325ef876a82c82b9f08e1db842ff29940b9ec0f2c71f0928ac5d7601b1460aa5
              • Instruction ID: a002d1e0214ea5b09d025f7128a6e4726f8ddd61c3ca361453e33f04228b619d
              • Opcode Fuzzy Hash: 325ef876a82c82b9f08e1db842ff29940b9ec0f2c71f0928ac5d7601b1460aa5
              • Instruction Fuzzy Hash: 21118FB2914204AFEB18EFA4DC89D6BB7F8EB45751B20C52EF45997241EB34BC408B61
              APIs
              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00778774
              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0077878B
              • FreeSid.ADVAPI32(?), ref: 0077879B
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AllocateCheckFreeInitializeMembershipToken
              • String ID:
              • API String ID: 3429775523-0
              • Opcode ID: 8caffd8d4944e3c91bd8ba158f9e8d68e0caa8b7187c1b0b0be84df6b5f1ebeb
              • Instruction ID: b67954a33d3d483a1aa3d161236fd2808eaf0dfae189e0d9c6428fd2c506157c
              • Opcode Fuzzy Hash: 8caffd8d4944e3c91bd8ba158f9e8d68e0caa8b7187c1b0b0be84df6b5f1ebeb
              • Instruction Fuzzy Hash: 6DF04975A5130CBFDF04DFF4DC89AAEBBBCEF08201F1084A9E902E2181E6756A048B55
              APIs
              • __time64.LIBCMT ref: 0078889B
                • Part of subcall function 0074520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00788F6E,00000000,?,?,?,?,0078911F,00000000,?), ref: 00745213
                • Part of subcall function 0074520A: __aulldiv.LIBCMT ref: 00745233
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Time$FileSystem__aulldiv__time64
              • String ID: 0e~
              • API String ID: 2893107130-1948122971
              • Opcode ID: 44b904176e9ef959f6b2c6b77509e6d5d3f2782d1a63a38ded67bf39b6fef629
              • Instruction ID: bd90dbade1a72e18e5a906b0d7f5f1f0a96c7b2c33e9fe042a7782059a38229e
              • Opcode Fuzzy Hash: 44b904176e9ef959f6b2c6b77509e6d5d3f2782d1a63a38ded67bf39b6fef629
              • Instruction Fuzzy Hash: A9217272635650CBC729CF29D881A52B3E1EBA9311B688E6CD1F5CF2D0CA78A905CB54
              APIs
              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00784CB3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: mouse_event
              • String ID: DOWN
              • API String ID: 2434400541-711622031
              • Opcode ID: bb5545c38a869c10ddd4caadca8d6b4a51e45cdc3e228bf67be6ef1ddda26c5d
              • Instruction ID: c482846326346538874e04d54929a8dd6ed7d987ee07ac57f38acb81000a469c
              • Opcode Fuzzy Hash: bb5545c38a869c10ddd4caadca8d6b4a51e45cdc3e228bf67be6ef1ddda26c5d
              • Instruction Fuzzy Hash: 62E08CB21DD7223DB9083919FD0BEB7078C8B12331B910207F810E51C2EE9CAC8226B8
              APIs
              • FindFirstFileW.KERNEL32(?,?), ref: 0078C6FB
              • FindClose.KERNEL32(00000000), ref: 0078C72B
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 9cb3cd2a464be57a6a7e7229e872ece88ffd9090d89db24f73d254d74f5be701
              • Instruction ID: 558658c2a1e71e8b3d1921a55def9a4137c0a9b73fda490c2c4ddd14c81c20ae
              • Opcode Fuzzy Hash: 9cb3cd2a464be57a6a7e7229e872ece88ffd9090d89db24f73d254d74f5be701
              • Instruction Fuzzy Hash: C5118E726006009FDB10EF29D849A2AF7E9FF85320F04C51DF9A9C7290DB34AC01CB91
              APIs
              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00799468,?,007AFB84,?), ref: 0078A097
              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00799468,?,007AFB84,?), ref: 0078A0A9
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: c9ce98651c67fc5823fcb1c5a697c0894d752ee0202770b56fb910e8c1e384de
              • Instruction ID: b8294d7fd2299a040ef1f1059f55263646ed82fef4e0b8617c62acdd0700a34b
              • Opcode Fuzzy Hash: c9ce98651c67fc5823fcb1c5a697c0894d752ee0202770b56fb910e8c1e384de
              • Instruction Fuzzy Hash: 39F0E23514422DBBDB20AFA4CC48FEA736CBF09362F008166F808D2180D674A900CBA1
              APIs
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00778309), ref: 007781E0
              • CloseHandle.KERNEL32(?,?,00778309), ref: 007781F2
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AdjustCloseHandlePrivilegesToken
              • String ID:
              • API String ID: 81990902-0
              • Opcode ID: e4642bcd5650422a71a271a9ee568eacf056a3e7384849a24d442d4fc6c75b87
              • Instruction ID: 4a8599f6fb42a78301b4c1a8310392ed91ef57fa0ae656de93664fb92cf51b7f
              • Opcode Fuzzy Hash: e4642bcd5650422a71a271a9ee568eacf056a3e7384849a24d442d4fc6c75b87
              • Instruction Fuzzy Hash: 46E08C32010620EFEB252B71EC08D737BEAEF00310710C82DF9A680430CB36ACA0DB50
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00748D57,?,?,?,00000001), ref: 0074A15A
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0074A163
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 83ee6bf695d2a4d141ad9ad08b2e7a8fd47a7dc416b5b618753c88bbe5bbc851
              • Instruction ID: ce746cdf00047cbf11f8ba14f18c71714335436056a6976f1aad7c7dcd13e32f
              • Opcode Fuzzy Hash: 83ee6bf695d2a4d141ad9ad08b2e7a8fd47a7dc416b5b618753c88bbe5bbc851
              • Instruction Fuzzy Hash: BDB09231054208ABCF002BD1EC59B883F68EB86AA2F408020F60D84060CBA654508A99
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e60e5ce3fbf530fcbf04d0f38f7994cd80c72306568a40076ad6077a05c84ef5
              • Instruction ID: 18fe2f8c556a4ef02a09f2ac28b438585bd23e444cfbdd014af1882301656300
              • Opcode Fuzzy Hash: e60e5ce3fbf530fcbf04d0f38f7994cd80c72306568a40076ad6077a05c84ef5
              • Instruction Fuzzy Hash: EE320362D29F414DDB279634D872336A289AFB73C4F15D737E819B5EA6EB2CC4834104
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5fecb75795701aeba4b2d621d27f6bef595470dad3f0f453fd2d2a14c7f6e6ee
              • Instruction ID: 88b687670ee2e6f29ad9c703b94666e2cbffd84f71dd8024d45ef2c03883f8ad
              • Opcode Fuzzy Hash: 5fecb75795701aeba4b2d621d27f6bef595470dad3f0f453fd2d2a14c7f6e6ee
              • Instruction Fuzzy Hash: 27B10120E2AF415DD723A6398831336BB9CAFBB2C5F52D71BFC2670D22EB2585834145
              APIs
              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00778389), ref: 007787D1
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: LogonUser
              • String ID:
              • API String ID: 1244722697-0
              • Opcode ID: cc09d91c90cedf6dd0ccb50dcb20711daf7a26d86f7f96f682e018f6112c0c8d
              • Instruction ID: 10429a34d2b81c898435fa8fe0c988d42e4798a185ce70af6166a8e0baa99aff
              • Opcode Fuzzy Hash: cc09d91c90cedf6dd0ccb50dcb20711daf7a26d86f7f96f682e018f6112c0c8d
              • Instruction Fuzzy Hash: 06D05E322A050EABEF018EA4DC01EAF3B69EB04B01F40C111FE15C50A1C775D835AB60
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0074A12A
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 3c3843e3f333c6b9f73fcd431c6c9f7278c73bd0eba47fadfe1d7e1c2f8fca62
              • Instruction ID: 2f31d8c3d7eee0a3ddab3ab245cf43c62dc35f10a735338e1466d5056bec0d23
              • Opcode Fuzzy Hash: 3c3843e3f333c6b9f73fcd431c6c9f7278c73bd0eba47fadfe1d7e1c2f8fca62
              • Instruction Fuzzy Hash: 0BA0113000020CAB8F002B82EC08888BFACEA822A0B008020F80C800228B32A8208A88
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 213a49db3b7601736c0b597c79cd6f0537893a7b43b29aca2d51417f0252ad64
              • Instruction ID: 16e0b3f6c83c8454193998feedd2d62653c6ce76bed0dde7e2c4afc765dc493b
              • Opcode Fuzzy Hash: 213a49db3b7601736c0b597c79cd6f0537893a7b43b29aca2d51417f0252ad64
              • Instruction Fuzzy Hash: D122173060474ACBEF688B24C494B7C77B1BB41384F68C46BF55A8B593DBBCAD91C642
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: 1a01f32eb7bde2dbf9c357015c88af719b4d9445eca493f0584b0d6ff00dc3b3
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: A1C1A7722050930ADF2D5639C43413EFBA15EA27B139A076DE8B3CB5D5EF28C976D620
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: 59068c087e45201d1d7f5b5ca09c4944d077e8dd371a959fb98790163fabaf7a
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: BCC1B5722051930ADF2D563AC43403EFAA15EA27F139A076DE4B3DB4D5EF28C976D620
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: ae344f97028eb6fa777aa952cbefb6adf4105dbeea1fedd1c97c8957d00f793c
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: 67C1C37234519309DF2D6639C47413EBBA15EA27B139A076DD4B3CB5C4FF28C9A5CA20
              APIs
              • DeleteObject.GDI32(00000000), ref: 0079785B
              • DeleteObject.GDI32(00000000), ref: 0079786D
              • DestroyWindow.USER32 ref: 0079787B
              • GetDesktopWindow.USER32 ref: 00797895
              • GetWindowRect.USER32(00000000), ref: 0079789C
              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007979DD
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007979ED
              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797A35
              • GetClientRect.USER32(00000000,?), ref: 00797A41
              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00797A7B
              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797A9D
              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797AB0
              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797ABB
              • GlobalLock.KERNEL32(00000000), ref: 00797AC4
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797AD3
              • GlobalUnlock.KERNEL32(00000000), ref: 00797ADC
              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797AE3
              • GlobalFree.KERNEL32(00000000), ref: 00797AEE
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797B00
              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007B2CAC,00000000), ref: 00797B16
              • GlobalFree.KERNEL32(00000000), ref: 00797B26
              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00797B4C
              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00797B6B
              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797B8D
              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00797D7A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
              • String ID: $AutoIt v3$DISPLAY$static
              • API String ID: 2211948467-2373415609
              • Opcode ID: a5e8ceed19fe3cba0e729b2d4182dfbd57ed04321088d3fa120218b538c4fef5
              • Instruction ID: b212dfe76cb710a8dc01c1b0f437651ed1a8181d1fd7fe652d7a14a9cba409a7
              • Opcode Fuzzy Hash: a5e8ceed19fe3cba0e729b2d4182dfbd57ed04321088d3fa120218b538c4fef5
              • Instruction Fuzzy Hash: 03025971A10119EFDF14DFA4EC89EAE7BB9FB49310F148158F915AB2A1C738AD01CB64
              APIs
              • CharUpperBuffW.USER32(?,?,007AF910), ref: 007A3627
              • IsWindowVisible.USER32(?), ref: 007A364B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: BuffCharUpperVisibleWindow
              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
              • API String ID: 4105515805-45149045
              • Opcode ID: f10c1b5f5c3b8deccaa92c71412e480b50bd0cfcf5ea80aff9e3ae5e50f35283
              • Instruction ID: 3f2683d20b9925dda363d1692b9c2f2e35708b6b0e5703996003418f1ff9617b
              • Opcode Fuzzy Hash: f10c1b5f5c3b8deccaa92c71412e480b50bd0cfcf5ea80aff9e3ae5e50f35283
              • Instruction Fuzzy Hash: 1DD1B730204311DFCB04EF10C459A6E77A1AFD6394F188569F98A5B3A2DB3DEE09CB91
              APIs
              • SetTextColor.GDI32(?,00000000), ref: 007AA630
              • GetSysColorBrush.USER32(0000000F), ref: 007AA661
              • GetSysColor.USER32(0000000F), ref: 007AA66D
              • SetBkColor.GDI32(?,000000FF), ref: 007AA687
              • SelectObject.GDI32(?,00000000), ref: 007AA696
              • InflateRect.USER32(?,000000FF,000000FF), ref: 007AA6C1
              • GetSysColor.USER32(00000010), ref: 007AA6C9
              • CreateSolidBrush.GDI32(00000000), ref: 007AA6D0
              • FrameRect.USER32(?,?,00000000), ref: 007AA6DF
              • DeleteObject.GDI32(00000000), ref: 007AA6E6
              • InflateRect.USER32(?,000000FE,000000FE), ref: 007AA731
              • FillRect.USER32(?,?,00000000), ref: 007AA763
              • GetWindowLongW.USER32(?,000000F0), ref: 007AA78E
                • Part of subcall function 007AA8CA: GetSysColor.USER32(00000012), ref: 007AA903
                • Part of subcall function 007AA8CA: SetTextColor.GDI32(?,?), ref: 007AA907
                • Part of subcall function 007AA8CA: GetSysColorBrush.USER32(0000000F), ref: 007AA91D
                • Part of subcall function 007AA8CA: GetSysColor.USER32(0000000F), ref: 007AA928
                • Part of subcall function 007AA8CA: GetSysColor.USER32(00000011), ref: 007AA945
                • Part of subcall function 007AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007AA953
                • Part of subcall function 007AA8CA: SelectObject.GDI32(?,00000000), ref: 007AA964
                • Part of subcall function 007AA8CA: SetBkColor.GDI32(?,00000000), ref: 007AA96D
                • Part of subcall function 007AA8CA: SelectObject.GDI32(?,?), ref: 007AA97A
                • Part of subcall function 007AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 007AA999
                • Part of subcall function 007AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007AA9B0
                • Part of subcall function 007AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 007AA9C5
                • Part of subcall function 007AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007AA9ED
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
              • String ID:
              • API String ID: 3521893082-0
              • Opcode ID: d8348fa6eb058316e611cafa70059b33872affc905acef9f1601909e9fe9015d
              • Instruction ID: cbce1ed302d04d365f4d348dff7d3be3ef4dc7c7a327bf85d4b1e2e052d57c0c
              • Opcode Fuzzy Hash: d8348fa6eb058316e611cafa70059b33872affc905acef9f1601909e9fe9015d
              • Instruction Fuzzy Hash: 75918D72408305FFC7119FA4DC08A5B7BA9FFCA321F108B29F9A2961A0D739D944CB56
              APIs
              • DestroyWindow.USER32(?,?,?), ref: 00722CA2
              • DeleteObject.GDI32(00000000), ref: 00722CE8
              • DeleteObject.GDI32(00000000), ref: 00722CF3
              • DestroyIcon.USER32(00000000,?,?,?), ref: 00722CFE
              • DestroyWindow.USER32(00000000,?,?,?), ref: 00722D09
              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0075C43B
              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0075C474
              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0075C89D
                • Part of subcall function 00721B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00722036,?,00000000,?,?,?,?,007216CB,00000000,?), ref: 00721B9A
              • SendMessageW.USER32(?,00001053), ref: 0075C8DA
              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0075C8F1
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0075C907
              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0075C912
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
              • String ID: 0
              • API String ID: 464785882-4108050209
              • Opcode ID: 8d90e78aced8dc0d107e01169e92fe59978af9a156e42ad61859f1ffe03f3aa2
              • Instruction ID: b3b45da35c2642a7833abe7104d6ca3b2f7770f6a06733c4ecc06e131eb43f07
              • Opcode Fuzzy Hash: 8d90e78aced8dc0d107e01169e92fe59978af9a156e42ad61859f1ffe03f3aa2
              • Instruction Fuzzy Hash: D512B030604211EFDB16CF24C888BA9B7E1FF49311F548569F895CB262C779EC96CBA1
              APIs
              • DestroyWindow.USER32(00000000), ref: 007974DE
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0079759D
              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007975DB
              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007975ED
              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00797633
              • GetClientRect.USER32(00000000,?), ref: 0079763F
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00797683
              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00797692
              • GetStockObject.GDI32(00000011), ref: 007976A2
              • SelectObject.GDI32(00000000,00000000), ref: 007976A6
              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007976B6
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007976BF
              • DeleteDC.GDI32(00000000), ref: 007976C8
              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007976F4
              • SendMessageW.USER32(00000030,00000000,00000001), ref: 0079770B
              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00797746
              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0079775A
              • SendMessageW.USER32(00000404,00000001,00000000), ref: 0079776B
              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0079779B
              • GetStockObject.GDI32(00000011), ref: 007977A6
              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007977B1
              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007977BB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
              • API String ID: 2910397461-517079104
              • Opcode ID: 8a6cc6bd63c5715694add47cfec262b2568b9eff86550fb7986a6eb58cc7bc96
              • Instruction ID: 46804a8f5228c2821e6d9505aababacf556bf06c56fa99c54c4491f93231520f
              • Opcode Fuzzy Hash: 8a6cc6bd63c5715694add47cfec262b2568b9eff86550fb7986a6eb58cc7bc96
              • Instruction Fuzzy Hash: 6EA185B1A00619BFEB14DFA4DC4AFAE7779EB49714F048114FA14AB2E0D778AD00CB64
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0078AD1E
              • GetDriveTypeW.KERNEL32(?,007AFAC0,?,\\.\,007AF910), ref: 0078ADFB
              • SetErrorMode.KERNEL32(00000000,007AFAC0,?,\\.\,007AF910), ref: 0078AF59
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ErrorMode$DriveType
              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
              • API String ID: 2907320926-4222207086
              • Opcode ID: b1c27400e0bc270b99aa1046b1adda680e612c0fc1629edeac096b54d89ce657
              • Instruction ID: 392a452d84a919244cb15c6703156b750101c724564c44310baa423d4028738c
              • Opcode Fuzzy Hash: b1c27400e0bc270b99aa1046b1adda680e612c0fc1629edeac096b54d89ce657
              • Instruction Fuzzy Hash: 66519DF0688205FB9B50FB54C986CBD73B1EB49700B248457E606AB391DABCDD41DB53
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007A9AD2
              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007A9B8B
              • SendMessageW.USER32(?,00001102,00000002,?), ref: 007A9BA7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$Window
              • String ID: 0$P`
              • API String ID: 2326795674-3728011039
              • Opcode ID: bdc295a2645f39a91f62a8695a58f75dccc4b48dd746fdf34a160f2d24d9cd85
              • Instruction ID: 4f74127706ee1762d9aecfc0323e32fa981cf1e45c3230a8c9c5c46378ccd2a5
              • Opcode Fuzzy Hash: bdc295a2645f39a91f62a8695a58f75dccc4b48dd746fdf34a160f2d24d9cd85
              • Instruction Fuzzy Hash: 9802C031109241AFDB25CF24C848BAABBE5FFCA314F04862DF695D62A1D73CD964CB52
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
              • API String ID: 1038674560-86951937
              • Opcode ID: 7d399035040a1fa863bc33e761180eac12e3e2d04606122253bb2a4502ac1c3e
              • Instruction ID: 6aa037dc51e6253abf1f4d1c8ed4884e741ce4d6d07f4ef5a7ba687136cf7946
              • Opcode Fuzzy Hash: 7d399035040a1fa863bc33e761180eac12e3e2d04606122253bb2a4502ac1c3e
              • Instruction Fuzzy Hash: 2B811AB1600225EACB15AB60EC86FEF3768EF05710F04402AFD496A196EB7DDE45C2A1
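The function records above (window title "AutoIt v3", class "AutoIt v3 GUI", and the directive parser whose strings include "#OnAutoItStartRegister", "#requireadmin", "#notrayicon", "#pragma compile" and "Cannot parse #include") are the AutoIt v3 interpreter itself, which is what the report's "Binary is likely a compiled AutoIt script file" signature is keyed on. Because the runtime calls the W-suffixed USER32 APIs, these strings live in the PE as UTF-16LE, so an ASCII-only strings pass misses them. The following triage helper is an added example, not Joe Sandbox or AutoIt code: it extracts wide strings from a byte blob and scores the indicators this report lists; the per-indicator weights, the threshold and the constructed sample buffer are my assumptions.

```python
"""Added triage helper: flag a PE as an AutoIt v3 interpreter stub from the
runtime strings enumerated in this sandbox report. Example code, not part of
Joe Sandbox or AutoIt; weights and threshold are assumptions."""
import re
from typing import Dict, List

# Strings the report recovered from the sample's code/rdata: the splash and
# progress window title, the GUI window class, and the script-directive parser.
# Weights are an assumption: interpreter-only tokens score higher than words a
# benign document might also contain.
AUTOIT_INDICATORS: Dict[str, int] = {
    "AutoIt v3": 3,
    "AutoIt v3 GUI": 3,
    "#OnAutoItStartRegister": 4,
    "#requireadmin": 2,
    "#notrayicon": 2,
    "#pragma compile": 2,
    "#include-once": 1,
    "Cannot parse #include": 2,
    "Bad directive syntax error": 2,
    "Unterminated group of comments": 1,
}
THRESHOLD = 6  # assumption: two strong hits, or one strong plus weak ones

# Printable ASCII stored as UTF-16LE: each character is followed by a NUL byte.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def wide_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return printable UTF-16LE runs of at least min_len characters."""
    return [
        m.group().decode("utf-16-le")
        for m in _WIDE_RUN.finditer(blob)
        if len(m.group()) // 2 >= min_len
    ]


def find_indicators(blob: bytes) -> Dict[str, List[str]]:
    """Map each indicator found to the encodings it was found in.

    Both ASCII and UTF-16LE are searched so wide strings are not missed.
    """
    hits: Dict[str, List[str]] = {}
    for text in AUTOIT_INDICATORS:
        encodings = [
            enc for enc in ("ascii", "utf-16-le") if text.encode(enc) in blob
        ]
        if encodings:
            hits[text] = encodings
    return hits


def score(blob: bytes) -> int:
    """Sum the weights of every indicator present, whatever the encoding."""
    return sum(AUTOIT_INDICATORS[k] for k in find_indicators(blob))


def is_autoit_stub(blob: bytes) -> bool:
    return score(blob) >= THRESHOLD


def build_sample() -> bytes:
    """Constructed stand-in for the sample: a DOS stub followed by two of the
    wide strings from this report. Not the real file."""
    return (
        b"MZ" + b"\x00" * 16
        + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
        + "#OnAutoItStartRegister".encode("utf-16-le") + b"\x00\x00"
    )


if __name__ == "__main__":
    blob = build_sample()
    print("wide strings:", wide_strings(blob))
    print("indicators:", find_indicators(blob))
    print("score:", score(blob), "autoit stub:", is_autoit_stub(blob))
```

Run it against the real sample with `is_autoit_stub(open(path, "rb").read())`; a plain-text file that merely mentions "AutoIt v3" in ASCII scores below the threshold, while the interpreter's directive-parser tokens push a compiled stub over it. A hit only says the carrier is the AutoIt runtime; the payload is whatever script the stub embeds, which this heuristic does not extract.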
              APIs
              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007A8AC1
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A8AD2
              • CharNextW.USER32(0000014E), ref: 007A8B01
              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007A8B42
              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007A8B58
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A8B69
              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007A8B86
              • SetWindowTextW.USER32(?,0000014E), ref: 007A8BD8
              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007A8BEE
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 007A8C1F
              • _memset.LIBCMT ref: 007A8C44
              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007A8C8D
              • _memset.LIBCMT ref: 007A8CEC
              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 007A8D16
              • SendMessageW.USER32(?,00001074,?,00000001), ref: 007A8D6E
              • SendMessageW.USER32(?,0000133D,?,?), ref: 007A8E1B
              • InvalidateRect.USER32(?,00000000,00000001), ref: 007A8E3D
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007A8E87
              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007A8EB4
              • DrawMenuBar.USER32(?), ref: 007A8EC3
              • SetWindowTextW.USER32(?,0000014E), ref: 007A8EEB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
              • String ID: 0$P`
              • API String ID: 1073566785-3728011039
              • Opcode ID: 1f0bf3b2c9a4019342f2285336df8ee0895f52689d78e195e8a337db5cd18caf
              • Instruction ID: bcd1ba777392a7a121c88f6397142ac269b59a205aa67db381292e86429452d4
              • Opcode Fuzzy Hash: 1f0bf3b2c9a4019342f2285336df8ee0895f52689d78e195e8a337db5cd18caf
              • Instruction Fuzzy Hash: EAE18270901219EFDF60DF60CC88EEE7B79EF8A710F148256F915AA191DB788980DF61
              APIs
              • GetSysColor.USER32(00000012), ref: 007AA903
              • SetTextColor.GDI32(?,?), ref: 007AA907
              • GetSysColorBrush.USER32(0000000F), ref: 007AA91D
              • GetSysColor.USER32(0000000F), ref: 007AA928
              • CreateSolidBrush.GDI32(?), ref: 007AA92D
              • GetSysColor.USER32(00000011), ref: 007AA945
              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 007AA953
              • SelectObject.GDI32(?,00000000), ref: 007AA964
              • SetBkColor.GDI32(?,00000000), ref: 007AA96D
              • SelectObject.GDI32(?,?), ref: 007AA97A
              • InflateRect.USER32(?,000000FF,000000FF), ref: 007AA999
              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007AA9B0
              • GetWindowLongW.USER32(00000000,000000F0), ref: 007AA9C5
              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007AA9ED
              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007AAA14
              • InflateRect.USER32(?,000000FD,000000FD), ref: 007AAA32
              • DrawFocusRect.USER32(?,?), ref: 007AAA3D
              • GetSysColor.USER32(00000011), ref: 007AAA4B
              • SetTextColor.GDI32(?,00000000), ref: 007AAA53
              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007AAA67
              • SelectObject.GDI32(?,007AA5FA), ref: 007AAA7E
              • DeleteObject.GDI32(?), ref: 007AAA89
              • SelectObject.GDI32(?,?), ref: 007AAA8F
              • DeleteObject.GDI32(?), ref: 007AAA94
              • SetTextColor.GDI32(?,?), ref: 007AAA9A
              • SetBkColor.GDI32(?,?), ref: 007AAAA4
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
              • String ID:
              • API String ID: 1996641542-0
              • Opcode ID: 2a3bd8fec7277fc59b7d5fee4b669dd3580da27cda6222d35cc2b3262c568be8
              • Instruction ID: 530bd69b1ab7f61e702373c3601f7be1bf1db1e9b7be71e8931e33ac1b796024
              • Opcode Fuzzy Hash: 2a3bd8fec7277fc59b7d5fee4b669dd3580da27cda6222d35cc2b3262c568be8
              • Instruction Fuzzy Hash: C8512F71900208FFDF119FA4DC48EAE7BB9EF89320F118625F911AB2A1D7799940DF94
              APIs
              • GetCursorPos.USER32(?), ref: 007A49CA
              • GetDesktopWindow.USER32 ref: 007A49DF
              • GetWindowRect.USER32(00000000), ref: 007A49E6
              • GetWindowLongW.USER32(?,000000F0), ref: 007A4A48
              • DestroyWindow.USER32(?), ref: 007A4A74
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007A4A9D
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A4ABB
              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007A4AE1
              • SendMessageW.USER32(?,00000421,?,?), ref: 007A4AF6
              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007A4B09
              • IsWindowVisible.USER32(?), ref: 007A4B29
              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007A4B44
              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007A4B58
              • GetWindowRect.USER32(?,?), ref: 007A4B70
              • MonitorFromPoint.USER32(?,?,00000002), ref: 007A4B96
              • GetMonitorInfoW.USER32(00000000,?), ref: 007A4BB0
              • CopyRect.USER32(?,?), ref: 007A4BC7
              • SendMessageW.USER32(?,00000412,00000000), ref: 007A4C32
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
              • String ID: ($0$tooltips_class32
              • API String ID: 698492251-4156429822
              • Opcode ID: 6164319d05cfe4d9901b62531ebab18066e42c3b069ab620e9bc26171c2be098
              • Instruction ID: d3e7a1351c6a460ee97267a1bf8d4dd2346d64751e685b63e1e887bd40934e51
              • Opcode Fuzzy Hash: 6164319d05cfe4d9901b62531ebab18066e42c3b069ab620e9bc26171c2be098
              • Instruction Fuzzy Hash: 4BB18B71604350EFDB04DF64D848B6ABBE4BFC5310F048A1CF5999B2A1D7B9E805CB95
              APIs
              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 007844AC
              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007844D2
              • _wcscpy.LIBCMT ref: 00784500
              • _wcscmp.LIBCMT ref: 0078450B
              • _wcscat.LIBCMT ref: 00784521
              • _wcsstr.LIBCMT ref: 0078452C
              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00784548
              • _wcscat.LIBCMT ref: 00784591
              • _wcscat.LIBCMT ref: 00784598
              • _wcsncpy.LIBCMT ref: 007845C3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
• Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
              • API String ID: 699586101-1459072770
              • Opcode ID: 287037749468361d624dd6542f25ea756b41ed225cfd7c7a46d2de0d87f4ccb0
              • Instruction ID: 1f6c9ff60e29eba177f6d430b5379a97fd4b1ba658027cc93a6a880c4f164db9
              • Opcode Fuzzy Hash: 287037749468361d624dd6542f25ea756b41ed225cfd7c7a46d2de0d87f4ccb0
              • Instruction Fuzzy Hash: 2041F871A40211BBDB10BAB58C0BEBF777CDF42710F44416AF905E6183EB7C9A1197A9
              APIs
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007228BC
              • GetSystemMetrics.USER32(00000007), ref: 007228C4
              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007228EF
              • GetSystemMetrics.USER32(00000008), ref: 007228F7
              • GetSystemMetrics.USER32(00000004), ref: 0072291C
              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00722939
              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00722949
              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0072297C
              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00722990
              • GetClientRect.USER32(00000000,000000FF), ref: 007229AE
              • GetStockObject.GDI32(00000011), ref: 007229CA
              • SendMessageW.USER32(00000000,00000030,00000000), ref: 007229D5
                • Part of subcall function 00722344: GetCursorPos.USER32(?), ref: 00722357
                • Part of subcall function 00722344: ScreenToClient.USER32(007E57B0,?), ref: 00722374
                • Part of subcall function 00722344: GetAsyncKeyState.USER32(00000001), ref: 00722399
                • Part of subcall function 00722344: GetAsyncKeyState.USER32(00000002), ref: 007223A7
              • SetTimer.USER32(00000000,00000000,00000028,00721256), ref: 007229FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
              • String ID: AutoIt v3 GUI
              • API String ID: 1458621304-248962490
              • Opcode ID: cd684950f4e8d83b9cb98618cd704257f9b12fc8490aa5ea7f2559997bc403ef
              • Instruction ID: 97ec613145e5399fb6dfdc99fef6b9e892daabda7e9d78c28f7fde32b349f175
              • Opcode Fuzzy Hash: cd684950f4e8d83b9cb98618cd704257f9b12fc8490aa5ea7f2559997bc403ef
              • Instruction Fuzzy Hash: F2B18F71A0021AEFDB14DFA8DC85BED7BB4FB48315F108229FA15A7290DB78D851CB54
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • DragQueryPoint.SHELL32(?,?), ref: 007AC627
                • Part of subcall function 007AAB37: ClientToScreen.USER32(?,?), ref: 007AAB60
                • Part of subcall function 007AAB37: GetWindowRect.USER32(?,?), ref: 007AABD6
                • Part of subcall function 007AAB37: PtInRect.USER32(?,?,007AC014), ref: 007AABE6
              • SendMessageW.USER32(?,000000B0,?,?), ref: 007AC690
              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007AC69B
              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007AC6BE
              • _wcscat.LIBCMT ref: 007AC6EE
              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 007AC705
              • SendMessageW.USER32(?,000000B0,?,?), ref: 007AC71E
              • SendMessageW.USER32(?,000000B1,?,?), ref: 007AC735
              • SendMessageW.USER32(?,000000B1,?,?), ref: 007AC757
              • DragFinish.SHELL32(?), ref: 007AC75E
              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007AC851
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$P`$pb~
              • API String ID: 169749273-4279893529
              • Opcode ID: 239bcfec1ce9d5f81bec01e903672fa85d53661fc33fa230ded142c56a115617
              • Instruction ID: 12a800ec60491e177c4dde03144e0ca816f1aae6c88fe66ddd75b4f77abeb087
              • Opcode Fuzzy Hash: 239bcfec1ce9d5f81bec01e903672fa85d53661fc33fa230ded142c56a115617
              • Instruction Fuzzy Hash: 9F617C71108340EFC705EF64DC89D9BBBE8EFC9310F04492EF595962A1DB38A949CB92
              APIs
              • GetClassNameW.USER32(?,?,00000100), ref: 0077A47A
              • __swprintf.LIBCMT ref: 0077A51B
              • _wcscmp.LIBCMT ref: 0077A52E
              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0077A583
              • _wcscmp.LIBCMT ref: 0077A5BF
              • GetClassNameW.USER32(?,?,00000400), ref: 0077A5F6
              • GetDlgCtrlID.USER32(?), ref: 0077A648
              • GetWindowRect.USER32(?,?), ref: 0077A67E
              • GetParent.USER32(?), ref: 0077A69C
              • ScreenToClient.USER32(00000000), ref: 0077A6A3
              • GetClassNameW.USER32(?,?,00000100), ref: 0077A71D
              • _wcscmp.LIBCMT ref: 0077A731
              • GetWindowTextW.USER32(?,?,00000400), ref: 0077A757
              • _wcscmp.LIBCMT ref: 0077A76B
                • Part of subcall function 0074362C: _iswctype.LIBCMT ref: 00743634
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
              • String ID: %s%u
              • API String ID: 3744389584-679674701
              • Opcode ID: 8fe0e2c477081240c8ba75f5a7a2503335bad37083fc867206eb5e59e62b1939
              • Instruction ID: bf0e046655a89b500ca31740edb1ebf43c32f5010329ca794f1346a64bf73a68
              • Opcode Fuzzy Hash: 8fe0e2c477081240c8ba75f5a7a2503335bad37083fc867206eb5e59e62b1939
              • Instruction Fuzzy Hash: 3CA19071204206FBEB18DF64C888BAEB7A8FF84395F108529F99DD2150D738E955CB92
              APIs
              • GetClassNameW.USER32(00000008,?,00000400), ref: 0077AF18
              • _wcscmp.LIBCMT ref: 0077AF29
              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0077AF51
              • CharUpperBuffW.USER32(?,00000000), ref: 0077AF6E
              • _wcscmp.LIBCMT ref: 0077AF8C
              • _wcsstr.LIBCMT ref: 0077AF9D
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0077AFD5
              • _wcscmp.LIBCMT ref: 0077AFE5
              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0077B00C
              • GetClassNameW.USER32(00000018,?,00000400), ref: 0077B055
              • _wcscmp.LIBCMT ref: 0077B065
              • GetClassNameW.USER32(00000010,?,00000400), ref: 0077B08D
              • GetWindowRect.USER32(00000004,?), ref: 0077B0F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
              • String ID: @$ThumbnailClass
              • API String ID: 1788623398-1539354611
              • Opcode ID: cc63a811ef549baf7cc280d4e470a31cca0960740a6e7626a6e5dc2e18e0563e
              • Instruction ID: 4c45aa07f57c4c3e3536cc16b413316d7501074e7c2f2d16622f1db7c8b3b463
              • Opcode Fuzzy Hash: cc63a811ef549baf7cc280d4e470a31cca0960740a6e7626a6e5dc2e18e0563e
              • Instruction Fuzzy Hash: 72819171108309ABEF05DF14C885FAA77E8EF84394F14C56AFD898A096DB38DD45CB61
              APIs
              • _memset.LIBCMT ref: 007AA259
              • DestroyWindow.USER32(?,?), ref: 007AA2D3
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007AA34D
              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007AA36F
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007AA382
              • DestroyWindow.USER32(00000000), ref: 007AA3A4
              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00720000,00000000), ref: 007AA3DB
              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007AA3F4
              • GetDesktopWindow.USER32 ref: 007AA40D
              • GetWindowRect.USER32(00000000), ref: 007AA414
              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007AA42C
              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007AA444
                • Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
              • String ID: 0$P`$tooltips_class32
              • API String ID: 1297703922-420969989
              • Opcode ID: 84acfac6053991f4b3ed73949503ca7e389ee0654ab07f837b751eb8339a5267
              • Instruction ID: f2bbf96142c8f081a5e2ce28c892ef66ac4110136d245bd515f45d90b27b12c4
              • Opcode Fuzzy Hash: 84acfac6053991f4b3ed73949503ca7e389ee0654ab07f837b751eb8339a5267
              • Instruction Fuzzy Hash: DC719A71140245AFDB25DF28CC49F6A7BE5FBCA304F04862DF9858B2A0D778E902CB56
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __wcsnicmp
              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
              • API String ID: 1038674560-1810252412
              • Opcode ID: f5b7d1056fe1083900e2374b1a0932d5a092eb3bcfb598a7031fcc74aa38810d
              • Instruction ID: b92be729e7568a3faa2096c577bd914e903ac62e77e7f83003f11ec8353c630d
              • Opcode Fuzzy Hash: f5b7d1056fe1083900e2374b1a0932d5a092eb3bcfb598a7031fcc74aa38810d
              • Instruction Fuzzy Hash: 163124B0648215FAEA19EA64EE0BEAE73749F50750F60802AF449711D1FF2D6F04C662
              APIs
              • LoadCursorW.USER32(00000000,00007F8A), ref: 00795013
              • LoadCursorW.USER32(00000000,00007F00), ref: 0079501E
              • LoadCursorW.USER32(00000000,00007F03), ref: 00795029
              • LoadCursorW.USER32(00000000,00007F8B), ref: 00795034
              • LoadCursorW.USER32(00000000,00007F01), ref: 0079503F
              • LoadCursorW.USER32(00000000,00007F81), ref: 0079504A
              • LoadCursorW.USER32(00000000,00007F88), ref: 00795055
              • LoadCursorW.USER32(00000000,00007F80), ref: 00795060
              • LoadCursorW.USER32(00000000,00007F86), ref: 0079506B
              • LoadCursorW.USER32(00000000,00007F83), ref: 00795076
              • LoadCursorW.USER32(00000000,00007F85), ref: 00795081
              • LoadCursorW.USER32(00000000,00007F82), ref: 0079508C
              • LoadCursorW.USER32(00000000,00007F84), ref: 00795097
              • LoadCursorW.USER32(00000000,00007F04), ref: 007950A2
              • LoadCursorW.USER32(00000000,00007F02), ref: 007950AD
              • LoadCursorW.USER32(00000000,00007F89), ref: 007950B8
              • GetCursorInfo.USER32(?), ref: 007950C8
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Cursor$Load$Info
              • String ID:
              • API String ID: 2577412497-0
              • Opcode ID: 999fca663521458fcdbdc8a1ba42c65d5223fc9e15ed2088b3a8c09bb0254ba1
              • Instruction ID: fb5f152190acb833a520054f73b61f310704b89b77a445dec4cb24f1e7eaa232
              • Opcode Fuzzy Hash: 999fca663521458fcdbdc8a1ba42c65d5223fc9e15ed2088b3a8c09bb0254ba1
              • Instruction Fuzzy Hash: 7631F2B1D4832DAADF109FB69C8996EBFE8FF04750F50452AE50DE7280DA7CA5008F91
              APIs
                • Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC
              • GetSysColor.USER32(0000000F), ref: 007221D3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ColorLongWindow
              • String ID: q0v$P`
              • API String ID: 259745315-2856427375
              • Opcode ID: fccdc59ec68c8e8b53f44bfda747c53017511692efc28f9cf2eb8fe0379673ee
              • Instruction ID: 25fc309e644f3f72ced77b23ae96a61d6585d415a0196fedccfe26b087ed8b1b
              • Opcode Fuzzy Hash: fccdc59ec68c8e8b53f44bfda747c53017511692efc28f9cf2eb8fe0379673ee
              • Instruction Fuzzy Hash: 6B41B131000154EBDB255F68EC88BB93BA5FB46331F298365FD659A1E2C73A8C43DB25
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 007A4424
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A446F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: BuffCharMessageSendUpper
              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
              • API String ID: 3974292440-4258414348
              • Opcode ID: 4ad848130150c92541aee4006fc47df3c9ba4b71986a5a58819875216a06a5e1
              • Instruction ID: ceaaccd0184ec4596d79c726674019bb71a94e198d5a02f3f6c37f7d7e56ff55
              • Opcode Fuzzy Hash: 4ad848130150c92541aee4006fc47df3c9ba4b71986a5a58819875216a06a5e1
              • Instruction Fuzzy Hash: CF916B71204711DFCB04EF20C855A6EB7E1AFD6350F088969F9965B3A2CB79ED09CB81
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007AC1FC
              • GetFocus.USER32 ref: 007AC20C
              • GetDlgCtrlID.USER32(00000000), ref: 007AC217
              • _memset.LIBCMT ref: 007AC342
              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007AC36D
              • GetMenuItemCount.USER32(?), ref: 007AC38D
              • GetMenuItemID.USER32(?,00000000), ref: 007AC3A0
              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007AC3D4
              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007AC41C
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007AC454
              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007AC489
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
              • String ID: 0$P`
              • API String ID: 1296962147-3728011039
              • Opcode ID: dad0e0803e0ec283b6f11b2755bcb2645cf6e9499fc1e93f88ddc245ba591e07
              • Instruction ID: be811b56e01ac00ac9336dcc4bd1de58ad1980d2cef483aeb34da96a32ee7e74
              • Opcode Fuzzy Hash: dad0e0803e0ec283b6f11b2755bcb2645cf6e9499fc1e93f88ddc245ba591e07
              • Instruction Fuzzy Hash: 0281A070608341EFDB11CF64C894A6BBBE8FBCA314F004A2EF99597291C738D905CB96
              APIs
              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007AB8B4
              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007A91C2), ref: 007AB910
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007AB949
              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007AB98C
              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007AB9C3
              • FreeLibrary.KERNEL32(?), ref: 007AB9CF
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007AB9DF
              • DestroyIcon.USER32(?,?,?,?,?,007A91C2), ref: 007AB9EE
              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007ABA0B
              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007ABA17
                • Part of subcall function 00742EFD: __wcsicmp_l.LIBCMT ref: 00742F86
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
              • String ID: .dll$.exe$.icl
              • API String ID: 1212759294-1154884017
              • Opcode ID: 7351cc054d8301d72bd156ef0290f44b2dd66b5c7725a86647c5a538ecdb5a07
              • Instruction ID: 99cef1117b87f92754f52bc78ad3084ee3d246dbe47a81d99f27e1c006944acc
              • Opcode Fuzzy Hash: 7351cc054d8301d72bd156ef0290f44b2dd66b5c7725a86647c5a538ecdb5a07
              • Instruction Fuzzy Hash: 8161EFB1500219FAEB14DFA4CC45FBE77A8EF4A711F108216FA15D61C2DB7CA990DBA0
              APIs
                • Part of subcall function 00721B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00722036,?,00000000,?,?,?,?,007216CB,00000000,?), ref: 00721B9A
              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007220D3
              • KillTimer.USER32(-00000001,?,?,?,?,007216CB,00000000,?,?,00721AE2,?,?), ref: 0072216E
              • DestroyAcceleratorTable.USER32(00000000), ref: 0075BCA6
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007216CB,00000000,?,?,00721AE2,?,?), ref: 0075BCD7
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007216CB,00000000,?,?,00721AE2,?,?), ref: 0075BCEE
              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007216CB,00000000,?,?,00721AE2,?,?), ref: 0075BD0A
              • DeleteObject.GDI32(00000000), ref: 0075BD1C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
              • String ID: P`
              • API String ID: 641708696-2971936014
              • Opcode ID: d8bce821dfe1c3479c015b8cc7cadfc47ac63a37d6e441a949938b4e756c6dc8
              • Instruction ID: 3c50ca46597c59ce806e9efeb8d505550acf82708197e1b1fc45f38dfb2b2aad
              • Opcode Fuzzy Hash: d8bce821dfe1c3479c015b8cc7cadfc47ac63a37d6e441a949938b4e756c6dc8
              • Instruction Fuzzy Hash: F461BE31101B64EFCB359F14E988B36B7F2FB45306F508528E9824A571C7BCE892DB94
              APIs
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              • CharLowerBuffW.USER32(?,?), ref: 0078A3CB
              • GetDriveTypeW.KERNEL32 ref: 0078A418
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078A460
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078A497
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078A4C5
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
              • API String ID: 2698844021-4113822522
              • Opcode ID: a41cbb5a2483a8b57811566658ba086ceb21ddafa4c44a18757340877536eed0
              • Instruction ID: 6b7816f33bb5c61ea197f1e7428c05c5aaf8f8c679bf99e3eaf3a00581175f15
              • Opcode Fuzzy Hash: a41cbb5a2483a8b57811566658ba086ceb21ddafa4c44a18757340877536eed0
              • Instruction Fuzzy Hash: ED518C71104315EFC704EF24D99596AB3F4EF88718F14886EF88A57261DB39ED0ACB92
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0075E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0077F8DF
              • LoadStringW.USER32(00000000,?,0075E029,00000001), ref: 0077F8E8
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0075E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0077F90A
              • LoadStringW.USER32(00000000,?,0075E029,00000001), ref: 0077F90D
              • __swprintf.LIBCMT ref: 0077F95D
              • __swprintf.LIBCMT ref: 0077F96E
              • _wprintf.LIBCMT ref: 0077FA17
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0077FA2E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
              • API String ID: 984253442-2268648507
              • Opcode ID: 9e15ec3fc52e519b523fbce308ff33c655ec9ed749aaaa6c45c0a5fb6d4ffea3
              • Instruction ID: bc4deef65f8ccdcad6c015434f79d8c69538e120cf1bb50fae4dac4d41849746
              • Opcode Fuzzy Hash: 9e15ec3fc52e519b523fbce308ff33c655ec9ed749aaaa6c45c0a5fb6d4ffea3
              • Instruction Fuzzy Hash: 15413F72904119EACF08FFE0DE8ADEE7778AF15340F104465F509B6091EA396F49CB61
              APIs
              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007A9207,?,?), ref: 007ABA56
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABA6D
              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABA78
              • CloseHandle.KERNEL32(00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABA85
              • GlobalLock.KERNEL32(00000000), ref: 007ABA8E
              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABA9D
              • GlobalUnlock.KERNEL32(00000000), ref: 007ABAA6
              • CloseHandle.KERNEL32(00000000,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABAAD
              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007A9207,?,?,00000000,?), ref: 007ABABE
              • OleLoadPicture.OLEAUT32(?,00000000,00000000,007B2CAC,?), ref: 007ABAD7
              • GlobalFree.KERNEL32(00000000), ref: 007ABAE7
              • GetObjectW.GDI32(00000000,00000018,?), ref: 007ABB0B
              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007ABB36
              • DeleteObject.GDI32(00000000), ref: 007ABB5E
              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007ABB74
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
              • String ID:
              • API String ID: 3840717409-0
              • Opcode ID: 7c1e29eb0d6546526f7bf02749a02c08615e0055e01556d9d4458958f3186005
              • Instruction ID: 465013ed7bae675e5e74a5040b112dab941d29cc845c875624b20bd9940be291
              • Opcode Fuzzy Hash: 7c1e29eb0d6546526f7bf02749a02c08615e0055e01556d9d4458958f3186005
              • Instruction Fuzzy Hash: 8F412775600208EFDB219FA5DC88EAABBB8FBCA711F108168F905D7261D7389D01CB64
              APIs
              • __wsplitpath.LIBCMT ref: 0078DA10
              • _wcscat.LIBCMT ref: 0078DA28
              • _wcscat.LIBCMT ref: 0078DA3A
              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0078DA4F
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0078DA63
              • GetFileAttributesW.KERNEL32(?), ref: 0078DA7B
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 0078DA95
              • SetCurrentDirectoryW.KERNEL32(?), ref: 0078DAA7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
              • String ID: *.*
              • API String ID: 34673085-438819550
              • Opcode ID: 7e31e10e0e28ec110c258593d961ae541e49b8acf935b82153b4563e574997e4
              • Instruction ID: 9daf3756c528316e3d7c384060b286c621b78e744bf66f6f6ddce9beb9575431
              • Opcode Fuzzy Hash: 7e31e10e0e28ec110c258593d961ae541e49b8acf935b82153b4563e574997e4
              • Instruction Fuzzy Hash: D08162715442419FCB34EF65C844AAAB7E9FF89310F18882EF889C7291E638ED45CB52
              APIs
              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007A6FA5
              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007A6FA8
              • GetWindowLongW.USER32(?,000000F0), ref: 007A6FCC
              • _memset.LIBCMT ref: 007A6FDD
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A6FEF
              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007A7067
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$LongWindow_memset
              • String ID: P`
              • API String ID: 830647256-2971936014
              • Opcode ID: 53e28c3b2cc032fb90a5ee31ef75d4a65d8b547b6d031babfa5d737a71de0f04
              • Instruction ID: c0f8bf71b2bc9b48bae6b4428c872147e3d5b77fc98e5187fbf683f048503790
              • Opcode Fuzzy Hash: 53e28c3b2cc032fb90a5ee31ef75d4a65d8b547b6d031babfa5d737a71de0f04
              • Instruction Fuzzy Hash: 2E618C75900248EFDB10DFA4CC85EEE77F8EB49714F144269FA14AB2A1C779AD41CBA0
              APIs
              • GetDC.USER32(00000000), ref: 0079738F
              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0079739B
              • CreateCompatibleDC.GDI32(?), ref: 007973A7
              • SelectObject.GDI32(00000000,?), ref: 007973B4
              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00797408
              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00797444
              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00797468
              • SelectObject.GDI32(00000006,?), ref: 00797470
              • DeleteObject.GDI32(?), ref: 00797479
              • DeleteDC.GDI32(00000006), ref: 00797480
              • ReleaseDC.USER32(00000000,?), ref: 0079748B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
              • String ID: (
              • API String ID: 2598888154-3887548279
              • Opcode ID: adc36d5c91b6931ef1235e0e52502661794550ebaf4e65c6da37af4fd9850b5f
              • Instruction ID: 36e56f9208b27b2ad99aeb6a806b463af0ef9e95d2d253409d4b6e15571d05db
              • Opcode Fuzzy Hash: adc36d5c91b6931ef1235e0e52502661794550ebaf4e65c6da37af4fd9850b5f
              • Instruction Fuzzy Hash: 97514875904249EFCB14CFA8DC85EAFBBB9EF89310F14842DF99997211C735A940CB54
              APIs
              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079FDAD,?,?), ref: 007A0E31
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: BuffCharUpper
              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$d
              • API String ID: 3964851224-3191434846
              • Opcode ID: eaa015e6107bd3b03ba7b8c8eedc193d0f4263eab3ef83ac85fd9d535fee38cc
              • Instruction ID: f4b45369f04b57d4fcd3270f9769855f35783ea942977c23b88b42d22a0613de
              • Opcode Fuzzy Hash: eaa015e6107bd3b03ba7b8c8eedc193d0f4263eab3ef83ac85fd9d535fee38cc
              • Instruction Fuzzy Hash: BC414C3124028ACFCF10EF10D869AEF3760AF52340F144965FD552B292DB3CA91ACBE0
              APIs
                • Part of subcall function 00740957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00726B0C,?,00008000), ref: 00740973
                • Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770
              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00726BAD
              • SetCurrentDirectoryW.KERNEL32(?), ref: 00726CFA
                • Part of subcall function 0072586D: _wcscpy.LIBCMT ref: 007258A5
                • Part of subcall function 0074363D: _iswctype.LIBCMT ref: 00743645
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
              • API String ID: 537147316-1018226102
              • Opcode ID: d902da6bf8e9d4c5a8372ccc14bdd0104ee4cd847738da5ec7c3443afeed730b
              • Instruction ID: 37759e4a9139c6e32655dd26e8cc09c7c5553b115d435b00a8c1d6cfd6affb1a
              • Opcode Fuzzy Hash: d902da6bf8e9d4c5a8372ccc14bdd0104ee4cd847738da5ec7c3443afeed730b
              • Instruction Fuzzy Hash: 5202BE70108350DFCB18EF24D8859AFBBE5EF99354F10481EF489972A1DB78DA49CB52
              APIs
              • _memset.LIBCMT ref: 00782D50
              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00782DDD
              • GetMenuItemCount.USER32(007E5890), ref: 00782E66
              • DeleteMenu.USER32(007E5890,00000005,00000000,000000F5,?,?), ref: 00782EF6
              • DeleteMenu.USER32(007E5890,00000004,00000000), ref: 00782EFE
              • DeleteMenu.USER32(007E5890,00000006,00000000), ref: 00782F06
              • DeleteMenu.USER32(007E5890,00000003,00000000), ref: 00782F0E
              • GetMenuItemCount.USER32(007E5890), ref: 00782F16
              • SetMenuItemInfoW.USER32(007E5890,00000004,00000000,00000030), ref: 00782F4C
              • GetCursorPos.USER32(?), ref: 00782F56
              • SetForegroundWindow.USER32(00000000), ref: 00782F5F
              • TrackPopupMenuEx.USER32(007E5890,00000000,?,00000000,00000000,00000000), ref: 00782F72
              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00782F7E
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
              • String ID:
              • API String ID: 3993528054-0
              • Opcode ID: 8de26374f67fcbb644d3b232cee4be8eab03d8bcc0d70dcc7821b7576a38bdd2
              • Instruction ID: 3ce425b9daeea2d3090d7809d3f4911d1409c5b6fe820ede69e8d4580f1785d5
              • Opcode Fuzzy Hash: 8de26374f67fcbb644d3b232cee4be8eab03d8bcc0d70dcc7821b7576a38bdd2
              • Instruction Fuzzy Hash: 6D714C70780205BFEB21AF54DC89FAABF64FF05315F104216F615AA1E2C7B95C21C754
              APIs
              • VariantInit.OLEAUT32(?), ref: 007988D7
              • CoInitialize.OLE32(00000000), ref: 00798904
              • CoUninitialize.OLE32 ref: 0079890E
              • GetRunningObjectTable.OLE32(00000000,?), ref: 00798A0E
              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00798B3B
              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007B2C0C), ref: 00798B6F
              • CoGetObject.OLE32(?,00000000,007B2C0C,?), ref: 00798B92
              • SetErrorMode.KERNEL32(00000000), ref: 00798BA5
              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00798C25
              • VariantClear.OLEAUT32(?), ref: 00798C35
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
              • String ID: ,,{
              • API String ID: 2395222682-821077388
              • Opcode ID: ea298fb912ff99d564f6e7c0c7edb7d2d7ac391288668a31145b6c335d5f55e3
              • Instruction ID: 31c1f23d8f2d7d3eb8acc21e59240ff74c8fe9d77b610ae1a937d81227c7ae63
              • Opcode Fuzzy Hash: ea298fb912ff99d564f6e7c0c7edb7d2d7ac391288668a31145b6c335d5f55e3
              • Instruction Fuzzy Hash: 42C135B1208305AFCB40DF64D88492BB7E9FF8A348F04495DF98A9B251DB79ED05CB52
              APIs
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
              • _memset.LIBCMT ref: 0077786B
              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007778A0
              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007778BC
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007778D8
              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00777902
              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0077792A
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00777935
              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0077793A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
              • API String ID: 1411258926-22481851
              • Opcode ID: 2fa8f7361829994dfcf182d5188e6ec496ece1d6d56d3e1919d3ad188723c302
              • Instruction ID: f94a2f4523dc70a177e41e2a1f753981d04a73d3e4341b469cab579abc5df801
              • Opcode Fuzzy Hash: 2fa8f7361829994dfcf182d5188e6ec496ece1d6d56d3e1919d3ad188723c302
              • Instruction Fuzzy Hash: DE41E972C14629EACF19EFA4EC49DEEB778FF04350F408469E905A3161EA385D45CB90
              APIs
              • _memset.LIBCMT ref: 007A716A
              • CreateMenu.USER32 ref: 007A7185
              • SetMenu.USER32(?,00000000), ref: 007A7194
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A7221
              • IsMenu.USER32(?), ref: 007A7237
              • CreatePopupMenu.USER32 ref: 007A7241
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A726E
              • DrawMenuBar.USER32 ref: 007A7276
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
              • String ID: 0$F$P`
              • API String ID: 176399719-2045013408
              • Opcode ID: f68e53c23c0c8c92aa3bf3bb46f38a077d3a1d55cc8ada4b0e12a33fbcc40d65
              • Instruction ID: b2b98845b32b2fee95bcb0e58efb6712fd1d5f4dcd1f0657ed1882a6ebd80705
              • Opcode Fuzzy Hash: f68e53c23c0c8c92aa3bf3bb46f38a077d3a1d55cc8ada4b0e12a33fbcc40d65
              • Instruction Fuzzy Hash: 6A415674A01209EFDB24DFA4D884F9A7BB5FF8A310F144128F945A73A1D739A920CF94
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0075E2A0,00000010,?,Bad directive syntax error,007AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0077F7C2
              • LoadStringW.USER32(00000000,?,0075E2A0,00000010), ref: 0077F7C9
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
              • _wprintf.LIBCMT ref: 0077F7FC
              • __swprintf.LIBCMT ref: 0077F81E
              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0077F88D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
              • API String ID: 1506413516-4153970271
              • Opcode ID: 7d35c976d028baac3b509a90d67e8355e538a466c41cafc1ff5dee712f0b9d73
              • Instruction ID: 60a77c969bc0a8290b5b87f15423a7e36db2b8c70f62171bc7dce03e87ac5381
              • Opcode Fuzzy Hash: 7d35c976d028baac3b509a90d67e8355e538a466c41cafc1ff5dee712f0b9d73
              • Instruction Fuzzy Hash: DF21913294021EEBCF15EF90DD0AEEE7738BF14300F044866F509661A1EA79A658CB51
              APIs
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
                • Part of subcall function 00727924: _memmove.LIBCMT ref: 007279AD
              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00785330
              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00785346
              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00785357
              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00785369
              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0078537A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: SendString$_memmove
              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
              • API String ID: 2279737902-1007645807
              • Opcode ID: b5b275ebe38b0212829b58f983023fe7c67b323546ccfab0c76227b595f8f184
              • Instruction ID: f4bd5729be577af06b689cf22e342365bed3858d258ddd0d08e776c6ff600ff1
              • Opcode Fuzzy Hash: b5b275ebe38b0212829b58f983023fe7c67b323546ccfab0c76227b595f8f184
              • Instruction Fuzzy Hash: 2A11E770A90229BAD764BBB1DC4EDFF7B7CEBD2B54F00042AB401A21D1DEA85D44C6B1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
              • String ID: 0.0.0.0
              • API String ID: 208665112-3771769585
              • Opcode ID: 3037400b4441e6b4181818bde9852f4af052d02aa44a75599ca74c675168af69
              • Instruction ID: 38e57b6f4f3896ff21450213e9938f9854f8cd4a976aa06cd1d274e084705319
              • Opcode Fuzzy Hash: 3037400b4441e6b4181818bde9852f4af052d02aa44a75599ca74c675168af69
              • Instruction Fuzzy Hash: 7411E731940115AFCB20BB709C4AEEA7BBCEF42711F4441BAF54596092EFBC99818B54
              APIs
              • timeGetTime.WINMM ref: 00784F7A
                • Part of subcall function 0074049F: timeGetTime.WINMM(?,76BFB850,00730E7B), ref: 007404A3
              • Sleep.KERNEL32(0000000A), ref: 00784FA6
              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00784FCA
              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00784FEC
              • SetActiveWindow.USER32 ref: 0078500B
              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00785019
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00785038
              • Sleep.KERNEL32(000000FA), ref: 00785043
              • IsWindow.USER32 ref: 0078504F
              • EndDialog.USER32(00000000), ref: 00785060
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
              • String ID: BUTTON
              • API String ID: 1194449130-3405671355
              • Opcode ID: bc60b1a659784be1cd91a491333127d025ab1d84cb765ffcefe3f373b4656ea1
              • Instruction ID: 2a36ae2e6e8625d9992f58f0fcfdae7e2b08b67e685eaba7506684503a8ea9d9
              • Opcode Fuzzy Hash: bc60b1a659784be1cd91a491333127d025ab1d84cb765ffcefe3f373b4656ea1
              • Instruction Fuzzy Hash: 8321C9B0741A45AFE7107F70ECC8A363BA9FB5E785F089028F102851B1DB7D4D208B69
              APIs
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              • CoInitialize.OLE32(00000000), ref: 0078D5EA
              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0078D67D
              • SHGetDesktopFolder.SHELL32(?), ref: 0078D691
              • CoCreateInstance.OLE32(007B2D7C,00000000,00000001,007D8C1C,?), ref: 0078D6DD
              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0078D74C
              • CoTaskMemFree.OLE32(?,?), ref: 0078D7A4
              • _memset.LIBCMT ref: 0078D7E1
              • SHBrowseForFolderW.SHELL32(?), ref: 0078D81D
              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0078D840
              • CoTaskMemFree.OLE32(00000000), ref: 0078D847
              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0078D87E
              • CoUninitialize.OLE32(00000001,00000000), ref: 0078D880
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
              • String ID:
              • API String ID: 1246142700-0
              • Opcode ID: 3bde7af9405602dd8fbb15c458c1edfade2213abc112be436fe7e0d94cb5e109
              • Instruction ID: f354b3a084a5a2a79bb68b0f7117d0f4fcd8f2903478fb8d2889a93cab019635
              • Opcode Fuzzy Hash: 3bde7af9405602dd8fbb15c458c1edfade2213abc112be436fe7e0d94cb5e109
              • Instruction Fuzzy Hash: 0BB1F975A00119EFDB14EFA4C888DAEBBB9EF49314F148469E909EB261DB34ED41CB50
              APIs
              • GetDlgItem.USER32(?,00000001), ref: 0077C283
              • GetWindowRect.USER32(00000000,?), ref: 0077C295
              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0077C2F3
              • GetDlgItem.USER32(?,00000002), ref: 0077C2FE
              • GetWindowRect.USER32(00000000,?), ref: 0077C310
              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0077C364
              • GetDlgItem.USER32(?,000003E9), ref: 0077C372
              • GetWindowRect.USER32(00000000,?), ref: 0077C383
              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0077C3C6
              • GetDlgItem.USER32(?,000003EA), ref: 0077C3D4
              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0077C3F1
              • InvalidateRect.USER32(?,00000000,00000001), ref: 0077C3FE
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$ItemMoveRect$Invalidate
              • String ID:
              • API String ID: 3096461208-0
              • Opcode ID: f8455f6724199763cdcb8e74a63850e82efbe0af8c7f747642b0e20ad30f2c5c
              • Instruction ID: 2c26e1a0b1bafeb2f57ee83cf7281a5a4659bd7bdfde3d7f830a451f4e3b249a
              • Opcode Fuzzy Hash: f8455f6724199763cdcb8e74a63850e82efbe0af8c7f747642b0e20ad30f2c5c
              • Instruction Fuzzy Hash: F7514D71B00205ABDF18CFA9DD89AAEBBBAEB89310F14C12DF51AD7290D7749D008B14
              APIs
              • CharLowerBuffW.USER32(?,?,007AF910), ref: 0078A90B
              • GetDriveTypeW.KERNEL32(00000061,007D89A0,00000061), ref: 0078A9D5
              • _wcscpy.LIBCMT ref: 0078A9FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: BuffCharDriveLowerType_wcscpy
              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
              • API String ID: 2820617543-1000479233
              • Opcode ID: a9f08e5be9e768b75b3e6c266ff96a850adf16b4fe4c5b71663d2df632d783f7
              • Instruction ID: bea90216586850e3cfb3ec339e5c6603a552b1e5ec9c2b30697e09016009580d
              • Opcode Fuzzy Hash: a9f08e5be9e768b75b3e6c266ff96a850adf16b4fe4c5b71663d2df632d783f7
              • Instruction Fuzzy Hash: 9C51B031148301EBD304EF14D896AAFB7A9FF85310F14882EF595572A2DB39AD09CB93
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007A86FF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: InvalidateRect
              • String ID: P`
              • API String ID: 634782764-2971936014
              • Opcode ID: 94c04021cdf2939cf578fa0412db4c98def939fa86f78f5d177c5cee80adaf97
              • Instruction ID: 676839bd8642a3bc1720085c89a87375606b5469a627059df2f0082c26e6177a
              • Opcode Fuzzy Hash: 94c04021cdf2939cf578fa0412db4c98def939fa86f78f5d177c5cee80adaf97
              • Instruction Fuzzy Hash: 9E51A330500254FEEBA49B64DC89FA97BA5FB87320F604321F950D61A1CF7DA990CB46
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __i64tow__itow__swprintf
              • String ID: %.15g$0x%p$False$True
              • API String ID: 421087845-2263619337
              • Opcode ID: 6190f1a13d94379f0557f62a88b3d4b3deaa770c3e93efee14aaa9a4ab49e2c3
              • Instruction ID: 01520e7ecfd0cc8bc99b118d1fe4a6e3a7dd616ceeddb091c0cdf3b03d396010
              • Opcode Fuzzy Hash: 6190f1a13d94379f0557f62a88b3d4b3deaa770c3e93efee14aaa9a4ab49e2c3
              • Instruction Fuzzy Hash: 4B41B471A00215EFDB24DF34E846EBA77E8FF05300F28446EEA49D7292FA799945CB11
              APIs
              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007A755E
              • CreateCompatibleDC.GDI32(00000000), ref: 007A7565
              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007A7578
              • SelectObject.GDI32(00000000,00000000), ref: 007A7580
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 007A758B
              • DeleteDC.GDI32(00000000), ref: 007A7594
              • GetWindowLongW.USER32(?,000000EC), ref: 007A759E
              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007A75B2
              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007A75BE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
              • String ID: static
              • API String ID: 2559357485-2160076837
              • Opcode ID: 73845025076e8b69fd3c1c1e333f9362f2e04828eb08e1c23656a1baa91629b8
              • Instruction ID: 354bd92b4f4697711fd15692107b14ae079ce31c698982c714e4005de00d97fb
              • Opcode Fuzzy Hash: 73845025076e8b69fd3c1c1e333f9362f2e04828eb08e1c23656a1baa91629b8
              • Instruction Fuzzy Hash: B4316C72504218EBDF159FA4DC08FDB3B69FF8A320F114324FA55960A0C739D821DBA8
              APIs
              • _memset.LIBCMT ref: 00746E3E
                • Part of subcall function 00748B28: __getptd_noexit.LIBCMT ref: 00748B28
              • __gmtime64_s.LIBCMT ref: 00746ED7
              • __gmtime64_s.LIBCMT ref: 00746F0D
              • __gmtime64_s.LIBCMT ref: 00746F2A
              • __allrem.LIBCMT ref: 00746F80
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00746F9C
              • __allrem.LIBCMT ref: 00746FB3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00746FD1
              • __allrem.LIBCMT ref: 00746FE8
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00747006
              • __invoke_watson.LIBCMT ref: 00747077
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
              • String ID:
              • API String ID: 384356119-0
              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
              • Instruction ID: 7ba7011a5dc15f1b61797f191c76a3cd6b52c1550a27acd42e137d63f056bc1e
              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
              • Instruction Fuzzy Hash: 39712676A00716EBD718AF68DC45BAAB3F8BF05364F108229F814D7291F778DD448B91
              APIs
              • _memset.LIBCMT ref: 00782542
              • GetMenuItemInfoW.USER32(007E5890,000000FF,00000000,00000030), ref: 007825A3
              • SetMenuItemInfoW.USER32(007E5890,00000004,00000000,00000030), ref: 007825D9
              • Sleep.KERNEL32(000001F4), ref: 007825EB
              • GetMenuItemCount.USER32(?), ref: 0078262F
              • GetMenuItemID.USER32(?,00000000), ref: 0078264B
              • GetMenuItemID.USER32(?,-00000001), ref: 00782675
              • GetMenuItemID.USER32(?,?), ref: 007826BA
              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00782700
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00782714
              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00782735
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
              • String ID:
              • API String ID: 4176008265-0
              • Opcode ID: 15ac7096cf55bec202286cb5f57403c3c0efc163b82fe6f97f92e4da0e87d080
              • Instruction ID: f45a6c10e7679650781b80bc62a0f7acd00939dc1e774ff525259e7754922a2e
              • Opcode Fuzzy Hash: 15ac7096cf55bec202286cb5f57403c3c0efc163b82fe6f97f92e4da0e87d080
              • Instruction Fuzzy Hash: CB61E3B0A40249EFDF11EFA4CC88DBE7BB8FB45306F144059E941A7252E739AD16DB20
              APIs
              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00776BBF
              • SafeArrayAllocData.OLEAUT32(?), ref: 00776C18
              • VariantInit.OLEAUT32(?), ref: 00776C2A
              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00776C4A
              • VariantCopy.OLEAUT32(?,?), ref: 00776C9D
              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00776CB1
              • VariantClear.OLEAUT32(?), ref: 00776CC6
              • SafeArrayDestroyData.OLEAUT32(?), ref: 00776CD3
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00776CDC
              • VariantClear.OLEAUT32(?), ref: 00776CEE
              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00776CF9
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
              • String ID:
              • API String ID: 2706829360-0
              • Opcode ID: 52c1fb0926ad728cfbd595f83fb80e8c988c8f289bdb3113d13bf5ec3f1f181c
              • Instruction ID: 7331eee5a3bc27718714341808c2521bc9def4d9ccfd3926b55cbdfd63c94b0f
              • Opcode Fuzzy Hash: 52c1fb0926ad728cfbd595f83fb80e8c988c8f289bdb3113d13bf5ec3f1f181c
              • Instruction Fuzzy Hash: 77417F71A00219DFCF00DFA8D8489EEBBB9EF48350F04C069E955E7261DB38A945CFA4
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • GetSystemMetrics.USER32(0000000F), ref: 007AD47C
              • GetSystemMetrics.USER32(0000000F), ref: 007AD49C
              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007AD6D7
              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007AD6F5
              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007AD716
              • ShowWindow.USER32(00000003,00000000), ref: 007AD735
              • InvalidateRect.USER32(?,00000000,00000001), ref: 007AD75A
              • DefDlgProcW.USER32(?,00000005,?,?), ref: 007AD77D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
              • String ID: P`
              • API String ID: 1211466189-2971936014
              • Opcode ID: 7fcf51f075a8b1ffeb4a6e15928e73b193d3157a81c9e53e7666e95cf80d4a85
              • Instruction ID: 05f4da3d6327001c951cc9ec885558fd32ca395b7c48c21167afb0965dbe650e
              • Opcode Fuzzy Hash: 7fcf51f075a8b1ffeb4a6e15928e73b193d3157a81c9e53e7666e95cf80d4a85
              • Instruction Fuzzy Hash: DCB19C71500215EBDF28CF68C9C97AD7BB1BF89701F08C269EC4A9B695D738AD50CB50
              APIs
              • WSAStartup.WSOCK32(00000101,?), ref: 00795793
              • inet_addr.WSOCK32(?,?,?), ref: 007957D8
              • gethostbyname.WSOCK32(?), ref: 007957E4
              • IcmpCreateFile.IPHLPAPI ref: 007957F2
              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00795862
              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00795878
              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 007958ED
              • WSACleanup.WSOCK32 ref: 007958F3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
              • String ID: Ping
              • API String ID: 1028309954-2246546115
              • Opcode ID: 7e9218a6909d36a408f98feb687d12d8d1cf8fa3879394f975a74600690275a0
              • Instruction ID: 45e8adf1f20c0e602a194de9788db1ce9ba6b56eb40f47680e518310a82958c3
              • Opcode Fuzzy Hash: 7e9218a6909d36a408f98feb687d12d8d1cf8fa3879394f975a74600690275a0
              • Instruction Fuzzy Hash: D7516D71604710DFDB11AF64EC49F2AB7E4EF49720F048929F996DB2A1DB38E900DB45
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0078B4D0
              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0078B546
              • GetLastError.KERNEL32 ref: 0078B550
              • SetErrorMode.KERNEL32(00000000,READY), ref: 0078B5BD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Error$Mode$DiskFreeLastSpace
              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
              • API String ID: 4194297153-14809454
              • Opcode ID: 242b57d26e20d18d0de06708beb3af89e53eb23f5728496ccd95d1b3644b9ad7
              • Instruction ID: 71634be749ac2ae5ec5952bd696409f149946cb5ceec5d0787bea0a1e0b49e02
              • Opcode Fuzzy Hash: 242b57d26e20d18d0de06708beb3af89e53eb23f5728496ccd95d1b3644b9ad7
              • Instruction Fuzzy Hash: 61319075A40209DFCB10FFA8D889EAE7BB4FF49310F148126F505D7291DB789A52CB91
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC
              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00779014
              • GetDlgCtrlID.USER32 ref: 0077901F
              • GetParent.USER32 ref: 0077903B
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0077903E
              • GetDlgCtrlID.USER32(?), ref: 00779047
              • GetParent.USER32(?), ref: 00779063
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00779066
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: 36ff2b06165cf4de50e00229393e9b68d5ac4295b71e9a8353d8895af32e079a
              • Instruction ID: a44a24a05d34a2af07a70a0de2c2391bd8591225f8ccf31c22d2f1a4fa24ee0f
              • Opcode Fuzzy Hash: 36ff2b06165cf4de50e00229393e9b68d5ac4295b71e9a8353d8895af32e079a
              • Instruction Fuzzy Hash: BB21F870A00108FBDF04ABA0CC89EFEBB74EF86310F108115F965972A1DB7D5815DB20
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC
              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007790FD
              • GetDlgCtrlID.USER32 ref: 00779108
              • GetParent.USER32 ref: 00779124
              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00779127
              • GetDlgCtrlID.USER32(?), ref: 00779130
              • GetParent.USER32(?), ref: 0077914C
              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0077914F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$CtrlParent$ClassName_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 1536045017-1403004172
              • Opcode ID: d19997302ce83134fe7a0b3c96679dc43b315fe6fd61d9bd4f5e987b3b052e6c
              • Instruction ID: c9ea08607bda9865842a8c230c7e5b4d8492ee2a5b07be919dda8221f3931f7d
              • Opcode Fuzzy Hash: d19997302ce83134fe7a0b3c96679dc43b315fe6fd61d9bd4f5e987b3b052e6c
              • Instruction Fuzzy Hash: CC210474A00108FBDF14ABA4CC89EFEBB78EF89300F008016FA55972A1DB7D5819DB20
              APIs
              • GetParent.USER32 ref: 0077916F
              • GetClassNameW.USER32(00000000,?,00000100), ref: 00779184
              • _wcscmp.LIBCMT ref: 00779196
              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00779211
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ClassMessageNameParentSend_wcscmp
              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
              • API String ID: 1704125052-3381328864
              • Opcode ID: 1945b15b45cf8ed44b34acd5fea663eca633a2cbbef6be74778949dd7d01cb62
              • Instruction ID: 2a57230b8a9dafd3a201b579a1a2d25a6ebb550ea4ce0beda369968d97214fe4
              • Opcode Fuzzy Hash: 1945b15b45cf8ed44b34acd5fea663eca633a2cbbef6be74778949dd7d01cb62
              • Instruction Fuzzy Hash: 20112777289317FAFE143624DC1EDA737ACAB11360B604026FA04E40D3FE6DA8215584
              APIs
              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00787A6C
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ArraySafeVartype
              • String ID:
              • API String ID: 1725837607-0
              • Opcode ID: 026636953163e951e3edeaf7644445bef464cd7bf269851019d79a3775e33f80
              • Instruction ID: c4c29c46980357e9b43497d13973e5084e2ab47ac0b5471239def9b6f9c6a5d2
              • Opcode Fuzzy Hash: 026636953163e951e3edeaf7644445bef464cd7bf269851019d79a3775e33f80
              • Instruction Fuzzy Hash: 80B19371944219DFDB04EFA4C884BBEBBB9FF49321F244429E602E7251D738E941CBA0
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 007811F0
              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00780268,?,00000001), ref: 00781204
              • GetWindowThreadProcessId.USER32(00000000), ref: 0078120B
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00780268,?,00000001), ref: 0078121A
              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0078122C
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00780268,?,00000001), ref: 00781245
              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00780268,?,00000001), ref: 00781257
              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00780268,?,00000001), ref: 0078129C
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00780268,?,00000001), ref: 007812B1
              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00780268,?,00000001), ref: 007812BC
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
              • String ID:
              • API String ID: 2156557900-0
              • Opcode ID: 274b40c70238aa01a36c4df0e95ad9c268051e30ad2e192d6ed4c8c643b6c720
              • Instruction ID: c0f590c9ca5262ad719602f2bd39283080d9250c28df01e79cce3aff474bd51f
              • Opcode Fuzzy Hash: 274b40c70238aa01a36c4df0e95ad9c268051e30ad2e192d6ed4c8c643b6c720
              • Instruction Fuzzy Hash: D331DD75741204FBDB60FF90EC88FA937ADBBA9355F508125F800CA1A0D3BC9D418B69
              APIs
              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0072FAA6
              • OleUninitialize.OLE32(?,00000000), ref: 0072FB45
              • UnregisterHotKey.USER32(?), ref: 0072FC9C
              • DestroyWindow.USER32(?), ref: 007645D6
              • FreeLibrary.KERNEL32(?), ref: 0076463B
              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00764668
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
              • String ID: close all
              • API String ID: 469580280-3243417748
              • Opcode ID: 942241a290e3781bcbe07a3819f8a2509581cebcc1456d2ade0f6ccc939af975
              • Instruction ID: 5ff9698a691347d0818317105d63525235f9a13cd2cff1ef12d01c623a280448
              • Opcode Fuzzy Hash: 942241a290e3781bcbe07a3819f8a2509581cebcc1456d2ade0f6ccc939af975
              • Instruction Fuzzy Hash: 81A19070701222CFDB19EF14D598A69F774BF05700F5442BDE90AAB262DB38AC56CF50
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Variant$ClearInit$_memset
              • String ID: ,,{$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
              • API String ID: 2862541840-3894331932
              • Opcode ID: c738f593f949ce988eaf410304e619773fcd4695ea04d9d2923fdb868dc9e5e5
              • Instruction ID: 1bd00cc4b08f7f5d70c9878be55ccb83555c4c898b28831503e6782e65ca2942
              • Opcode Fuzzy Hash: c738f593f949ce988eaf410304e619773fcd4695ea04d9d2923fdb868dc9e5e5
              • Instruction Fuzzy Hash: 06917E71A00219EBEF24DFA9D848FAEB7B8EF45710F10815DF615AB280D7789945CFA0
              APIs
              • EnumChildWindows.USER32(?,0077A439), ref: 0077A377
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ChildEnumWindows
              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
              • API String ID: 3555792229-1603158881
              • Opcode ID: 7e3057141bbea2686cbd22153833c2220c634bf84d5cd1271b2055edfd930b56
              • Instruction ID: 2b95c41e43d97c170ace69db57688e31980a946d9f66d9ea965ccf96cc1d6178
              • Opcode Fuzzy Hash: 7e3057141bbea2686cbd22153833c2220c634bf84d5cd1271b2055edfd930b56
              • Instruction Fuzzy Hash: DE91AF31A04606EAEF08DFA0C459BEDFB74BF84340F54C129E84DA7251DB396999CBD1
              APIs
              • IsWindow.USER32(00E26050), ref: 007AB3EB
              • IsWindowEnabled.USER32(00E26050), ref: 007AB3F7
              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007AB4DB
              • SendMessageW.USER32(00E26050,000000B0,?,?), ref: 007AB512
              • IsDlgButtonChecked.USER32(?,?), ref: 007AB54F
              • GetWindowLongW.USER32(00E26050,000000EC), ref: 007AB571
              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007AB589
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
              • String ID: P`
              • API String ID: 4072528602-2971936014
              • Opcode ID: ef34f7f1fb1bdadca2df5111aa82b65e5138ff89db5ad3dcd639d8af45dfc62a
              • Instruction ID: 04c1bf985d1c7825a3c6d0e849fd7b820a198f20cd63127e901f007f75090de9
              • Opcode Fuzzy Hash: ef34f7f1fb1bdadca2df5111aa82b65e5138ff89db5ad3dcd639d8af45dfc62a
              • Instruction Fuzzy Hash: 4871AF34605284EFDF209F95C894FBA7BB9EF8F300F148269E945972A3C739A950DB50
              APIs
              • SetWindowLongW.USER32(?,000000EB), ref: 00722EAE
                • Part of subcall function 00721DB3: GetClientRect.USER32(?,?), ref: 00721DDC
                • Part of subcall function 00721DB3: GetWindowRect.USER32(?,?), ref: 00721E1D
                • Part of subcall function 00721DB3: ScreenToClient.USER32(?,?), ref: 00721E45
              • GetDC.USER32 ref: 0075CD32
              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0075CD45
              • SelectObject.GDI32(00000000,00000000), ref: 0075CD53
              • SelectObject.GDI32(00000000,00000000), ref: 0075CD68
              • ReleaseDC.USER32(?,00000000), ref: 0075CD70
              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0075CDFB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
              • String ID: U
              • API String ID: 4009187628-3372436214
              • Opcode ID: 413ed54c66d8f6af3072921c53051b0d0b6ab3033bb57c45573b63cd03f640c8
              • Instruction ID: b721aebddb6d9c9b383bade7a42b385d583ce4a596425b76ee70abc8be7660e0
              • Opcode Fuzzy Hash: 413ed54c66d8f6af3072921c53051b0d0b6ab3033bb57c45573b63cd03f640c8
              • Instruction Fuzzy Hash: 4471D231900309EFCF229F64CC84BEA7BB5FF49315F18426AED559A2A6C7788C45DB60
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00791A50
              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00791A7C
              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00791ABE
              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00791AD3
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00791AE0
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00791B10
              • InternetCloseHandle.WININET(00000000), ref: 00791B57
                • Part of subcall function 00792483: GetLastError.KERNEL32(?,?,00791817,00000000,00000000,00000001), ref: 00792498
                • Part of subcall function 00792483: SetEvent.KERNEL32(?,?,00791817,00000000,00000000,00000001), ref: 007924AD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
              • String ID:
              • API String ID: 2603140658-3916222277
              • Opcode ID: d3e947783936d35bf35bdb94e938e746bc164116ac1f0fdf15903fa4136e1edb
              • Instruction ID: c884b6f07889c1a98bb8a487e564d189d6699d3851abae64f6a448b2450ed1bf
              • Opcode Fuzzy Hash: d3e947783936d35bf35bdb94e938e746bc164116ac1f0fdf15903fa4136e1edb
              • Instruction Fuzzy Hash: 9341A1B1501219BFEF119F60DC89FFB7BADEF09350F408126F9059A191E7789E508BA4
              APIs
              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007A62EC
              • GetWindowLongW.USER32(00E26050,000000F0), ref: 007A631F
              • GetWindowLongW.USER32(00E26050,000000F0), ref: 007A6354
              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007A6386
              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007A63B0
              • GetWindowLongW.USER32(00000000,000000F0), ref: 007A63C1
              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007A63DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: LongWindow$MessageSend
              • String ID: P`
              • API String ID: 2178440468-2971936014
              • Opcode ID: 01e544deec5187832cd4231942e8e198a3d26dd562ab5ed6b5814c1133cb42c3
              • Instruction ID: 5dd0ab784a5db7ec7a8db530742645680e7bee0c7f6e22a1702247ff79ae5b93
              • Opcode Fuzzy Hash: 01e544deec5187832cd4231942e8e198a3d26dd562ab5ed6b5814c1133cb42c3
              • Instruction Fuzzy Hash: E0313138640284EFDB20CF58DC84F5937E1FB8A714F1982A8F6118F2B2CB79A8419B55
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,007AF910), ref: 00798D28
              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007AF910), ref: 00798D5C
              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00798ED6
              • SysFreeString.OLEAUT32(?), ref: 00798F00
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Free$FileLibraryModuleNamePathQueryStringType
              • String ID:
              • API String ID: 560350794-0
              • Opcode ID: cf1ec89319b09b657a5bf7e3d5803ae0aa8a7cd5b6091f8ed29759d9aff2d762
              • Instruction ID: ead94d182b7f0ef84ff2896580815e372ad31fd21e535436227707b51ebdae73
              • Opcode Fuzzy Hash: cf1ec89319b09b657a5bf7e3d5803ae0aa8a7cd5b6091f8ed29759d9aff2d762
              • Instruction Fuzzy Hash: 39F19D71A00209EFDF44DF98D888EAEB7B9FF49314F108098F915AB251DB35AE41CB61
              APIs
              • _memset.LIBCMT ref: 0079F6B5
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079F848
              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079F86C
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079F8AC
              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079F8CE
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0079FA4A
              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0079FA7C
              • CloseHandle.KERNEL32(?), ref: 0079FAAB
              • CloseHandle.KERNEL32(?), ref: 0079FB22
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
              • String ID:
              • API String ID: 4090791747-0
              • Opcode ID: b1988d9a0c94d3b52792b78608ae1ab9cb5dd21fb964bf9044a911f384a35794
              • Instruction ID: 6eb08110bedbd5f6ed78393803d5af8200fd15297c7013eb677daa211f336274
              • Opcode Fuzzy Hash: b1988d9a0c94d3b52792b78608ae1ab9cb5dd21fb964bf9044a911f384a35794
              • Instruction Fuzzy Hash: 2EE1AF71604300DFCB14EF24D885B6ABBE1EF85354F18856DF9999B2A2DB38EC41CB52
              APIs
                • Part of subcall function 0078466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00783697,?), ref: 0078468B
                • Part of subcall function 0078466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00783697,?), ref: 007846A4
                • Part of subcall function 00784A31: GetFileAttributesW.KERNEL32(?,0078370B), ref: 00784A32
              • lstrcmpiW.KERNEL32(?,?), ref: 00784D40
              • _wcscmp.LIBCMT ref: 00784D5A
              • MoveFileW.KERNEL32(?,?), ref: 00784D75
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
              • String ID:
              • API String ID: 793581249-0
              • Opcode ID: 62e713dccb7172ac835fbabb67aa8a2a48410f5c66496d2256b9777e8efd50f9
              • Instruction ID: 42a402f9a89551f9be4dd5391ee467a34b6f12958199d77fb95f28792939ae83
              • Opcode Fuzzy Hash: 62e713dccb7172ac835fbabb67aa8a2a48410f5c66496d2256b9777e8efd50f9
              • Instruction Fuzzy Hash: A05175B2548385DBC724EBA0D8859DFB3ECAF85310F40492EF689D3151EF78A588C766
              APIs
              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0075C2F7
              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0075C319
              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0075C331
              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0075C34F
              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0075C370
              • DestroyIcon.USER32(00000000), ref: 0075C37F
              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0075C39C
              • DestroyIcon.USER32(?), ref: 0075C3AB
                • Part of subcall function 007AA4AF: DeleteObject.GDI32(00000000), ref: 007AA4E8
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
              • String ID:
              • API String ID: 2819616528-0
              • Opcode ID: c0db0d8cc41d9b01ef85d31c121f87c987fe91edd7b6dd82e9f15cc5152971b7
              • Instruction ID: 5abb7d6cb574173d353f640d48c56d133807d10d6477e3d125cf08263cc3a994
              • Opcode Fuzzy Hash: c0db0d8cc41d9b01ef85d31c121f87c987fe91edd7b6dd82e9f15cc5152971b7
              • Instruction Fuzzy Hash: 68515970600309FFDB24DF64DC45BAA3BA5EB58311F108528F942972A1DBB8ED91DB60
              APIs
                • Part of subcall function 0077A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0077A84C
                • Part of subcall function 0077A82C: GetCurrentThreadId.KERNEL32 ref: 0077A853
                • Part of subcall function 0077A82C: AttachThreadInput.USER32(00000000,?,00779683,?,00000001), ref: 0077A85A
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0077968E
              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007796AB
              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007796AE
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 007796B7
              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007796D5
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007796D8
              • MapVirtualKeyW.USER32(00000025,00000000), ref: 007796E1
              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007796F8
              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007796FB
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
              • String ID:
              • API String ID: 2014098862-0
              • Opcode ID: 0f259e9bc9c42f063f41f89fae6747e2802c842141581820f1fd2cb50cb26639
              • Instruction ID: 72488cd9d0e2a3e302ac17e49556b9e1783b4a61e1082deddd647cb69a360c5b
              • Opcode Fuzzy Hash: 0f259e9bc9c42f063f41f89fae6747e2802c842141581820f1fd2cb50cb26639
              • Instruction Fuzzy Hash: 7C11E571910618FEFA106FA0DC89F6A3B1DEB8D791F104425F344AB0E0C9F65C11DEA8
              APIs
              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0077853C,00000B00,?,?), ref: 0077892A
              • HeapAlloc.KERNEL32(00000000,?,0077853C,00000B00,?,?), ref: 00778931
              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0077853C,00000B00,?,?), ref: 00778946
              • GetCurrentProcess.KERNEL32(?,00000000,?,0077853C,00000B00,?,?), ref: 0077894E
              • DuplicateHandle.KERNEL32(00000000,?,0077853C,00000B00,?,?), ref: 00778951
              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0077853C,00000B00,?,?), ref: 00778961
              • GetCurrentProcess.KERNEL32(0077853C,00000000,?,0077853C,00000B00,?,?), ref: 00778969
              • DuplicateHandle.KERNEL32(00000000,?,0077853C,00000B00,?,?), ref: 0077896C
              • CreateThread.KERNEL32(00000000,00000000,00778992,00000000,00000000,00000000), ref: 00778986
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
              • String ID:
              • API String ID: 1957940570-0
              • Opcode ID: b50a03abe7f85822c05b74d79aa88a7764e25e90931cdd5bfc26b825ff15a1bd
              • Instruction ID: 232ad303df1ebb487e2a3f1416ed0ff0a7283c47de5718ad951ea7daa94757fa
              • Opcode Fuzzy Hash: b50a03abe7f85822c05b74d79aa88a7764e25e90931cdd5bfc26b825ff15a1bd
              • Instruction Fuzzy Hash: 2F01A8B5240308FFE660ABA5DC4DF6B3BACEB89711F418421FA05DB1A1DA749C008A25
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID: NULL Pointer assignment$Not an Object type
              • API String ID: 0-572801152
              • Opcode ID: 30401e1811a9c74719e2d50ed1cd5918231b5b43e74adee9829d2fd9a2bb45bc
              • Instruction ID: c80a458392a9b8791421dfa18648785d91c43e57e3027f732c94b249cfb6ba8f
              • Opcode Fuzzy Hash: 30401e1811a9c74719e2d50ed1cd5918231b5b43e74adee9829d2fd9a2bb45bc
              • Instruction Fuzzy Hash: 38C19571A002099FEF10DFA8E884BAEB7F5FF48354F14846DEA05A7281E7789D41CB60
              APIs
                • Part of subcall function 0077710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?,?,00777455), ref: 00777127
                • Part of subcall function 0077710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 00777142
                • Part of subcall function 0077710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 00777150
                • Part of subcall function 0077710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?), ref: 00777160
              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00799806
              • _memset.LIBCMT ref: 00799813
              • _memset.LIBCMT ref: 00799956
              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00799982
              • CoTaskMemFree.OLE32(?), ref: 0079998D
              Strings
              • NULL Pointer assignment, xrefs: 007999DB
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
              • String ID: NULL Pointer assignment
              • API String ID: 1300414916-2785691316
              • Opcode ID: 04093938b713d95de507fff54fb785a095d30f5285e6b897e391739f15e4236b
              • Instruction ID: 1fabe908cb52b2dfc0a02fdb85233e26fef47208d3e322dde183174fd31013a9
              • Opcode Fuzzy Hash: 04093938b713d95de507fff54fb785a095d30f5285e6b897e391739f15e4236b
              • Instruction Fuzzy Hash: AD912671D00229EBDF10DFA4E845ADEBBB9EF09310F10815AE519A7251DB79AA44CFA0
              APIs
                • Part of subcall function 0073FC86: _wcscpy.LIBCMT ref: 0073FCA9
              • _memset.LIBCMT ref: 00782B87
              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00782BB6
              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00782C69
              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00782C97
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ItemMenu$Info$Default_memset_wcscpy
              • String ID: 0$a$a
              • API String ID: 4152858687-1215725937
              • Opcode ID: 086eebbdaf87714a330a9aa4408e7f5fa263d6657121f78345d0f24d13b9bdc2
              • Instruction ID: 82877e079fa19d3c66a87494f05b22479cf9b2aebc6ea069b213adc4eea2642b
              • Opcode Fuzzy Hash: 086eebbdaf87714a330a9aa4408e7f5fa263d6657121f78345d0f24d13b9bdc2
              • Instruction Fuzzy Hash: F951C1B16493009AD724AF28D84967F7BE4EF49321F044A2DF895D61E2DB78CC0687A2
              APIs
              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007A6E24
              • SendMessageW.USER32(?,00001036,00000000,?), ref: 007A6E38
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007A6E52
              • _wcscat.LIBCMT ref: 007A6EAD
              • SendMessageW.USER32(?,00001057,00000000,?), ref: 007A6EC4
              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007A6EF2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$Window_wcscat
              • String ID: SysListView32
              • API String ID: 307300125-78025650
              • Opcode ID: 24877963418c1978908cdddfd727718d32a7e6dbffef88e508f60e113728b7f0
              • Instruction ID: 2a92d9b2fc50befb1e69c81a0b8568acfc2d42113d32257bb3d4dc5d087228c1
              • Opcode Fuzzy Hash: 24877963418c1978908cdddfd727718d32a7e6dbffef88e508f60e113728b7f0
              • Instruction Fuzzy Hash: 0B41A171A00348EFDF219FA4CC85BEA77A8EF49350F14452AF644E7291D6799D848B60
              APIs
                • Part of subcall function 00783C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00783C7A
                • Part of subcall function 00783C55: Process32FirstW.KERNEL32(00000000,?), ref: 00783C88
                • Part of subcall function 00783C55: CloseHandle.KERNEL32(00000000), ref: 00783D52
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079E9A4
              • GetLastError.KERNEL32 ref: 0079E9B7
              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079E9E6
              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0079EA63
              • GetLastError.KERNEL32(00000000), ref: 0079EA6E
              • CloseHandle.KERNEL32(00000000), ref: 0079EAA3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
              • String ID: SeDebugPrivilege
              • API String ID: 2533919879-2896544425
              • Opcode ID: dd95f0274f24ff49363e81ab44b9eab365714f38d245d5272f5e897d0960376a
              • Instruction ID: 2f7defb2eaa73b82a301fc63ef4a97631d133a510c3c629fcb918e07954a43f2
              • Opcode Fuzzy Hash: dd95f0274f24ff49363e81ab44b9eab365714f38d245d5272f5e897d0960376a
              • Instruction Fuzzy Hash: 3A419A71200200DFDF14EF64DCA9F6EBBA5AF81354F08C458F9469B2D2CB78A804CB96
              APIs
              • _memset.LIBCMT ref: 007A72AA
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A7351
              • IsMenu.USER32(?), ref: 007A7369
              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A73B1
              • DrawMenuBar.USER32 ref: 007A73C4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Menu$Item$DrawInfoInsert_memset
              • String ID: 0$P`
              • API String ID: 3866635326-3728011039
              • Opcode ID: 9d9d1939be7b7286ba468adfbe123e0cc273f2aaf3cfb80840577acd022d3255
              • Instruction ID: f1c28ebd31330faddcea7dcd1070d817863f2205e82c245d6ecee2b7824eccb1
              • Opcode Fuzzy Hash: 9d9d1939be7b7286ba468adfbe123e0cc273f2aaf3cfb80840577acd022d3255
              • Instruction Fuzzy Hash: FB413575A01288EFDF24DF50D884AAABBB8FF4A314F158629FD05AB250D738AD14DF50
              APIs
              • LoadIconW.USER32(00000000,00007F03), ref: 00783033
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: IconLoad
              • String ID: blank$info$question$stop$warning
              • API String ID: 2457776203-404129466
              • Opcode ID: e6e722c78576c56a1a89b8c36a9b9649e71613e138bb107ef6e86edc9e40ea86
              • Instruction ID: e279c763c35f6ece7d4a669c7bf93b4c8294e1aee640da20215f98322da9331f
              • Opcode Fuzzy Hash: e6e722c78576c56a1a89b8c36a9b9649e71613e138bb107ef6e86edc9e40ea86
              • Instruction Fuzzy Hash: 9D112B31388346BED714AB58DC46C6B77ACDF15720B50002BF900E6282DB7C9F5157A5
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00784312
              • LoadStringW.USER32(00000000), ref: 00784319
              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0078432F
              • LoadStringW.USER32(00000000), ref: 00784336
              • _wprintf.LIBCMT ref: 0078435C
              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0078437A
              Strings
              • %s (%d) : ==> %s: %s %s, xrefs: 00784357
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: HandleLoadModuleString$Message_wprintf
              • String ID: %s (%d) : ==> %s: %s %s
              • API String ID: 3648134473-3128320259
              • Opcode ID: 2530e9f3718a1a6895e1c4e6986ea06bc249e674a4697857b1695913b05def2b
              • Instruction ID: ab97a246ef3e8ac7f04b378d6d0fcba70c5dad11f782dab661dae41d0a4edf90
              • Opcode Fuzzy Hash: 2530e9f3718a1a6895e1c4e6986ea06bc249e674a4697857b1695913b05def2b
              • Instruction Fuzzy Hash: 850162F294020CBFE751A7E0DD89EE7776CEB49300F0045A1F749E2051EA785E854B75
              APIs
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0075C1C7,00000004,00000000,00000000,00000000), ref: 00722ACF
              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0075C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00722B17
              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0075C1C7,00000004,00000000,00000000,00000000), ref: 0075C21A
              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0075C1C7,00000004,00000000,00000000,00000000), ref: 0075C286
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ShowWindow
              • String ID:
              • API String ID: 1268545403-0
              • Opcode ID: 5fd7eab34080901f5a75c75dfb667356506e9c66bd016af20ee513e44ccbd2a5
              • Instruction ID: 87c7e7da1754d5402db779113b8117c2e5af4ee3a94fbeb1713d903604911fec
              • Opcode Fuzzy Hash: 5fd7eab34080901f5a75c75dfb667356506e9c66bd016af20ee513e44ccbd2a5
              • Instruction Fuzzy Hash: C241FB306047D0FEC7368B68AC8CBAA7BE2BB86310F54C42DE94746962C67DD887D710
              APIs
              • InterlockedExchange.KERNEL32(?,000001F5), ref: 007870DD
                • Part of subcall function 00740DB6: std::exception::exception.LIBCMT ref: 00740DEC
                • Part of subcall function 00740DB6: __CxxThrowException@8.LIBCMT ref: 00740E01
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00787114
              • EnterCriticalSection.KERNEL32(?), ref: 00787130
              • _memmove.LIBCMT ref: 0078717E
              • _memmove.LIBCMT ref: 0078719B
              • LeaveCriticalSection.KERNEL32(?), ref: 007871AA
              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007871BF
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 007871DE
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
              • String ID:
              • API String ID: 256516436-0
              • Opcode ID: b5ecceac75cc57e6b58f368b51a3aab3217e1999645204a8029f6491e7d93c6c
              • Instruction ID: 8495bdd07388b48ba0881abc69a11cab502512491b0e7de6926611e39a09077c
              • Opcode Fuzzy Hash: b5ecceac75cc57e6b58f368b51a3aab3217e1999645204a8029f6491e7d93c6c
              • Instruction Fuzzy Hash: D9317031D00205EBCB10EFA4DC89AAEB778FF85710F1481B5E904AB246DB38DE14CBA4
              APIs
              • DeleteObject.GDI32(00000000), ref: 007A61EB
              • GetDC.USER32(00000000), ref: 007A61F3
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A61FE
              • ReleaseDC.USER32(00000000,00000000), ref: 007A620A
              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007A6246
              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007A6257
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007A902A,?,?,000000FF,00000000,?,000000FF,?), ref: 007A6291
              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007A62B1
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
              • String ID:
              • API String ID: 3864802216-0
              • Opcode ID: 918610b3deaa1600c4527eacbfcfcfaed66ca2dc37dce203f1fa212414b3edbe
              • Instruction ID: 062e094b14f6f520f88efdf8a2ec48a614d36021d531f8a6d0d7d4c6f0dd8f25
              • Opcode Fuzzy Hash: 918610b3deaa1600c4527eacbfcfcfaed66ca2dc37dce203f1fa212414b3edbe
              • Instruction Fuzzy Hash: F9314F72101214BFEB118F50CC8AFEB3BA9FF8A765F084165FE089A191D6799C41CB64
              APIs
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
                • Part of subcall function 0073FC86: _wcscpy.LIBCMT ref: 0073FCA9
              • _wcstok.LIBCMT ref: 0078EC94
              • _wcscpy.LIBCMT ref: 0078ED23
              • _memset.LIBCMT ref: 0078ED56
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
              • String ID: X
              • API String ID: 774024439-3081909835
              • Opcode ID: 0bee63c50001f68160ad4df2a255bca2f11ec548f57153ccfc7168449600291c
              • Instruction ID: 44f2fde0a902581a8d9bebf5ef4e7978211287c1b7bd0fd68607b1a1477d6c3f
              • Opcode Fuzzy Hash: 0bee63c50001f68160ad4df2a255bca2f11ec548f57153ccfc7168449600291c
              • Instruction Fuzzy Hash: 88C19C71608710DFC754EF24D889A6AB7E4FF85310F04492DF9999B2A2DB38EC45CB92
              APIs
              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00796C00
              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00796C21
              • WSAGetLastError.WSOCK32(00000000), ref: 00796C34
              • htons.WSOCK32(?,?,?,00000000,?), ref: 00796CEA
              • inet_ntoa.WSOCK32(?), ref: 00796CA7
                • Part of subcall function 0077A7E9: _strlen.LIBCMT ref: 0077A7F3
                • Part of subcall function 0077A7E9: _memmove.LIBCMT ref: 0077A815
              • _strlen.LIBCMT ref: 00796D44
              • _memmove.LIBCMT ref: 00796DAD
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
              • String ID:
              • API String ID: 3619996494-0
              • Opcode ID: 742aa569f086c4be90f04a8c17245e9d3957630aad6edad8cfdd12038512c1ff
              • Instruction ID: c946a9f3231f59cdc69475be8a47520cecd553ea83f53f5a1543cd79797b7169
              • Opcode Fuzzy Hash: 742aa569f086c4be90f04a8c17245e9d3957630aad6edad8cfdd12038512c1ff
              • Instruction Fuzzy Hash: A381E471204310EBDB10EF24EC89E6AB7E8AF84714F548A1CF5559B292DB78ED04CB91
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e545a8a09eb64da0db2bcc4ce7307df38d775e7cde37c2fca618592e889a68f6
              • Instruction ID: 00457b2ff26d8837ef51fc63d8cf0ca601f58c270b2e59defbd75d40547775b7
              • Opcode Fuzzy Hash: e545a8a09eb64da0db2bcc4ce7307df38d775e7cde37c2fca618592e889a68f6
              • Instruction Fuzzy Hash: 0E717C30900119EFCB04DF98DC89ABFBB79FF99310F648159F915AA251C738AA51CFA4
              APIs
              • _memset.LIBCMT ref: 0079F448
              • _memset.LIBCMT ref: 0079F511
              • ShellExecuteExW.SHELL32(?), ref: 0079F556
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
                • Part of subcall function 0073FC86: _wcscpy.LIBCMT ref: 0073FCA9
              • GetProcessId.KERNEL32(00000000), ref: 0079F5CD
              • CloseHandle.KERNEL32(00000000), ref: 0079F5FC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
              • String ID: @
              • API String ID: 3522835683-2766056989
              • Opcode ID: 93fef1453c18f136150a8304a484d258b3656931ebeb8605aaf1253a8eb0bac0
              • Instruction ID: 380d4983941eb426828f3d20bef5508e9f48d4a53de05535905e0bdcb04d35d5
              • Opcode Fuzzy Hash: 93fef1453c18f136150a8304a484d258b3656931ebeb8605aaf1253a8eb0bac0
              • Instruction Fuzzy Hash: 6B61BE75A00629DFCF04EFA4D8859AEBBF5FF49310F188069E855AB351CB38AD41CB94
              APIs
              • GetParent.USER32(?), ref: 00780F8C
              • GetKeyboardState.USER32(?), ref: 00780FA1
              • SetKeyboardState.USER32(?), ref: 00781002
              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00781030
              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0078104F
              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00781095
              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 007810B8
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: a8112544c6cd3abde0da2a47159f3eff734df547313a2f4241849a7704874a1c
              • Instruction ID: eeef7302a53de7886ab94521c515d2c041a66b13b5a79f9a66472d6152a0a462
              • Opcode Fuzzy Hash: a8112544c6cd3abde0da2a47159f3eff734df547313a2f4241849a7704874a1c
              • Instruction Fuzzy Hash: 165103A0A847D53DFB3662348C09BB6BFAD6B06300F088589E2D8858C3C29DDCDAD751
              APIs
              • GetParent.USER32(00000000), ref: 00780DA5
              • GetKeyboardState.USER32(?), ref: 00780DBA
              • SetKeyboardState.USER32(?), ref: 00780E1B
              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00780E47
              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00780E64
              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00780EA8
              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00780EC9
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessagePost$KeyboardState$Parent
              • String ID:
              • API String ID: 87235514-0
              • Opcode ID: 5032f6883cb0bc7e27887208b3cf7c86c2fe46eae5e8e6706bbf3a4b0408f30d
              • Instruction ID: 4b7612a8f219f7129f1ca43cdce59b03cb51dad3b3772887b67acb8426916b1c
              • Opcode Fuzzy Hash: 5032f6883cb0bc7e27887208b3cf7c86c2fe46eae5e8e6706bbf3a4b0408f30d
              • Instruction Fuzzy Hash: CC51E7A06847D57DFB7267748C45B7B7EA96B06300F088889F1D4864C2D399AC9DD7A0
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _wcsncpy$LocalTime
              • String ID:
              Strings
              Similarity
              • API ID:
              • String ID: P`
              APIs
              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0077D5D4
              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0077D60A
              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0077D61B
              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0077D69D
              Strings
              Similarity
              • API ID: ErrorMode$AddressCreateInstanceProc
              • String ID: ,,{$DllGetClassObject
              APIs
                • Part of subcall function 0078466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00783697,?), ref: 0078468B
                • Part of subcall function 0078466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00783697,?), ref: 007846A4
              • lstrcmpiW.KERNEL32(?,?), ref: 007836B7
              • _wcscmp.LIBCMT ref: 007836D3
              • MoveFileW.KERNEL32(?,?), ref: 007836EB
              • _wcscat.LIBCMT ref: 00783733
              • SHFileOperationW.SHELL32(?), ref: 0078379F
              Strings
              Similarity
              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
              • String ID: \*.*
              APIs
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007A0FD4
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007A0FFE
              • FreeLibrary.KERNEL32(00000000), ref: 007A10B5
                • Part of subcall function 007A0FA5: RegCloseKey.ADVAPI32(?), ref: 007A101B
                • Part of subcall function 007A0FA5: FreeLibrary.KERNEL32(?), ref: 007A106D
                • Part of subcall function 007A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007A1090
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 007A1058
              Similarity
              • API ID: EnumFreeLibrary$CloseDeleteOpen
              • String ID:
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077DB2E
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077DB54
              • SysAllocString.OLEAUT32(00000000), ref: 0077DB57
              • SysAllocString.OLEAUT32(?), ref: 0077DB75
              • SysFreeString.OLEAUT32(?), ref: 0077DB7E
              • StringFromGUID2.OLE32(?,?,00000028), ref: 0077DBA3
              • SysAllocString.OLEAUT32(?), ref: 0077DBB1
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              APIs
                • Part of subcall function 00797D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00797DB6
              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007961C6
              • WSAGetLastError.WSOCK32(00000000), ref: 007961D5
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0079620E
              • connect.WSOCK32(00000000,?,00000010), ref: 00796217
              • WSAGetLastError.WSOCK32 ref: 00796221
              • closesocket.WSOCK32(00000000), ref: 0079624A
              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00796263
              Similarity
              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
              • String ID:
              APIs
              Strings
              Similarity
              • API ID: __wcsnicmp
              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
              APIs
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077DC09
              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077DC2F
              • SysAllocString.OLEAUT32(00000000), ref: 0077DC32
              • SysAllocString.OLEAUT32 ref: 0077DC53
              • SysFreeString.OLEAUT32 ref: 0077DC5C
              • StringFromGUID2.OLE32(?,?,00000028), ref: 0077DC76
              • SysAllocString.OLEAUT32(?), ref: 0077DC84
              Similarity
              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
              • String ID:
              APIs
                • Part of subcall function 00721D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00721D73
                • Part of subcall function 00721D35: GetStockObject.GDI32(00000011), ref: 00721D87
                • Part of subcall function 00721D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00721D91
              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007A7632
              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007A763F
              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007A764A
              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007A7659
              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007A7665
              Strings
              Similarity
              • API ID: MessageSend$CreateObjectStockWindow
              • String ID: Msctls_Progress32
              APIs
              • __init_pointers.LIBCMT ref: 00749AE6
                • Part of subcall function 00743187: EncodePointer.KERNEL32(00000000), ref: 0074318A
                • Part of subcall function 00743187: __initp_misc_winsig.LIBCMT ref: 007431A5
                • Part of subcall function 00743187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00749EA0
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00749EB4
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00749EC7
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00749EDA
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00749EED
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00749F00
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00749F13
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00749F26
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00749F39
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00749F4C
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00749F5F
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00749F72
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00749F85
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00749F98
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00749FAB
                • Part of subcall function 00743187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00749FBE
              • __mtinitlocks.LIBCMT ref: 00749AEB
              • __mtterm.LIBCMT ref: 00749AF4
                • Part of subcall function 00749B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00749AF9,00747CD0,007DA0B8,00000014), ref: 00749C56
                • Part of subcall function 00749B5C: _free.LIBCMT ref: 00749C5D
                • Part of subcall function 00749B5C: DeleteCriticalSection.KERNEL32(02~,?,?,00749AF9,00747CD0,007DA0B8,00000014), ref: 00749C7F
              • __calloc_crt.LIBCMT ref: 00749B19
              • __initptd.LIBCMT ref: 00749B3B
              • GetCurrentThreadId.KERNEL32 ref: 00749B42
              Similarity
              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
              • String ID:
              APIs
              • _memset.LIBCMT ref: 007AB644
              • _memset.LIBCMT ref: 007AB653
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007E6F20,007E6F64), ref: 007AB682
              • CloseHandle.KERNEL32 ref: 007AB694
              Strings
              Similarity
              • API ID: _memset$CloseCreateHandleProcess
              • String ID: o~$do~
              APIs
              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00743F85), ref: 00744085
              • GetProcAddress.KERNEL32(00000000), ref: 0074408C
              • EncodePointer.KERNEL32(00000000), ref: 00744097
              • DecodePointer.KERNEL32(00743F85), ref: 007440B2
              Strings
              Similarity
              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
              • String ID: RoUninitialize$combase.dll
              APIs
              Similarity
              • API ID: _memmove$__itow__swprintf
              • String ID:
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 007A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079FDAD,?,?), ref: 007A0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007A02BD
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007A02FD
              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007A0320
              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007A0349
              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007A038C
              • RegCloseKey.ADVAPI32(00000000), ref: 007A0399
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
              • String ID:
              APIs
              • GetMenu.USER32(?), ref: 007A57FB
              • GetMenuItemCount.USER32(00000000), ref: 007A5832
              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007A585A
              • GetMenuItemID.USER32(?,?), ref: 007A58C9
              • GetSubMenu.USER32(?,?), ref: 007A58D7
              • PostMessageW.USER32(?,00000111,?,00000000), ref: 007A5928
              Similarity
              • API ID: Menu$Item$CountMessagePostString
              • String ID:
              APIs
              • VariantInit.OLEAUT32(?), ref: 0077EF06
              • VariantClear.OLEAUT32(00000013), ref: 0077EF78
              • VariantClear.OLEAUT32(00000000), ref: 0077EFD3
              • _memmove.LIBCMT ref: 0077EFFD
              • VariantClear.OLEAUT32(?), ref: 0077F04A
              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0077F078
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Variant$Clear$ChangeInitType_memmove
              • String ID:
              • API String ID: 1101466143-0
              • Opcode ID: 58b98edaef4f30951767471ca9eb070f79509bdba388419d8d3868881f12cc15
              • Instruction ID: 940c43def439863e8046c5c1d470462b1f4a924d74a46a3be2910bc7e359d766
              • Opcode Fuzzy Hash: 58b98edaef4f30951767471ca9eb070f79509bdba388419d8d3868881f12cc15
              • Instruction Fuzzy Hash: 3D516AB5A00209EFCB14DF58C884AAAB7B8FF4D354B158569ED59DB301E338E911CFA0
              APIs
              • _memset.LIBCMT ref: 00782258
              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007822A3
              • IsMenu.USER32(00000000), ref: 007822C3
              • CreatePopupMenu.USER32 ref: 007822F7
              • GetMenuItemCount.USER32(000000FF), ref: 00782355
              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00782386
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
              • String ID:
              • API String ID: 3311875123-0
              • Opcode ID: a6b73778cc865e2a8cdcb0e8bb86d15b14f8ffef8fe7ad9cf9903b81675413e0
              • Instruction ID: 7806389331a8557591fdbfe20ca263e6e8bf30f1cbe43177c112654e3086222f
              • Opcode Fuzzy Hash: a6b73778cc865e2a8cdcb0e8bb86d15b14f8ffef8fe7ad9cf9903b81675413e0
              • Instruction Fuzzy Hash: E251D270A40209EFDF21EF68D898BADBBF5FF46316F108129E81197692D77C8906CB51
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0072179A
              • GetWindowRect.USER32(?,?), ref: 007217FE
              • ScreenToClient.USER32(?,?), ref: 0072181B
              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0072182C
              • EndPaint.USER32(?,?), ref: 00721876
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: PaintWindow$BeginClientLongRectScreenViewport
              • String ID:
              • API String ID: 1827037458-0
              • Opcode ID: 7b94ad11a43fd1dfb1b30559c7e13923f4a41984c16338384c2f412e1b8d6875
              • Instruction ID: 2173949933fd06e08844c344e312e9aef5cf6e4b5245e680f718c6e9c4491ede
              • Opcode Fuzzy Hash: 7b94ad11a43fd1dfb1b30559c7e13923f4a41984c16338384c2f412e1b8d6875
              • Instruction Fuzzy Hash: A241AE30500754EFD710DF24DCC8BBA7BE8FB5A724F144668F9A48B2A1C778A845DB62
              APIs
              • ShowWindow.USER32(007E57B0,00000000,00E26050,?,?,007E57B0,?,007AB5A8,?,?), ref: 007AB712
              • EnableWindow.USER32(00000000,00000000), ref: 007AB736
              • ShowWindow.USER32(007E57B0,00000000,00E26050,?,?,007E57B0,?,007AB5A8,?,?), ref: 007AB796
              • ShowWindow.USER32(00000000,00000004,?,007AB5A8,?,?), ref: 007AB7A8
              • EnableWindow.USER32(00000000,00000001), ref: 007AB7CC
              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 007AB7EF
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$Show$Enable$MessageSend
              • String ID:
              • API String ID: 642888154-0
              • Opcode ID: 8977eae6ca4e3e1187791315fa42d528acba948e45cbac732d56239bd020917f
              • Instruction ID: 0ae0291e6d0901df3debbd560fa5aec9463a849a328fffd0238780bb3d2a95c6
              • Opcode Fuzzy Hash: 8977eae6ca4e3e1187791315fa42d528acba948e45cbac732d56239bd020917f
              • Instruction Fuzzy Hash: F8416034601240AFDB25CF24C499B947BE1FB86310F5882BAE9488F6A3C779AC56CB51
              APIs
              • GetForegroundWindow.USER32(?,?,?,?,?,?,00794E41,?,?,00000000,00000001), ref: 007970AC
                • Part of subcall function 007939A0: GetWindowRect.USER32(?,?), ref: 007939B3
              • GetDesktopWindow.USER32 ref: 007970D6
              • GetWindowRect.USER32(00000000), ref: 007970DD
              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0079710F
                • Part of subcall function 00785244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007852BC
              • GetCursorPos.USER32(?), ref: 0079713B
              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00797199
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
              • String ID:
              • API String ID: 4137160315-0
              • Opcode ID: f1e1e4181e0b4bdb11ce68b72ee5f60d01505161b4744859982be359ead40255
              • Instruction ID: 33a4b6969b6719c44724e87188b4ce125f385bb29e616ff3678ceee9acf64db8
              • Opcode Fuzzy Hash: f1e1e4181e0b4bdb11ce68b72ee5f60d01505161b4744859982be359ead40255
              • Instruction Fuzzy Hash: 98310472508309ABCB24EF54D849F9BB7E9FFC9314F000919F48597191CB38EA08CB96
              APIs
                • Part of subcall function 007780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007780C0
                • Part of subcall function 007780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007780CA
                • Part of subcall function 007780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007780D9
                • Part of subcall function 007780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007780E0
                • Part of subcall function 007780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007780F6
              • GetLengthSid.ADVAPI32(?,00000000,0077842F), ref: 007788CA
              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007788D6
              • HeapAlloc.KERNEL32(00000000), ref: 007788DD
              • CopySid.ADVAPI32(00000000,00000000,?), ref: 007788F6
              • GetProcessHeap.KERNEL32(00000000,00000000,0077842F), ref: 0077890A
              • HeapFree.KERNEL32(00000000), ref: 00778911
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
              • String ID:
              • API String ID: 3008561057-0
              • Opcode ID: b0daf58389a5c762ba2d8882de04b94aad5baa31403b24ea7d69d96f94881aa3
              • Instruction ID: f713ba195cb11ca32f8170d198611268abb3d54169ebc9bd7b99248d46a346ac
              • Opcode Fuzzy Hash: b0daf58389a5c762ba2d8882de04b94aad5baa31403b24ea7d69d96f94881aa3
              • Instruction Fuzzy Hash: A611AF31651209FFDF509FA4DC09BBE7B68EB85351F10C028E99997210CB3AAD00DF62
              APIs
              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007785E2
              • OpenProcessToken.ADVAPI32(00000000), ref: 007785E9
              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007785F8
              • CloseHandle.KERNEL32(00000004), ref: 00778603
              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00778632
              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00778646
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
              • String ID:
              • API String ID: 1413079979-0
              • Opcode ID: 15d927ab8d421becf6f09306eb15da98b5074e54fc012b84521065f5a35ec5ad
              • Instruction ID: ca4c24a1386c1f28c999feacb50d788c2495c61c9034989a25fefdcb9c90f274
              • Opcode Fuzzy Hash: 15d927ab8d421becf6f09306eb15da98b5074e54fc012b84521065f5a35ec5ad
              • Instruction Fuzzy Hash: AD115C72540209ABDF018FA4DD49BDE7BA9EF49344F048064FE04A2161C7798D60DB61
              APIs
              • GetDC.USER32(00000000), ref: 0077B7B5
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0077B7C6
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0077B7CD
              • ReleaseDC.USER32(00000000,00000000), ref: 0077B7D5
              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0077B7EC
              • MulDiv.KERNEL32(000009EC,?,?), ref: 0077B7FE
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CapsDevice$Release
              • String ID:
              • API String ID: 1035833867-0
              • Opcode ID: 9d017dc68154a3b2a5dcdf264163cd28cc8bec193c864735a5bb30db0e341c04
              • Instruction ID: fec0bf978dd809e84cacea3162429169609f4eaf8c839c4d434e40dd354b9bd5
              • Opcode Fuzzy Hash: 9d017dc68154a3b2a5dcdf264163cd28cc8bec193c864735a5bb30db0e341c04
              • Instruction Fuzzy Hash: E5018475E00209BBEF109BE69C49B5EBFB8EB89351F008076FA08A7291D6749C00CF91
              APIs
              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00740193
              • MapVirtualKeyW.USER32(00000010,00000000), ref: 0074019B
              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007401A6
              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007401B1
              • MapVirtualKeyW.USER32(00000011,00000000), ref: 007401B9
              • MapVirtualKeyW.USER32(00000012,00000000), ref: 007401C1
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Virtual
              • String ID:
              • API String ID: 4278518827-0
              • Opcode ID: 4fd732c8a6342e269fae53997258d880f1cdde691132cb4d6c3b83c21fafd411
              • Instruction ID: 685d4c9aedf825331d65fec0b1493d44f1ee6c59dc3749111009f8899a73f457
              • Opcode Fuzzy Hash: 4fd732c8a6342e269fae53997258d880f1cdde691132cb4d6c3b83c21fafd411
              • Instruction Fuzzy Hash: 68016CB0901759BDE3008F5A8C85B52FFA8FF59354F00411BE15C47941C7F5A864CBE5
              APIs
              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007853F9
              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0078540F
              • GetWindowThreadProcessId.USER32(?,?), ref: 0078541E
              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078542D
              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00785437
              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078543E
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
              • String ID:
              • API String ID: 839392675-0
              • Opcode ID: 2b3e96bf1490858b58e758a256bcb7903063a1b8588b64266cc7f5bd7aef5944
              • Instruction ID: 112b3868f22b926845a73aef411f400dd9f87b699b7392334037bb785b696de2
              • Opcode Fuzzy Hash: 2b3e96bf1490858b58e758a256bcb7903063a1b8588b64266cc7f5bd7aef5944
              • Instruction Fuzzy Hash: 1CF01D32241558BBE7215BE2DC0DEAB7A7CEBC7B11F004169FA04D105196A91A0186B9
              APIs
              • InterlockedExchange.KERNEL32(?,?), ref: 00787243
              • EnterCriticalSection.KERNEL32(?,?,00730EE4,?,?), ref: 00787254
              • TerminateThread.KERNEL32(00000000,000001F6,?,00730EE4,?,?), ref: 00787261
              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00730EE4,?,?), ref: 0078726E
                • Part of subcall function 00786C35: CloseHandle.KERNEL32(00000000,?,0078727B,?,00730EE4,?,?), ref: 00786C3F
              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00787281
              • LeaveCriticalSection.KERNEL32(?,?,00730EE4,?,?), ref: 00787288
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
              • String ID:
              • API String ID: 3495660284-0
              • Opcode ID: 91b2c7cd35ac62536f2fe4c8c9d5fed4ebd1dbc9ddbfea80becdad159f431893
              • Instruction ID: 2174be6014fd009612239c3a0dd3f8c39e6122e1c224bfb014a955c2dd4babc0
              • Opcode Fuzzy Hash: 91b2c7cd35ac62536f2fe4c8c9d5fed4ebd1dbc9ddbfea80becdad159f431893
              • Instruction Fuzzy Hash: 16F05E36580612EBD7622BA4ED4CAEE7739FF86702B104531F503910E0DB7E5801CB65
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0077899D
              • UnloadUserProfile.USERENV(?,?), ref: 007789A9
              • CloseHandle.KERNEL32(?), ref: 007789B2
              • CloseHandle.KERNEL32(?), ref: 007789BA
              • GetProcessHeap.KERNEL32(00000000,?), ref: 007789C3
              • HeapFree.KERNEL32(00000000), ref: 007789CA
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
              • String ID:
              • API String ID: 146765662-0
              • Opcode ID: 9ab8ec639aa8b211b20c3da97d477db76047b278b91c9a3feb2fd2e680dae82c
              • Instruction ID: 1e0f9e00f1c58845619aaaee6a4c18a825a487c4364254ba2885794ad36ff462
              • Opcode Fuzzy Hash: 9ab8ec639aa8b211b20c3da97d477db76047b278b91c9a3feb2fd2e680dae82c
              • Instruction Fuzzy Hash: 35E05276104505FFDB011FE5EC0C95ABF69FBCA762B508631F21981470CB3A9861DF58
              APIs
              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007B2C7C,?), ref: 007776EA
              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007B2C7C,?), ref: 00777702
              • CLSIDFromProgID.OLE32(?,?,00000000,007AFB80,000000FF,?,00000000,00000800,00000000,?,007B2C7C,?), ref: 00777727
              • _memcmp.LIBCMT ref: 00777748
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FromProg$FreeTask_memcmp
              • String ID: ,,{
              • API String ID: 314563124-821077388
              • Opcode ID: 82d6e85cda5e35b07252caaa982675004da55439b63232a100d19347df85bd86
              • Instruction ID: 1a264a3bb5224b316d39946f6d99de2f1f5cbf9f7e5f297a6d13a717ec9d5aa7
              • Opcode Fuzzy Hash: 82d6e85cda5e35b07252caaa982675004da55439b63232a100d19347df85bd86
              • Instruction Fuzzy Hash: 1D810B75A00109EFCF08DFA4C984EEEB7B9FF89355F208558E505AB250DB75AE06CB60
              APIs
              • VariantInit.OLEAUT32(?), ref: 00798613
              • CharUpperBuffW.USER32(?,?), ref: 00798722
              • VariantClear.OLEAUT32(?), ref: 0079889A
                • Part of subcall function 00787562: VariantInit.OLEAUT32(00000000), ref: 007875A2
                • Part of subcall function 00787562: VariantCopy.OLEAUT32(00000000,?), ref: 007875AB
                • Part of subcall function 00787562: VariantClear.OLEAUT32(00000000), ref: 007875B7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Variant$ClearInit$BuffCharCopyUpper
              • String ID: AUTOIT.ERROR$Incorrect Parameter format
              • API String ID: 4237274167-1221869570
              • Opcode ID: c9908db92141134454542961a0569c14c648a65c3ec3ef8845d6f71f6e91258d
              • Instruction ID: a89358e7b7fe910d7310a8bf04f9b0e5c24f3ec29f72353a0030dc7634dcde3e
              • Opcode Fuzzy Hash: c9908db92141134454542961a0569c14c648a65c3ec3ef8845d6f71f6e91258d
              • Instruction Fuzzy Hash: 70919F70608301DFCB40DF24D48495ABBF4EF8A714F14892EF98A8B362DB35E945CB92
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _memmove$_free
              • String ID: 3cs$_s
              • API String ID: 2620147621-944816363
              • Opcode ID: 12f00d24251fa76a1ec51fa7898df28480c8615f21e29221eb68ab40e19edd44
              • Instruction ID: 353d8154226009b2499e2dd679fdfcd58f90823960bfa041da5cfb0f038c5e39
              • Opcode Fuzzy Hash: 12f00d24251fa76a1ec51fa7898df28480c8615f21e29221eb68ab40e19edd44
              • Instruction Fuzzy Hash: C4515D71A043419FEB25CF28C440B6ABBF5BF85310F44492DE999C7352DB39E945CB82
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _memset$_memmove
              • String ID: 3cs$ERCP
              • API String ID: 2532777613-503592135
              • Opcode ID: 2181e902178b21c3e6679f6955dab7c6f9f6a91ff5ed27e3960a51425af60928
              • Instruction ID: 232dc5220e54fc0b056ca28959520a566f532a55447864a2daf384d0bc8ff03a
              • Opcode Fuzzy Hash: 2181e902178b21c3e6679f6955dab7c6f9f6a91ff5ed27e3960a51425af60928
              • Instruction Fuzzy Hash: 40519071A00705EBEB24DF65C8457ABB7F4BF04314F20857EE54ACB282E778AA44CB80
              APIs
              • GetWindowRect.USER32(00E2DC40,?), ref: 007A9863
              • ScreenToClient.USER32(00000002,00000002), ref: 007A9896
              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007A9903
              Strings
              Similarity
              • API ID: Window$ClientMoveRectScreen
              • String ID: P`
              • API String ID: 3880355969-2971936014
              APIs
              • _memset.LIBCMT ref: 007827C0
              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007827DC
              • DeleteMenu.USER32(?,00000007,00000000), ref: 00782822
              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007E5890,00000000), ref: 0078286B
              Strings
              Similarity
              • API ID: Menu$Delete$InfoItem_memset
              • String ID: 0
              • API String ID: 1173514356-4108050209
              APIs
              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007A88DE
              Strings
              Similarity
              • API ID: InvalidateRect
              • String ID: P`
              • API String ID: 634782764-2971936014
              APIs
              • ClientToScreen.USER32(?,?), ref: 007AAB60
              • GetWindowRect.USER32(?,?), ref: 007AABD6
              • PtInRect.USER32(?,?,007AC014), ref: 007AABE6
              • MessageBeep.USER32(00000000), ref: 007AAC57
              Strings
              Similarity
              • API ID: Rect$BeepClientMessageScreenWindow
              • String ID: P`
              • API String ID: 1352109105-2971936014
              APIs
              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0079D7C5
                • Part of subcall function 0072784B: _memmove.LIBCMT ref: 00727899
              Strings
              Similarity
              • API ID: BuffCharLower_memmove
              • String ID: cdecl$none$stdcall$winapi
              • API String ID: 3425801089-567219261
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC
              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00778F14
              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00778F27
              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00778F57
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
              Strings
              Similarity
              • API ID: MessageSend$_memmove$ClassName
              • String ID: ComboBox$ListBox
              • API String ID: 365058703-1403004172
              APIs
              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0079184C
              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00791872
              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007918A2
              • InternetCloseHandle.WININET(00000000), ref: 007918E9
                • Part of subcall function 00792483: GetLastError.KERNEL32(?,?,00791817,00000000,00000000,00000001), ref: 00792498
                • Part of subcall function 00792483: SetEvent.KERNEL32(?,?,00791817,00000000,00000000,00000001), ref: 007924AD
              Strings
              Similarity
              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
              • String ID:
              • API String ID: 3113390036-3916222277
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • GetCursorPos.USER32(?), ref: 007AC4D2
              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0075B9AB,?,?,?,?,?), ref: 007AC4E7
              • GetCursorPos.USER32(?), ref: 007AC534
              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0075B9AB,?,?,?), ref: 007AC56E
              Strings
              Similarity
              • API ID: Cursor$LongMenuPopupProcTrackWindow
              • String ID: P`
              • API String ID: 2864067406-2971936014
              APIs
                • Part of subcall function 00721D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00721D73
                • Part of subcall function 00721D35: GetStockObject.GDI32(00000011), ref: 00721D87
                • Part of subcall function 00721D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00721D91
              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007A6461
              • LoadLibraryW.KERNEL32(?), ref: 007A6468
              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007A647D
              • DestroyWindow.USER32(?), ref: 007A6485
              Strings
              Similarity
              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
              • String ID: SysAnimate32
              • API String ID: 4146253029-1011021900
              APIs
              • GetStdHandle.KERNEL32(0000000C), ref: 00786DBC
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00786DEF
              • GetStdHandle.KERNEL32(0000000C), ref: 00786E01
              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00786E3B
              Strings
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00786E89
              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00786EBB
              • GetStdHandle.KERNEL32(000000F6), ref: 00786ECC
              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00786F06
              Strings
              Similarity
              • API ID: CreateHandle$FilePipe
              • String ID: nul
              • API String ID: 4209266947-2873401336
              APIs
              • SetErrorMode.KERNEL32(00000001), ref: 0078AC54
              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0078ACA8
              • __swprintf.LIBCMT ref: 0078ACC1
              • SetErrorMode.KERNEL32(00000000,00000001,00000000,007AF910), ref: 0078ACFF
              Strings
              Similarity
              • API ID: ErrorMode$InformationVolume__swprintf
              • String ID: %lu
              • API String ID: 3164766367-685833217
              APIs
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0077FCED,?,00780D40,?,00008000), ref: 0078115F
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0077FCED,?,00780D40,?,00008000), ref: 00781184
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0077FCED,?,00780D40,?,00008000), ref: 0078118E
              • Sleep.KERNEL32(?,?,?,?,?,?,?,0077FCED,?,00780D40,?,00008000), ref: 007811C1
              Strings
              Similarity
              • API ID: CounterPerformanceQuerySleep
              • String ID: @x
              • API String ID: 2875609808-1688982417
              APIs
              • CharUpperBuffW.USER32(?,?), ref: 00781B19
              Strings
              Similarity
              • API ID: BuffCharUpper
              • String ID: APPEND$EXISTS$KEYS$REMOVE
              • API String ID: 3964851224-769500911
              APIs
              • GetSysColor.USER32(00000008), ref: 00722231
              • SetTextColor.GDI32(?,000000FF), ref: 0072223B
              • SetBkMode.GDI32(?,00000001), ref: 00722250
              • GetStockObject.GDI32(00000005), ref: 00722258
              • GetWindowDC.USER32(?,00000000), ref: 0075BE83
              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0075BE90
              • GetPixel.GDI32(00000000,?,00000000), ref: 0075BEA9
              • GetPixel.GDI32(00000000,00000000,?), ref: 0075BEC2
              • GetPixel.GDI32(00000000,?,?), ref: 0075BEE2
              • ReleaseDC.USER32(?,00000000), ref: 0075BEED
              Strings
              Similarity
              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
              • String ID: q0v
              • API String ID: 1946975507-2993000639
              APIs
              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0079EC07
              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0079EC37
              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0079ED6A
              • CloseHandle.KERNEL32(?), ref: 0079EDEB
              Similarity
              • API ID: Process$CloseCountersHandleInfoMemoryOpen
              • String ID:
              • API String ID: 2364364464-0
              APIs
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 007A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079FDAD,?,?), ref: 007A0E31
              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007A00FD
              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007A013C
              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007A0183
              • RegCloseKey.ADVAPI32(?,?), ref: 007A01AF
              • RegCloseKey.ADVAPI32(00000000), ref: 007A01BC
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
              • String ID:
              • API String ID: 3440857362-0
              • Opcode ID: 16027cf62125f855dbf2a93cac3a125ff2061c37f905e0db4a2a6da21ae103e4
              • Instruction ID: 09fe89e7ff6da8bb56ec8daf56aebf57dbae24537ee15b961b805ddd2980ddf4
              • Opcode Fuzzy Hash: 16027cf62125f855dbf2a93cac3a125ff2061c37f905e0db4a2a6da21ae103e4
              • Instruction Fuzzy Hash: 5A516C71208204EFD704EF64D885EAEB7E9FF85304F44892DF59587291DB39E944CB92
              APIs
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0079D927
              • GetProcAddress.KERNEL32(00000000,?), ref: 0079D9AA
              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0079D9C6
              • GetProcAddress.KERNEL32(00000000,?), ref: 0079DA07
              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0079DA21
                • Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00787896,?,?,00000000), ref: 00725A2C
                • Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00787896,?,?,00000000,?,?), ref: 00725A50
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
              • String ID:
              • API String ID: 327935632-0
              • Opcode ID: 2a84676e246ce94165793f610d40901340f6351976a80cb97cde721017638552
              • Instruction ID: 6181bc638834a1d81d8a2cc02c3b3977611d63ecb5e7664687bd141d754cc292
              • Opcode Fuzzy Hash: 2a84676e246ce94165793f610d40901340f6351976a80cb97cde721017638552
              • Instruction Fuzzy Hash: B9512675A00619DFCB10EFA8E4889ADB7B5FF19320B04C065E959AB312DB38AD45CF90
              APIs
              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0078E61F
              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0078E648
              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0078E687
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0078E6AC
              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0078E6B4
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
              • String ID:
              • API String ID: 1389676194-0
              • Opcode ID: 6105ac9e9159153dcc96dbcde4026d9d462b6608c77833279ac691cf43f3e4a9
              • Instruction ID: 330937d39ae028aa20254e9eb8aee83e44b02117035aa108a37861df08eab5a4
              • Opcode Fuzzy Hash: 6105ac9e9159153dcc96dbcde4026d9d462b6608c77833279ac691cf43f3e4a9
              • Instruction Fuzzy Hash: 9A513935A00215DFCB00EF64D985AADBBF5EF49310F1880A9E909AB361DB39ED10CB54
              APIs
              • GetCursorPos.USER32(?), ref: 00722357
              • ScreenToClient.USER32(007E57B0,?), ref: 00722374
               • GetAsyncKeyState.USER32(00000001(VK_LBUTTON)), ref: 00722399
               • GetAsyncKeyState.USER32(00000002(VK_RBUTTON)), ref: 007223A7
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AsyncState$ClientCursorScreen
              • String ID:
              • API String ID: 4210589936-0
              • Opcode ID: 4e59e948ea394488e33c71aad1dd5c6f5ffb06e946268904c6405ef95423cb7f
              • Instruction ID: 0d39107b67fa8223668e5064557727969464924b903be47133284776677609f7
              • Opcode Fuzzy Hash: 4e59e948ea394488e33c71aad1dd5c6f5ffb06e946268904c6405ef95423cb7f
              • Instruction Fuzzy Hash: 69418E35604219FFDF15DF68CC48AE9BBB4FB05361F20431AF828A22E2C7789954DB91
              APIs
               • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001(PM_REMOVE)), ref: 007763E7
              • TranslateAcceleratorW.USER32(?,?,?), ref: 00776433
              • TranslateMessage.USER32(?), ref: 0077645C
              • DispatchMessageW.USER32(?), ref: 00776466
               • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001(PM_REMOVE)), ref: 00776475
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Message$PeekTranslate$AcceleratorDispatch
              • String ID:
              • API String ID: 2108273632-0
              • Opcode ID: 471af4153fe5205a746e84c48931faa98ec4e149defac5d4e293ab8400964edd
              • Instruction ID: dddd0287bda6888a19e8f2a8ba3a412ed9dad68c6b960417fe2cfd3d525c5a0b
              • Opcode Fuzzy Hash: 471af4153fe5205a746e84c48931faa98ec4e149defac5d4e293ab8400964edd
              • Instruction Fuzzy Hash: E9310571901ACAEFDF24CFB0CC84BB67BACAB05384F14C165E529CA0A4E73D9944DB60
              APIs
              • GetWindowRect.USER32(?,?), ref: 00778A30
               • PostMessageW.USER32(?,00000201(WM_LBUTTONDOWN),00000001), ref: 00778ADA
              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00778AE2
               • PostMessageW.USER32(?,00000202(WM_LBUTTONUP),00000000), ref: 00778AF0
              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00778AF8
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessagePostSleep$RectWindow
              • String ID:
              • API String ID: 3382505437-0
              • Opcode ID: bf8de98d3930645bab73571d82e79bc4278be28cdddeec1e056b69a899cec1a9
              • Instruction ID: c55f28df355bf6a85613e20f7d8ce374b5aab700f2350b1035442a72164adbc2
              • Opcode Fuzzy Hash: bf8de98d3930645bab73571d82e79bc4278be28cdddeec1e056b69a899cec1a9
              • Instruction Fuzzy Hash: FF31E071500219EBDF14CFA8DD4CA9E3BB5EB45315F11C22AF928EA2D0C7B89910CB91
              APIs
              • IsWindowVisible.USER32(?), ref: 0077B204
               • SendMessageW.USER32(?,0000000E(WM_GETTEXTLENGTH),00000000,00000000), ref: 0077B221
               • SendMessageW.USER32(?,0000000D(WM_GETTEXT),00000001,00000000), ref: 0077B259
              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0077B27F
              • _wcsstr.LIBCMT ref: 0077B289
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
              • String ID:
              • API String ID: 3902887630-0
              • Opcode ID: c377abfa810cabb5a45beb3739e868dc9e884bfb8cc3a92d4bd8ad7924dcabd1
              • Instruction ID: 7d4d6d605a1603b165077b921689deb817d21f4dbf770cdf267bf29f4b6a4543
              • Opcode Fuzzy Hash: c377abfa810cabb5a45beb3739e868dc9e884bfb8cc3a92d4bd8ad7924dcabd1
              • Instruction Fuzzy Hash: 9221F571605204BAEF155B759C09F7F7B98EF8A7A0F00C13DF908DA162EF799C4096A0
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • GetWindowLongW.USER32(?,000000F0), ref: 007AB192
              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007AB1B7
              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007AB1CF
               • GetSystemMetrics.USER32(00000004(SM_CYCAPTION)), ref: 007AB1F8
               • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047(SWP_NOSIZE|SWP_NOMOVE|SWP_NOZORDER|SWP_SHOWWINDOW),?,?,?,?,?,?,?,00790E90,00000000), ref: 007AB216
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$Long$MetricsSystem
              • String ID:
              • API String ID: 2294984445-0
              • Opcode ID: 8525cee74c56b0e537df2f5695cc47c39af564e4811d3ccb0b46917046cfec81
              • Instruction ID: 4141f05d845fc145c2edc2d536b0a893534dc8fb82356863aeac8171eea95b82
              • Opcode Fuzzy Hash: 8525cee74c56b0e537df2f5695cc47c39af564e4811d3ccb0b46917046cfec81
              • Instruction Fuzzy Hash: FD218071A11665AFCB109F78DC54B6A37A4FB8A321F108739F922D71E1E7389C609B90
              APIs
               • SendMessageW.USER32(?,00001004(LVM_GETITEMCOUNT),00000000,00000000), ref: 00779320
                 • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
               • SendMessageW.USER32(?,0000102C(LVM_GETITEMSTATE),00000000,00000002(LVIS_SELECTED)), ref: 00779352
               • __itow.LIBCMT ref: 0077936A
               • SendMessageW.USER32(?,0000102C(LVM_GETITEMSTATE),00000000,00000002(LVIS_SELECTED)), ref: 00779392
              • __itow.LIBCMT ref: 007793A3
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$__itow$_memmove
              • String ID:
              • API String ID: 2983881199-0
              • Opcode ID: d6f25b8e6d3e87df3349a2978afd191c1ecc4732eda4fc3f2c33aa3e007b7034
              • Instruction ID: 1a85cc57ef1b384f1a60bb015cb2c3eecce355d6164850f24b4887b18dd7af78
              • Opcode Fuzzy Hash: d6f25b8e6d3e87df3349a2978afd191c1ecc4732eda4fc3f2c33aa3e007b7034
              • Instruction Fuzzy Hash: 4521D731702218EBDF109EA49C89EEE7BADEB89751F048025FE09D71D1D6B8CD51C7A1
              APIs
              • IsWindow.USER32(00000000), ref: 00795A6E
              • GetForegroundWindow.USER32 ref: 00795A85
              • GetDC.USER32(00000000), ref: 00795AC1
              • GetPixel.GDI32(00000000,?,00000003), ref: 00795ACD
              • ReleaseDC.USER32(00000000,00000003), ref: 00795B08
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$ForegroundPixelRelease
              • String ID:
              • API String ID: 4156661090-0
              • Opcode ID: c3e0fd5b1120e4851ecf9ec3cf2a49b4c514328f1e903e966280e39f869a8f13
              • Instruction ID: 11d7a2a2e818e4a2b20ec0505d3f9f5c0c9e3f9d1055e3402eb75193daf36e65
              • Opcode Fuzzy Hash: c3e0fd5b1120e4851ecf9ec3cf2a49b4c514328f1e903e966280e39f869a8f13
              • Instruction Fuzzy Hash: DE218075A00114EFDB14EFA4DC88A5ABBF5EF89310F14C079E949D7352CA38AC00CB54
              APIs
              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0072134D
              • SelectObject.GDI32(?,00000000), ref: 0072135C
              • BeginPath.GDI32(?), ref: 00721373
              • SelectObject.GDI32(?,00000000), ref: 0072139C
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ObjectSelect$BeginCreatePath
              • String ID:
              • API String ID: 3225163088-0
              • Opcode ID: b45b985aa1ead43770876ffafa9ee94e54fdcfd1b6fc78015f78345b809bc16e
              • Instruction ID: 8a45ab6325c44a8cb77014666c60bce93c87ac41313a2277b5a1e528deb1b0e8
              • Opcode Fuzzy Hash: b45b985aa1ead43770876ffafa9ee94e54fdcfd1b6fc78015f78345b809bc16e
              • Instruction Fuzzy Hash: 50216D3080165CEFDB10CF65EC8476A7BA9FB14325F548226F8109A5B1D3BD9891DF98
              APIs
              • GetCurrentThreadId.KERNEL32 ref: 00784ABA
              • __beginthreadex.LIBCMT ref: 00784AD8
              • MessageBoxW.USER32(?,?,?,?), ref: 00784AED
              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00784B03
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00784B0A
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
              • String ID:
              • API String ID: 3824534824-0
              • Opcode ID: e1ba3418a4ec3a661c2bb8ca24e1304c1ceef42cd5edead9640f266d194fbb92
              • Instruction ID: a5210f0951c7bc283edd7d1e6ec0792d72a86bff0e1ba99822e392798018d4c5
              • Opcode Fuzzy Hash: e1ba3418a4ec3a661c2bb8ca24e1304c1ceef42cd5edead9640f266d194fbb92
              • Instruction Fuzzy Hash: FC112BB6905259BFCB009FA8DC48A9B7FACFB89324F148269F914D7250D7BDCD0087A5
              APIs
               • GetUserObjectSecurity.USER32(?,00000004(DACL_SECURITY_INFORMATION),?,00000000,?), ref: 0077821E
              • GetLastError.KERNEL32(?,00777CE2,?,?,?), ref: 00778228
              • GetProcessHeap.KERNEL32(00000008,?,?,00777CE2,?,?,?), ref: 00778237
              • HeapAlloc.KERNEL32(00000000,?,00777CE2,?,?,?), ref: 0077823E
               • GetUserObjectSecurity.USER32(?,00000004(DACL_SECURITY_INFORMATION),00000000,?,?), ref: 00778255
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
              • String ID:
              • API String ID: 842720411-0
              • Opcode ID: 6d61c38ebe6f51170541f5ef83fd911e4c0999bcc4638ebb5b59798185e32da9
              • Instruction ID: d78e60eca59dc5f6e2086b576fcb02086ba5a1c83b8acb8d7fb697758b729c23
              • Opcode Fuzzy Hash: 6d61c38ebe6f51170541f5ef83fd911e4c0999bcc4638ebb5b59798185e32da9
              • Instruction Fuzzy Hash: B5016971380208BFDF204FA6DC4CD6B7BACFF8A796B508569F809C2220DA358C00CA61
              APIs
              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?,?,00777455), ref: 00777127
              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 00777142
              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 00777150
              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?), ref: 00777160
              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00777044,80070057,?,?), ref: 0077716C
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: From$Prog$FreeStringTasklstrcmpi
              • String ID:
              • API String ID: 3897988419-0
              • Opcode ID: 511cf77429d5e06ffdfe38bbed13de9f9fd820f46798c03d723425e97a5671f1
              • Instruction ID: f43ec4d84ff9f144acd7dabe0c734002e59a2cbe7a0653f17e93af1a119c42ab
              • Opcode Fuzzy Hash: 511cf77429d5e06ffdfe38bbed13de9f9fd820f46798c03d723425e97a5671f1
              • Instruction Fuzzy Hash: AA01BC76600208ABCF184FA4DC44AAA7BACEB857A1F108174FD08D6220DB39DD00DBA0
              APIs
              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00785260
              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0078526E
              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00785276
              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00785280
              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007852BC
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: PerformanceQuery$CounterSleep$Frequency
              • String ID:
              • API String ID: 2833360925-0
              • Opcode ID: f80e939c5f4456ad9e77a2601ad7acb8a0e6df6732cf5888c442bbbb8c36a69f
              • Instruction ID: 34019f878774bfe47ff2915b54c86a9a255a156bb4dad4f756b122cf719b184f
              • Opcode Fuzzy Hash: f80e939c5f4456ad9e77a2601ad7acb8a0e6df6732cf5888c442bbbb8c36a69f
              • Instruction Fuzzy Hash: D2015771D41A2DDBCF00EFE4E848AEDBB78FB4D311F404166E981B2140CF3859548BA5
              APIs
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00778121
              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0077812B
              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0077813A
              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00778141
              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00778157
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: HeapInformationToken$AllocErrorLastProcess
              • String ID:
              • API String ID: 44706859-0
              • Opcode ID: 77740d075ce535ec01d442c5f22ae05a24943ccb06234176cc948eb2f056d84a
              • Instruction ID: 23728d51d4ab55f2f00ad92c8d6389b8b30e3302d0b1df5673957a5d63858597
              • Opcode Fuzzy Hash: 77740d075ce535ec01d442c5f22ae05a24943ccb06234176cc948eb2f056d84a
              • Instruction Fuzzy Hash: B4F04F71340308AFEB511FA5EC8CE673BACEF8A799B408039F949C6150CF699D41DA61
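The function records above are raw per-function API sequences; several of them are the concrete evidence behind behaviour signatures of this kind: the QueryPerformanceCounter/Sleep pair (execution timing), LoadLibraryW/GetProcAddress/FreeLibrary (dynamic API resolution), GetTokenInformation with TokenIntegrityLevel (integrity-level query), RegOpenKeyExW/RegEnumKeyExW (registry key enumeration) and the WM_LBUTTONDOWN/WM_LBUTTONUP pair posted via PostMessageW (a synthesised mouse click). The script below is an added triage example, not Joe Sandbox code: it parses records in the layout visible on this page (an "APIs" header, bullet lines of the form `Name.MODULE(args), ref: addr`, optionally prefixed with "Part of subcall function", terminated by "Memory Dump Source") and flags those patterns. The record layout is inferred from the text, the rule labels are this example's own, and the sample input is constructed from three of the records above. One caveat a practitioner should keep in mind: sequences such as GetPrivateProfileSection, GetPixel, the ListView LVM_ queries and the posted click are standard library routines of an interpreter runtime, so a rule hit records a capability present in the binary, not behaviour observed at run time.

```python
"""Triage Joe Sandbox per-function API records: parse the "APIs ... Memory Dump Source"
blocks and flag capability patterns. Added example, not Joe Sandbox code; the record
layout is inferred from the report text and the rule labels are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line: optional "Part of subcall function <addr>:" prefix, Name.MODULE, optional
# "(args)" (an arg may carry an annotation such as 00000003(TokenIntegrityLevel)), then "ref: <addr>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[str] = None  # set when the line is "Part of subcall function ..."

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def direct(self) -> List[ApiCall]:
        """Calls made by the function itself, excluding those attributed to callees."""
        return [c for c in self.calls if c.subcall_of is None]

def parse_records(text: str) -> List[FunctionRecord]:
    """Each record starts at an "APIs" header and ends at "Memory Dump Source"."""
    records, cur = [], None
    for line in text.splitlines():
        key = line.strip()
        if key == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif key == "Memory Dump Source":
            cur = None
        elif cur is not None:
            m = CALL_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
    return records

def _has(calls, *names):
    present = {c.name for c in calls}
    return all(n in present for n in names)

def _arg_has(calls, name, needle):
    # substring match so both "00000201" and an annotated "00000201(WM_LBUTTONDOWN)" hit
    return any(c.name == name and any(needle in a for a in c.args) for c in calls)

# Rules for the patterns present in the records on this page (labels are this example's own).
RULES = {
    "execution-timing": lambda c: _has(c, "QueryPerformanceCounter", "Sleep"),
    "dynamic-api-resolution": lambda c: _has(c, "GetProcAddress")
        and (_has(c, "LoadLibraryW") or _has(c, "LoadLibraryA")),
    "token-integrity-query": lambda c: _arg_has(c, "GetTokenInformation", "TokenIntegrityLevel"),
    "registry-key-enumeration": lambda c: _has(c, "RegOpenKeyExW", "RegEnumKeyExW"),
    # WM_LBUTTONDOWN (0x201) and WM_LBUTTONUP (0x202) posted to a window: a synthesised click
    "synthetic-mouse-click": lambda c: _arg_has(c, "PostMessageW", "00000201")
        and _arg_has(c, "PostMessageW", "00000202"),
}

def classify(record: FunctionRecord, include_subcalls: bool = False) -> List[str]:
    calls = record.calls if include_subcalls else record.direct
    return sorted(label for label, pred in RULES.items() if pred(calls))

def triage(text: str, include_subcalls: bool = False):
    """Return [(first call-site address, [labels])] for each record that hits a rule."""
    hits = []
    for rec in parse_records(text):
        labels = classify(rec, include_subcalls)
        if labels and rec.direct:
            hits.append((f"{rec.direct[0].ref:08X}", labels))
    return hits

# Constructed input in the report's layout, built from three of the records on this page.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000), ref: 00785260
• Sleep.KERNEL32(00000000), ref: 00785276
• QueryPerformanceCounter.KERNEL32(?), ref: 00785280
Memory Dump Source
APIs
  • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
• LoadLibraryW.KERNEL32(?,?,?,00000000), ref: 0079D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0079D9AA
• FreeLibrary.KERNEL32(00000000,?), ref: 0079DA21
Memory Dump Source
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00778121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0077812B
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00778141
Memory Dump Source
"""

if __name__ == "__main__":
    for addr, labels in triage(SAMPLE):
        print(addr, ", ".join(labels))
```

By default only a function's own calls are matched; pass `include_subcalls=True` to also count the calls the report attributes to callees ("Part of subcall function"), which widens hits but blurs which function actually owns the behaviour. Values parsed from the args field are kept as the report's strings (the "?" placeholders and stack residue included), so rules that need an argument match on the value rather than on position.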
              APIs
              • GetDlgItem.USER32(?,000003E9), ref: 0077C1F7
              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0077C20E
               • MessageBeep.USER32(00000000(MB_OK)), ref: 0077C226
              • KillTimer.USER32(?,0000040A), ref: 0077C242
              • EndDialog.USER32(?,00000001), ref: 0077C25C
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: BeepDialogItemKillMessageTextTimerWindow
              • String ID:
              • API String ID: 3741023627-0
              APIs
              • EndPath.GDI32(?), ref: 007213BF
              • StrokeAndFillPath.GDI32(?,?,0075B888,00000000,?), ref: 007213DB
              • SelectObject.GDI32(?,00000000), ref: 007213EE
              • DeleteObject.GDI32 ref: 00721401
              • StrokePath.GDI32(?), ref: 0072141C
              Similarity
              • API ID: Path$ObjectStroke$DeleteFillSelect
              • String ID:
              • API String ID: 2625713937-0
              APIs
              • CoInitialize.OLE32(00000000), ref: 0078C432
              • CoCreateInstance.OLE32(007B2D6C,00000000,00000001,007B2BDC,?), ref: 0078C44A
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
              • CoUninitialize.OLE32 ref: 0078C6B7
              Similarity
              • API ID: CreateInitializeInstanceUninitialize_memmove
              • String ID: .lnk
              • API String ID: 2683427295-24824748
              APIs
                • Part of subcall function 00740DB6: std::exception::exception.LIBCMT ref: 00740DEC
                • Part of subcall function 00740DB6: __CxxThrowException@8.LIBCMT ref: 00740E01
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 00727A51: _memmove.LIBCMT ref: 00727AAB
              • __swprintf.LIBCMT ref: 00732ECD
              Strings
              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00732D66
              Similarity
              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
              • API String ID: 1943609520-557222456
              APIs
                • Part of subcall function 00724750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00724743,?,?,007237AE,?), ref: 00724770
              • CoInitialize.OLE32(00000000), ref: 0078B9BB
              • CoCreateInstance.OLE32(007B2D6C,00000000,00000001,007B2BDC,?), ref: 0078B9D4
              • CoUninitialize.OLE32 ref: 0078B9F1
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              Similarity
              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
              • String ID: .lnk
              • API String ID: 2126378814-24824748
              APIs
              • OleSetContainedObject.OLE32(?,00000001), ref: 0077B4BE
              Similarity
              • API ID: ContainedObject
              • String ID: AutoIt3GUI$Container$%{
              • API String ID: 3565006973-901144802
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 007450AD
                • Part of subcall function 007500F0: __87except.LIBCMT ref: 0075012B
              Similarity
              • API ID: ErrorHandling__87except__start
              • String ID: pow
              • API String ID: 2905807303-2276729525
              Similarity
              • API ID: _memmove
              • String ID: 3cs$_s
              • API String ID: 4104443479-944816363
              APIs
              • BeginPath.GDI32(00000000), ref: 0072154C
              • PolyDraw.GDI32(00000000,00000002,?,?), ref: 007215C3
              • PolyDraw.GDI32(00000000,00000002,00000810,?), ref: 00721602
              Similarity
              • API ID: DrawPoly$BeginPath
              • String ID: 0v
              • API String ID: 695094842-4066190830
              APIs
                • Part of subcall function 007814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00779296,?,?,00000034,00000800,?,00000034), ref: 007814E6
              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0077983F
                • Part of subcall function 00781487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007814B1
                • Part of subcall function 007813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00781409
                • Part of subcall function 007813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0077925A,00000034,?,?,00001004,00000000,00000000), ref: 00781419
                • Part of subcall function 007813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0077925A,00000034,?,?,00001004,00000000,00000000), ref: 0078142F
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007798AC
              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007798F9
              Similarity
              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
              • String ID: @
              • API String ID: 4150878124-2766056989
              APIs
              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007AF910,00000000,?,?,?,?), ref: 007A79DF
              • GetWindowLongW.USER32 ref: 007A79FC
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A7A0C
              Similarity
              • API ID: Window$Long
              • String ID: SysTreeView32
              • API String ID: 847901565-1698111956
              APIs
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 007A7B61
              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A7B76
              Similarity
              • API ID: MessageSend
              • String ID: '$P`
              • API String ID: 3850602802-2085440863
              APIs
              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007A7461
              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007A7475
              • SendMessageW.USER32(?,00001002,00000000,?), ref: 007A7499
              Similarity
              • API ID: MessageSend$Window
              • String ID: SysMonthCal32
              • API String ID: 2326795674-1439706946
              APIs
              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007A6D3B
              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007A6D4B
              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007A6D70
              Similarity
              • API ID: MessageSend$MoveWindow
              • String ID: Listbox
              • API String ID: 3315199576-2633736733
              APIs
              • __snwprintf.LIBCMT ref: 00793A66
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
              Similarity
              • API ID: __snwprintf_memmove
              • String ID: , $$AUTOITCALLVARIABLE%d$%{
              • API String ID: 3506404897-390091804
              APIs
              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007A7772
              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007A7787
              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007A7794
              Similarity
              • API ID: MessageSend
              • String ID: msctls_trackbar32
              • API String ID: 3850602802-1010561917
              Similarity
              • API ID: __calloc_crt
              • String ID: }$@B~
              • API String ID: 3494438863-1696300617
              APIs
              • GetForegroundWindow.USER32(?,007E57B0,007AD809,000000FC,?,00000000,00000000,?,?,?,0075B969,?,?,?,?,?), ref: 007AACD1
              • GetFocus.USER32 ref: 007AACD9
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
                • Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC
              • SendMessageW.USER32(00E2DC40,000000B0,000001BC,000001C0), ref: 007AAD4B
              Similarity
              • API ID: Window$Long$FocusForegroundMessageSend
              • String ID: P`
              • API String ID: 3601265619-2971936014
              APIs
              • GetSystemDirectoryW.KERNEL32(?), ref: 00761775
                • Part of subcall function 0079BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0076195E,?), ref: 0079BFFE
                • Part of subcall function 0079BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0079C010
              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0076196D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Library$AddressDirectoryFreeLoadProcSystem
              • String ID: WIN_XPe$d
              • API String ID: 582185067-47553282
              • Opcode ID: 3edf571bde32716c041d56d295323564bd27dbb1b7c655b4a2638859bc2795dd
              • Instruction ID: 1e6873b4c8943e3a21fe24ab3881b3f248318f06f3413ea793dd856ae03ca168
              • Opcode Fuzzy Hash: 3edf571bde32716c041d56d295323564bd27dbb1b7c655b4a2638859bc2795dd
              • Instruction Fuzzy Hash: 08F0E571801109DFDB15DBA1DAC8AECBBF8BB58301FA84095E503A70A0D7799F84DF64
              APIs
              • __lock.LIBCMT ref: 00749B94
                • Part of subcall function 00749C0B: __mtinitlocknum.LIBCMT ref: 00749C1D
                • Part of subcall function 00749C0B: EnterCriticalSection.KERNEL32(00000000,?,00749A7C,0000000D), ref: 00749C36
              • __updatetlocinfoEx_nolock.LIBCMT ref: 00749BA4
                • Part of subcall function 00749100: ___addlocaleref.LIBCMT ref: 0074911C
                • Part of subcall function 00749100: ___removelocaleref.LIBCMT ref: 00749127
                • Part of subcall function 00749100: ___freetlocinfo.LIBCMT ref: 0074913B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
              • String ID: 8}$8}
              • API String ID: 547918592-1526444488
              • Opcode ID: 133b53c991ca17357dc965adb72e12632c9ce6b7ab5146e4fa4be1bfed77ff01
              • Instruction ID: 2e9f0f6e6ffe692ae581df950854e3f94f9226c5f60e8d1b5a8d51e06ba9123f
              • Opcode Fuzzy Hash: 133b53c991ca17357dc965adb72e12632c9ce6b7ab5146e4fa4be1bfed77ff01
              • Instruction Fuzzy Hash: C8E08CF1983708FAEA92BBE4690BF1E2770AB00B21F20415BF155595C1CF7C2400C62B
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00724B83,?), ref: 00724C44
              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00724C56
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-1355242751
              • Opcode ID: 1a090bbe50735bb416a82acade521d006238f57430e08ad4df9eedaea3a89ee7
              • Instruction ID: b596d3b5993d1e108fbbb640d82a6473dc06d10ef82f3ced14c32e321e299b06
              • Opcode Fuzzy Hash: 1a090bbe50735bb416a82acade521d006238f57430e08ad4df9eedaea3a89ee7
              • Instruction Fuzzy Hash: 88D0C7B0500B23CFC7209FB5E80821A72E6AF02341B20C83AE492E6260E678C8C0CA20
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,?,00724BD0,?,00724DEF,?,007E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00724C11
              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00724C23
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
              • API String ID: 2574300362-3689287502
              • Opcode ID: 13687aeba9cafec2f18a1115bff97af6d96f5e06e4ed155d91714e6f9ed1bad7
              • Instruction ID: 14cafdb498f403c6a9a448b80ac14be438ee883305dbc5053e976471d6eb281c
              • Opcode Fuzzy Hash: 13687aeba9cafec2f18a1115bff97af6d96f5e06e4ed155d91714e6f9ed1bad7
              • Instruction Fuzzy Hash: 61D01270511723CFD720AFB5ED48646B6E6EF4A352B11CC3AD486D6150E6B8D4C0C664
              APIs
              • LoadLibraryA.KERNEL32(advapi32.dll,?,007A1039), ref: 007A0DF5
              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007A0E07
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: RegDeleteKeyExW$advapi32.dll
              • API String ID: 2574300362-4033151799
              • Opcode ID: 85931ddb89a5ef378a15bda1907c9f8f24f3846145c74960307f103b82515c90
              • Instruction ID: 75766b6928d4264527ca2d0c4ec988dceb082b97f83e74286c150abd5cbf68db
              • Opcode Fuzzy Hash: 85931ddb89a5ef378a15bda1907c9f8f24f3846145c74960307f103b82515c90
              • Instruction Fuzzy Hash: 97D0C270440316CFC3206FB0D80824276E5AF52341F00CC7ED582C2290D6B8D4A0C644
              APIs
              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00798CF4,?,007AF910), ref: 007990EE
              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00799100
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetModuleHandleExW$kernel32.dll
              • API String ID: 2574300362-199464113
              • Opcode ID: 916181810b8ad321dcb4d5ce654821d5e2f99a5c97a198ee25417fe020d11d5a
              • Instruction ID: 04d179c2c9c3feaeb36933fccbf32f7f8c1583dc343790c80f73902d85d985f3
              • Opcode Fuzzy Hash: 916181810b8ad321dcb4d5ce654821d5e2f99a5c97a198ee25417fe020d11d5a
              • Instruction Fuzzy Hash: 38D0C270550717CFDB209F75D80820272F5AF02342B15CC3ED481C2150E678C480C650
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: LocalTime__swprintf
              • String ID: %.3d$WIN_XPe
              • API String ID: 2070861257-2409531811
              • Opcode ID: 0ad7af6990aa732a19755243038d9a3b3a5189f6d711996af3dfb574309c8a9f
              • Instruction ID: 46ff38917f0eda972491a0b18513ba5f5cee962d2f3a56f643c26c4f40183384
              • Opcode Fuzzy Hash: 0ad7af6990aa732a19755243038d9a3b3a5189f6d711996af3dfb574309c8a9f
              • Instruction Fuzzy Hash: ACD017B1804119EACB409A90988C8BD737CAB19301FA80462F90BE2080E23E9B94EB21
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f5c00832fcf44a9dc9afa6ab8f663f683bde5aa465eb5d883c4583b7ef3bb5c
              • Instruction ID: eee69dac7ff18c6180029741d0976e1e3fa9106e8257c56e4654cbe877dfd9cf
              • Opcode Fuzzy Hash: 1f5c00832fcf44a9dc9afa6ab8f663f683bde5aa465eb5d883c4583b7ef3bb5c
              • Instruction Fuzzy Hash: 98C17E74A04216EFCF18CFA4C884EAEBBB5FF48754B158598E809EB251D734ED81DB90
              APIs
              • CharLowerBuffW.USER32(?,?), ref: 0079E0BE
              • CharLowerBuffW.USER32(?,?), ref: 0079E101
                • Part of subcall function 0079D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0079D7C5
              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0079E301
              • _memmove.LIBCMT ref: 0079E314
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: BuffCharLower$AllocVirtual_memmove
              • String ID:
              • API String ID: 3659485706-0
              • Opcode ID: 4a28319d73e34126e86e6a01376a1bc7d09c321afe7fb04a006680880aea783b
              • Instruction ID: 170da52f3819815f889e1bfa8992ebcff78389b1d605886d308e9cdc534ed973
              • Opcode Fuzzy Hash: 4a28319d73e34126e86e6a01376a1bc7d09c321afe7fb04a006680880aea783b
              • Instruction Fuzzy Hash: AAC17971A08311DFCB04DF28D484A6ABBE4FF89714F04896EF9999B351D734E946CB82
              APIs
              • CoInitialize.OLE32(00000000), ref: 007980C3
              • CoUninitialize.OLE32 ref: 007980CE
                • Part of subcall function 0077D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0077D5D4
              • VariantInit.OLEAUT32(?), ref: 007980D9
              • VariantClear.OLEAUT32(?), ref: 007983AA
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
              • String ID:
              • API String ID: 780911581-0
              • Opcode ID: 6b903381018578ef3abbadbcba6f1ecb079945868d0842ffe0a2f8e8ca17712d
              • Instruction ID: 5a7490938cc3746c2256026d904ad674199aca83b318ec744a8bf8bc42a2fdbe
              • Opcode Fuzzy Hash: 6b903381018578ef3abbadbcba6f1ecb079945868d0842ffe0a2f8e8ca17712d
              • Instruction Fuzzy Hash: 01A15975604711DFCB40DF64D485A2AB7E4BF8A714F08844CFA969B3A1CB38EC44CB86
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Variant$AllocClearCopyInitString
              • String ID:
              • API String ID: 2808897238-0
              • Opcode ID: c1cbf54b496683df70cb58fef55538c032519c89d4a93e41ba0c2eccaf50a43c
              • Instruction ID: c89ca8f1d24904b3d86e5c861641cc6d50cd71c906d8358bea92b77194657b04
              • Opcode Fuzzy Hash: c1cbf54b496683df70cb58fef55538c032519c89d4a93e41ba0c2eccaf50a43c
              • Instruction Fuzzy Hash: C951D374704B01DACF24AF65D895A3AB3E5AF45390F24C81FE68EDB295DB3CD8808B45
              APIs
              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00779AD2
              • __itow.LIBCMT ref: 00779B03
                • Part of subcall function 00779D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00779DBE
              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00779B6C
              • __itow.LIBCMT ref: 00779BC3
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend$__itow
              • String ID:
              • API String ID: 3379773720-0
              • Opcode ID: f9f3b9d6e25480ea2b948dbae3013541eed12d58636206cd3e7e4c8fd975ad19
              • Instruction ID: d549ff660d9e3aaea7d6b332cf8fde3c6c1af0c5f29368aa7e2c45aa7596e185
              • Opcode Fuzzy Hash: f9f3b9d6e25480ea2b948dbae3013541eed12d58636206cd3e7e4c8fd975ad19
              • Instruction Fuzzy Hash: 2741B3B0A01218EBDF25DF54D849FFE7BB9EF45750F004069FA09A3291DB789944CBA1
              APIs
              • socket.WSOCK32(00000002,00000002,00000011), ref: 007969D1
              • WSAGetLastError.WSOCK32(00000000), ref: 007969E1
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00796A45
              • WSAGetLastError.WSOCK32(00000000), ref: 00796A51
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ErrorLast$__itow__swprintfsocket
              • String ID:
              • API String ID: 2214342067-0
              • Opcode ID: 6a7123ccc75b0debe4e705b9d91e0bd9965b672a5093afe774ce2d8d8d484057
              • Instruction ID: 47843c4f6c95f33088e3209c11923677a658788ac85bad9590773acb6e8e88ea
              • Opcode Fuzzy Hash: 6a7123ccc75b0debe4e705b9d91e0bd9965b672a5093afe774ce2d8d8d484057
              • Instruction Fuzzy Hash: DB41C375700210AFEB60AF64EC8AF3A77E4DF04B10F48C158FA19AF2C2DA799D008795
              APIs
              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007AF910), ref: 007964A7
              • _strlen.LIBCMT ref: 007964D9
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _strlen
              • String ID:
              • API String ID: 4218353326-0
              • Opcode ID: ad628f23cc82b0a3003e5bc1a7258827ce80e0648acdc900b95931d602afe4c6
              • Instruction ID: 74ba80af74fedd53efc5510a76fbcf274f0c2786c4345bf8c53f639fb0c1dcdd
              • Opcode Fuzzy Hash: ad628f23cc82b0a3003e5bc1a7258827ce80e0648acdc900b95931d602afe4c6
              • Instruction Fuzzy Hash: F041C471A00114EFCF14EBA8FC99EAEB7B9AF44310F148255F91997296DB38EE50CB50
              APIs
              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0078B89E
              • GetLastError.KERNEL32(?,00000000), ref: 0078B8C4
              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0078B8E9
              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0078B915
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CreateHardLink$DeleteErrorFileLast
              • String ID:
              • API String ID: 3321077145-0
              • Opcode ID: b077783006f1a97cc82294c7ac150ee9b99f44aed2bd8050b4b9a19c5104df06
              • Instruction ID: 325508ebc8f88db4f5bd7412a388057674145eb9d4965f0a24067cc5b79752ac
              • Opcode Fuzzy Hash: b077783006f1a97cc82294c7ac150ee9b99f44aed2bd8050b4b9a19c5104df06
              • Instruction Fuzzy Hash: 1E412939600620DFCB10EF55D488A5DBBE1EF8A310F098098ED4A9B362CB38FD41CB95
              APIs
              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00780B27
              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00780B43
              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00780BA9
              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00780BFB
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 5e7be5571c34a94f6f1112d8e2b521af8040db9995b9f58aab6fc75be6df96dd
              • Instruction ID: e890d3bb94f1f8f5c8ff8d0eaa1c7378ab1d2fab8d481ca046b7d76779abe666
              • Opcode Fuzzy Hash: 5e7be5571c34a94f6f1112d8e2b521af8040db9995b9f58aab6fc75be6df96dd
              • Instruction Fuzzy Hash: 4E315CB0DC0608AFFF71AB658C09BF9BFA5AB45324F04825AF490521D1C37C895897E5
              APIs
              • GetKeyboardState.USER32(?,76BFC520,?,00008000), ref: 00780C66
              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00780C82
              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00780CE1
              • SendInput.USER32(00000001,?,0000001C,76BFC520,?,00008000), ref: 00780D33
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: KeyboardState$InputMessagePostSend
              • String ID:
              • API String ID: 432972143-0
              • Opcode ID: 658d66f5f1ce67c0433f1eac005fb616eee592688f738f4121a477a48d800fdb
              • Instruction ID: ffea89463665f94a2732f3f8bd6c9efaf69bf653d39ab1a05549d1ee64a7fff1
              • Opcode Fuzzy Hash: 658d66f5f1ce67c0433f1eac005fb616eee592688f738f4121a477a48d800fdb
              • Instruction Fuzzy Hash: DA315830A80208AEFF70AFA5CC087FEBB66AB85320F04871AE484521D1C33D995997F1
              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007561FB
              • __isleadbyte_l.LIBCMT ref: 00756229
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00756257
              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0075628D
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID:
              • API String ID: 3058430110-0
              • Opcode ID: 94af2bec6a77caf4414708babbbe21221c28f35c8145b1e9acd55a154a5ba088
              • Instruction ID: b492e88bad5d409e5c8ac43f383a0baebc7fa91ddc4daaeb17f3ccf8524ff56c
              • Opcode Fuzzy Hash: 94af2bec6a77caf4414708babbbe21221c28f35c8145b1e9acd55a154a5ba088
              • Instruction Fuzzy Hash: 0C31C03060424AEFDF218F65CC48BBA7BA9FF41312F554128EC64871A1EBB9D954DB90
              APIs
              • GetForegroundWindow.USER32 ref: 007A4F02
                • Part of subcall function 00783641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0078365B
                • Part of subcall function 00783641: GetCurrentThreadId.KERNEL32 ref: 00783662
                • Part of subcall function 00783641: AttachThreadInput.USER32(00000000,?,00785005), ref: 00783669
              • GetCaretPos.USER32(?), ref: 007A4F13
              • ClientToScreen.USER32(00000000,?), ref: 007A4F4E
              • GetForegroundWindow.USER32 ref: 007A4F54
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
              • String ID:
              • API String ID: 2759813231-0
              • Opcode ID: 3315f082b2395857c05332062d2fbe2cfb9ed43e936273e21f513381092b64f1
              • Instruction ID: 601fa21dfd76d2815cc7c2797eeb107bf6665a4180dbf6eb1213397031c8b764
              • Opcode Fuzzy Hash: 3315f082b2395857c05332062d2fbe2cfb9ed43e936273e21f513381092b64f1
              • Instruction Fuzzy Hash: 1E313071D00118AFDB04EFA9D885DEFB7F9EF89300F14446AE515E7201EA799E058BA1
              APIs
                 • Part of subcall function 0077810A: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00778121
                 • Part of subcall function 0077810A: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 0077812B
                 • Part of subcall function 0077810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 0077813A
                 • Part of subcall function 0077810A: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00778141
                 • Part of subcall function 0077810A: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00778157
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007786A3
              • _memcmp.LIBCMT ref: 007786C6
              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007786FC
              • HeapFree.KERNEL32(00000000), ref: 00778703
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
              • String ID:
              • API String ID: 1592001646-0
              • Opcode ID: 230291bbdb27b1c175a54f4cb09706ef3b8297521815c9e1e41d064b19edd2c3
              • Instruction ID: 1cac9fd3c82d766d33350d51f8d2a81de8c2c487f6914fdb36f89297f62fa235
              • Opcode Fuzzy Hash: 230291bbdb27b1c175a54f4cb09706ef3b8297521815c9e1e41d064b19edd2c3
              • Instruction Fuzzy Hash: B8216B71E80108EBDF10DFA4C949BEEB7B8EF45344F158059E458E7242EB38AE05CBA1
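The record above is the classic "does my token hold privilege X" sequence: GetTokenInformation with information class 3 (TokenPrivileges) is called once with a zero-length buffer so that GetLastError reports ERROR_INSUFFICIENT_BUFFER and the required size, a heap block of that size is allocated, the call is repeated to fill it, LookupPrivilegeValueW resolves a privilege name to its LUID, and _memcmp compares that 8-byte LUID against each entry. The following is an added illustration written for this page, not code recovered from the sample or from the AutoIt runtime: it decodes a TOKEN_PRIVILEGES buffer of the layout the second GetTokenInformation call fills (for example one copied out of a memory dump) and applies the same LUID comparison. The LUID table stands in for LookupPrivilegeValueW, since privilege LUIDs are fixed constants on every Windows build; the token bytes are constructed inline and are not taken from the analysed process.

```python
import struct

# Added illustration (not code from the sample or the AutoIt runtime): what a
# GetTokenInformation(TokenPrivileges) buffer looks like and how the
# LookupPrivilegeValueW + _memcmp sequence turns into a yes/no answer.

# TOKEN_INFORMATION_CLASS value passed as the 2nd GetTokenInformation argument.
TOKEN_PRIVILEGES_CLASS = 3          # TokenPrivileges (TokenIntegrityLevel is 25)

# TOKEN_PRIVILEGES: DWORD PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[].
# LUID_AND_ATTRIBUTES: LUID {DWORD LowPart; LONG HighPart}; DWORD Attributes.
_COUNT = struct.Struct("<I")
_ENTRY = struct.Struct("<IiI")

# Attribute bits (winnt.h).
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000

# Stand-in for LookupPrivilegeValueW: privilege LUIDs are fixed constants on
# every Windows build (SE_*_PRIVILEGE in ntddk), so a table works offline.
# Subset only; extend as needed.
WELL_KNOWN_LUIDS = {
    "SeTcbPrivilege": (7, 0),
    "SeBackupPrivilege": (17, 0),
    "SeRestorePrivilege": (18, 0),
    "SeShutdownPrivilege": (19, 0),
    "SeDebugPrivilege": (20, 0),
    "SeChangeNotifyPrivilege": (23, 0),
    "SeImpersonatePrivilege": (29, 0),
}


def parse_token_privileges(buf: bytes) -> list[tuple[tuple[int, int], int]]:
    """Decode a TOKEN_PRIVILEGES buffer into [((LowPart, HighPart), Attributes), ...].

    Raises ValueError when PrivilegeCount promises more entries than the buffer
    holds, which is the first thing to check on a buffer recovered from a dump.
    """
    if len(buf) < _COUNT.size:
        raise ValueError("buffer shorter than PrivilegeCount")
    (count,) = _COUNT.unpack_from(buf, 0)
    needed = _COUNT.size + count * _ENTRY.size
    if len(buf) < needed:
        raise ValueError(f"PrivilegeCount={count} needs {needed} bytes, got {len(buf)}")
    entries = []
    for i in range(count):
        low, high, attrs = _ENTRY.unpack_from(buf, _COUNT.size + i * _ENTRY.size)
        entries.append(((low, high), attrs))
    return entries


def is_well_formed(buf: bytes) -> bool:
    """True when the buffer parses without a length mismatch."""
    try:
        parse_token_privileges(buf)
        return True
    except ValueError:
        return False


def has_privilege(buf: bytes, name: str, require_enabled: bool = False) -> bool:
    """The check the sample's subroutine performs: resolve the name to a LUID,
    then compare that 8-byte LUID (the _memcmp) against every entry.

    Holding a privilege and having it enabled are different questions: an
    elevated administrator token holds SeDebugPrivilege, but it stays disabled
    until AdjustTokenPrivileges turns it on.
    """
    luid = WELL_KNOWN_LUIDS[name]
    for entry_luid, attrs in parse_token_privileges(buf):
        if entry_luid == luid:
            return bool(attrs & SE_PRIVILEGE_ENABLED) if require_enabled else True
    return False


def build_token_privileges(entries: list[tuple[str, int]]) -> bytes:
    """Constructed fixture: serialise (name, attributes) pairs in the kernel's
    layout so the parser can be exercised without a live token."""
    buf = bytearray(_COUNT.pack(len(entries)))
    for name, attrs in entries:
        low, high = WELL_KNOWN_LUIDS[name]
        buf += _ENTRY.pack(low, high, attrs)
    return bytes(buf)


# Constructed sample resembling three entries of an elevated admin token's
# TOKEN_PRIVILEGES; not captured from the analysed process.
SAMPLE_TOKEN = build_token_privileges([
    ("SeChangeNotifyPrivilege", SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED),
    ("SeShutdownPrivilege", 0),
    ("SeDebugPrivilege", 0),   # held, but not enabled
])

if __name__ == "__main__":
    for (low, high), attrs in parse_token_privileges(SAMPLE_TOKEN):
        print(f"LUID {high:08x}:{low:08x} attributes=0x{attrs:08x}")
    print("holds SeDebugPrivilege:", has_privilege(SAMPLE_TOKEN, "SeDebugPrivilege"))
    print("SeDebugPrivilege enabled:", has_privilege(SAMPLE_TOKEN, "SeDebugPrivilege", True))
```

The distinction between `has_privilege(..., require_enabled=False)` and `require_enabled=True` is the one that matters when triaging a sample like this: a match on the LUID alone tells the malware the token can be elevated with AdjustTokenPrivileges, whereas the enabled bit tells a responder what the process could already do at the moment the token was captured.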
              APIs
              • __setmode.LIBCMT ref: 007409AE
                • Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00787896,?,?,00000000), ref: 00725A2C
                • Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00787896,?,?,00000000,?,?), ref: 00725A50
              • _fprintf.LIBCMT ref: 007409E5
              • OutputDebugStringW.KERNEL32(?), ref: 00775DBB
                • Part of subcall function 00744AAA: _flsall.LIBCMT ref: 00744AC3
              • __setmode.LIBCMT ref: 00740A1A
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
              • String ID:
              • API String ID: 521402451-0
              • Opcode ID: 0e3661ed6a73da013aa966e4ab0d6c9eb7d2c7754d6a19e204795211ab5299cb
              • Instruction ID: 57effa93a02ef80b98269598015dce77b765c64057bb6152e4995e80e5ad0414
              • Opcode Fuzzy Hash: 0e3661ed6a73da013aa966e4ab0d6c9eb7d2c7754d6a19e204795211ab5299cb
              • Instruction Fuzzy Hash: 1D112771A04204EFDB04B7B4AC8FAFE77689F46320F648155F204A7182EF7C584257E5
              APIs
              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007917A3
                • Part of subcall function 0079182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0079184C
                • Part of subcall function 0079182D: InternetCloseHandle.WININET(00000000), ref: 007918E9
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Internet$CloseConnectHandleOpen
              • String ID:
              • API String ID: 1463438336-0
              • Opcode ID: 044678d8d0a0cebcdb267da6352ce492c5da7bb645dc2eb80013e99fd7802766
              • Instruction ID: 6de1ee4455788c31e1ab05a47804d52510c194381cd2a7b4a3f3ca687a4179be
              • Opcode Fuzzy Hash: 044678d8d0a0cebcdb267da6352ce492c5da7bb645dc2eb80013e99fd7802766
              • Instruction Fuzzy Hash: EF210B31200602BFDF129FA0EC00FBBB7E9FF89710F504429F91196550DB79D821A7A0
              APIs
              • GetFileAttributesW.KERNEL32(?,007AFAC0), ref: 00783A64
              • GetLastError.KERNEL32 ref: 00783A73
              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00783A82
              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007AFAC0), ref: 00783ADF
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CreateDirectory$AttributesErrorFileLast
              • String ID:
              • API String ID: 2267087916-0
              • Opcode ID: b6655b126bc8cedfd7516fbd32d5d6d7ab21873126599d2985f90328dee71438
              • Instruction ID: 0c1a5b281b8e802f0220ccb9e843826373e365ba04d7a2164ccd04d9938284b7
              • Opcode Fuzzy Hash: b6655b126bc8cedfd7516fbd32d5d6d7ab21873126599d2985f90328dee71438
              • Instruction Fuzzy Hash: 4D21B174148201CF8314EF28D8858AA7BE8FE56764F108A2EF499C72A1D7399E46CB43
              APIs
              • _free.LIBCMT ref: 00755101
                • Part of subcall function 0074571C: __FF_MSGBANNER.LIBCMT ref: 00745733
                • Part of subcall function 0074571C: __NMSG_WRITE.LIBCMT ref: 0074573A
                • Part of subcall function 0074571C: RtlAllocateHeap.NTDLL(00E10000,00000000,00000001,00000000,?,?,?,00740DD3,?), ref: 0074575F
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: a021debab228e68a020f7295427b1d8e73fe7c9db1dffae71b4536c3b75acf60
              • Instruction ID: cf3e435773e66418075bf2b48da38749d599ecb0278fd02f4e33606b4808a369
              • Opcode Fuzzy Hash: a021debab228e68a020f7295427b1d8e73fe7c9db1dffae71b4536c3b75acf60
              • Instruction Fuzzy Hash: BA11C1B2900E19EFCB213FB4AC5D79D3B989B053A2B204529FD489A151DFBC88449B95
              APIs
              • _memset.LIBCMT ref: 007244CF
                • Part of subcall function 0072407C: _memset.LIBCMT ref: 007240FC
                • Part of subcall function 0072407C: _wcscpy.LIBCMT ref: 00724150
                • Part of subcall function 0072407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00724160
              • KillTimer.USER32(?,00000001,?,?), ref: 00724524
              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00724533
              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0075D4B9
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
              • String ID:
              • API String ID: 1378193009-0
              • Opcode ID: 6e0d85b9ab943307591a58570d667e571f8df8e26ada234b2dae80389db3f1a6
              • Instruction ID: 25c94dad73a26dfeca88ba057cf13b017394d6807bf03627e2b45da7bbab6b1f
              • Opcode Fuzzy Hash: 6e0d85b9ab943307591a58570d667e571f8df8e26ada234b2dae80389db3f1a6
              • Instruction Fuzzy Hash: 6E21F5709047D4AFE732CB249845BE6BBECAB05309F04009DEBCA9A141C7B82D88CB45
              APIs
                • Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00787896,?,?,00000000), ref: 00725A2C
                • Part of subcall function 00725A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00787896,?,?,00000000,?,?), ref: 00725A50
              • gethostbyname.WSOCK32(?,?,?), ref: 00796399
              • WSAGetLastError.WSOCK32(00000000), ref: 007963A4
              • _memmove.LIBCMT ref: 007963D1
              • inet_ntoa.WSOCK32(?), ref: 007963DC
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
              • String ID:
              • API String ID: 1504782959-0
              • Opcode ID: a983a9d54f5c7a62849a58f2679c830e9b611c521c0c230a9fc989506bc463a6
              • Instruction ID: a888b0a04b7a0c0de26c8bc104d52d58edcb083ffc71ef8d920a83c8b3d20dbc
              • Opcode Fuzzy Hash: a983a9d54f5c7a62849a58f2679c830e9b611c521c0c230a9fc989506bc463a6
              • Instruction Fuzzy Hash: 1B116072500119EFCF04FBA4ED4ACEEB7B9EF45310B148165F505A7161DB38AE14DB61
              APIs
              • SendMessageW.USER32(?,000000B0,?,?), ref: 00778B61
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00778B73
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00778B89
              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00778BA4
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: 46a741c296a5de4e4826ceaac7bef05eabb832665e5e7e1891f312cda248bd3d
              • Instruction ID: ebb713f5ad28c550eba2e6fb6b2a6b3e73670139ef56296d049ad2e58dc27a24
              • Opcode Fuzzy Hash: 46a741c296a5de4e4826ceaac7bef05eabb832665e5e7e1891f312cda248bd3d
              • Instruction Fuzzy Hash: 2D113AB9940218FFDF11DB95C884EADBB74EB48350F204095E904B7250DA716E10DB94
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • DefDlgProcW.USER32(?,00000020,?), ref: 007212D8
              • GetClientRect.USER32(?,?), ref: 0075B5FB
              • GetCursorPos.USER32(?), ref: 0075B605
              • ScreenToClient.USER32(?,?), ref: 0075B610
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Client$CursorLongProcRectScreenWindow
              • String ID:
              • API String ID: 4127811313-0
              • Opcode ID: e7a8e43358dc2310a638dacd3319aa37be094f13544eae2c615955280b83f594
              • Instruction ID: 8231bf4710c4cd68095b2f45fe71ab86062506a92f8041dab4f5be6366aa576e
              • Opcode Fuzzy Hash: e7a8e43358dc2310a638dacd3319aa37be094f13544eae2c615955280b83f594
              • Instruction Fuzzy Hash: BA112B35A00069EFCB10DF94E8899EE77F8FB56301F504455F901E7141D738BA51CBA9
              APIs
              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0077D84D
              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0077D864
              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0077D879
              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0077D897
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Type$Register$FileLoadModuleNameUser
              • String ID:
              • API String ID: 1352324309-0
              • Opcode ID: c49c40bc01684d6d54dfe6bd15214d5f9246e8bdc3f6d5e191233881b1587561
              • Instruction ID: 27b4e23d7d69c34c0155e08c7a1f982425047be7f9f129c1427ac98a3ff020ce
              • Opcode Fuzzy Hash: c49c40bc01684d6d54dfe6bd15214d5f9246e8bdc3f6d5e191233881b1587561
              • Instruction Fuzzy Hash: C411A1B5605304DBEB308F90DC08F93BBBCEF44B50F10C569E51AC6040D7B8E9089BA2
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 4dc8c512a39e9760f9ac9e9f12b33c549085bb7f9e0fa38d3aebce467a09eaf2
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: 63014B7244814EBBCF1A5E84EC05CEE3FA6BB18352B588415FE1859071D27AC9B9EB81
              APIs
              • GetWindowRect.USER32(?,?), ref: 007AB2E4
              • ScreenToClient.USER32(?,?), ref: 007AB2FC
              • ScreenToClient.USER32(?,?), ref: 007AB320
              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007AB33B
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ClientRectScreen$InvalidateWindow
              • String ID:
              • API String ID: 357397906-0
              • Opcode ID: ea7305400be4abb7e9ddc8f78c2b543a644bb1aaa83bf33be0091849ea15fd94
              • Instruction ID: 7e1d865055a4d2833ef428c382ab186c9ccb645dbfbfa3a1ff5fc1c64da4ae81
              • Opcode Fuzzy Hash: ea7305400be4abb7e9ddc8f78c2b543a644bb1aaa83bf33be0091849ea15fd94
              • Instruction Fuzzy Hash: 781144B9D00209EFDB41CFA9C8849EEBBF9FF49311F108166E914E3220D735AA559F94
              APIs
              • EnterCriticalSection.KERNEL32(?), ref: 00786BE6
                • Part of subcall function 007876C4: _memset.LIBCMT ref: 007876F9
              • _memmove.LIBCMT ref: 00786C09
              • _memset.LIBCMT ref: 00786C16
              • LeaveCriticalSection.KERNEL32(?), ref: 00786C26
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CriticalSection_memset$EnterLeave_memmove
              • String ID:
              • API String ID: 48991266-0
              • Opcode ID: 786b932ef59e2d4ed366a673bafccdd196135f55814c89e61420cc23bacf03c1
              • Instruction ID: 5b01cb9efa15269a640cb0d6cc77521a7ed2dec35880c20c771131301de47ba7
              • Opcode Fuzzy Hash: 786b932ef59e2d4ed366a673bafccdd196135f55814c89e61420cc23bacf03c1
              • Instruction Fuzzy Hash: E9F0543A200100BBCF456F95DC89A4ABB29EF85320F04C061FE085E267D735E811CBB5
              APIs
              • GetCurrentThread.KERNEL32 ref: 0077871B
              • OpenThreadToken.ADVAPI32(00000000,?,?,?,007782E6), ref: 00778722
              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007782E6), ref: 0077872F
              • OpenProcessToken.ADVAPI32(00000000,?,?,?,007782E6), ref: 00778736
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CurrentOpenProcessThreadToken
              • String ID:
              • API String ID: 3974789173-0
              • Opcode ID: 2b9291216053feac05d719409a7dcc5dc20c30b182253f614b77ecd2e1207be3
              • Instruction ID: 85752b35b67b10afb79cd3d844c2714915a7d2b4445b1687cdf9a9e3a6d9c88e
              • Opcode Fuzzy Hash: 2b9291216053feac05d719409a7dcc5dc20c30b182253f614b77ecd2e1207be3
              • Instruction Fuzzy Hash: B8E086366512119BDB605FF09D0CB973BACEF927D1F14C828F24AC9080DA3C8441C755
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID: %{
              • API String ID: 0-3407211727
              • Opcode ID: 28a0301c7d86dbd1caf059bcb4835bc7666877053a4d102231cfa76f1df9d662
              • Instruction ID: 86edab6cf3415980c3ecb31ab357124d880ce98c0d94075b4a8629e09aff8add
              • Opcode Fuzzy Hash: 28a0301c7d86dbd1caf059bcb4835bc7666877053a4d102231cfa76f1df9d662
              • Instruction Fuzzy Hash: 4EB19E71900129DBCF24EF94E8859FEB7B5FF48310F104127E956A7292EB389E85CB91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
               • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __itow_s
              • String ID: xb~$xb~
              • API String ID: 3653519197-3572622674
              • Opcode ID: cd3129e52eafb88a1cfa816871b96e429a880519e4920a444f500dc9cb1ed279
              • Instruction ID: 25b23ce8065c51dc31e09d819f521719ce4633b7f78d6a09e0b08f4739e00020
              • Opcode Fuzzy Hash: cd3129e52eafb88a1cfa816871b96e429a880519e4920a444f500dc9cb1ed279
              • Instruction Fuzzy Hash: 62B1A170A00109EFCF14DF54E995DBABBB9FF58310F148059FA459B291EB38E980CBA0
              APIs
                • Part of subcall function 0073FC86: _wcscpy.LIBCMT ref: 0073FCA9
                • Part of subcall function 00729837: __itow.LIBCMT ref: 00729862
                • Part of subcall function 00729837: __swprintf.LIBCMT ref: 007298AC
              • __wcsnicmp.LIBCMT ref: 0078B02D
              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0078B0F6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
              • String ID: LPT
              • API String ID: 3222508074-1350329615
              • Opcode ID: 314fdf92c4bc089daff2c26ec8c8006518dac629aff995559abf09672f2a8d5b
              • Instruction ID: 7668334d3e4fc85e9733c317c670743cda6e9d882d3bd059e58ff8e40ebdee79
              • Opcode Fuzzy Hash: 314fdf92c4bc089daff2c26ec8c8006518dac629aff995559abf09672f2a8d5b
              • Instruction Fuzzy Hash: 3461C575E40218EFCB14EF94D899EAEB7B5EF09310F144069F916AB391D738AE40CB54
              APIs
              • Sleep.KERNEL32(00000000), ref: 00732968
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00732981
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: GlobalMemorySleepStatus
              • String ID: @
              • API String ID: 2783356886-2766056989
              • Opcode ID: 2100af5003261345a812e330f66480f453a04838f925e08a55dd0677ccfbad6b
              • Instruction ID: 871dfdeed2ddb26fd2fde58cebf8cd3984bacb4f8fca494479be5af6b86f3bd5
              • Opcode Fuzzy Hash: 2100af5003261345a812e330f66480f453a04838f925e08a55dd0677ccfbad6b
              • Instruction Fuzzy Hash: 13514572408754DBD320EF10E88ABAFBBE8FB85354F46885DF2D8410A1DB359529CB66
              APIs
                • Part of subcall function 00724F0B: __fread_nolock.LIBCMT ref: 00724F29
              • _wcscmp.LIBCMT ref: 00789824
              • _wcscmp.LIBCMT ref: 00789837
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: _wcscmp$__fread_nolock
              • String ID: FILE
              • API String ID: 4029003684-3121273764
              • Opcode ID: b9bf06f25b960786377b0dfa60e5e08de4701f99514a01f49674b87d5683b70d
              • Instruction ID: 19825d7d347a234a63139a99a0709edd67175a8f549feaba83bb8669bf6dfbd1
              • Opcode Fuzzy Hash: b9bf06f25b960786377b0dfa60e5e08de4701f99514a01f49674b87d5683b70d
              • Instruction Fuzzy Hash: EE41C871A4021ABADF20AEA0DC49FEFB7BDDF85710F040469FA04B7181DB79A9048B61
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ClearVariant
              • String ID: Dd~$Dd~
              • API String ID: 1473721057-373322267
              • Opcode ID: 61caa01a63a9af09e8da0a815bbd66d0e19d087865a92127a7f0c8b20c9aa51b
              • Instruction ID: 8618f75da192704c8699a40f713c88b501ef5226960706b37bf30d332a71d6be
              • Opcode Fuzzy Hash: 61caa01a63a9af09e8da0a815bbd66d0e19d087865a92127a7f0c8b20c9aa51b
              • Instruction Fuzzy Hash: E9510478605391EFDB54CF19D580A1ABBF1BB99750F54881CE9858B361E339EC81CF82
              APIs
              • _memset.LIBCMT ref: 0079259E
              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007925D4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CrackInternet_memset
              • String ID: |
              • API String ID: 1413715105-2343686810
              • Opcode ID: 707bcba7ae19f64351ff59a64b17864454f03aa7b9e10312a7d00f229d8022fb
              • Instruction ID: d61073124fc61d6372ce1eda54915527c53e009e730a6cf289ff01617393da15
              • Opcode Fuzzy Hash: 707bcba7ae19f64351ff59a64b17864454f03aa7b9e10312a7d00f229d8022fb
              • Instruction Fuzzy Hash: 24311A71800119EBCF15EFA1DC89EEEBFB8FF08350F104059F915A6262EB395956DB60
              APIs
              • DestroyWindow.USER32(?,?,?,?), ref: 007A6B17
              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007A6B53
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$DestroyMove
              • String ID: static
              • API String ID: 2139405536-2160076837
              • Opcode ID: aae456290eb135274503474a8f3313fef4fcc75277e52540f1c7c57443f88c1c
              • Instruction ID: 19aa2b7b48c354df9dc03a88025d6096e2f614482b9bda1c3ba51fd3b4cf8176
              • Opcode Fuzzy Hash: aae456290eb135274503474a8f3313fef4fcc75277e52540f1c7c57443f88c1c
              • Instruction Fuzzy Hash: 0931A1B1200604AEDB109F74CC80BFB73A9FF89760F148619F9A5D7190DA38AC91CB60
              APIs
              • _memset.LIBCMT ref: 00782911
              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0078294C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: d1e88b4ea694fdb153e9335b3783c87b1d121d5ae8d6175a7e78442447bd8c99
              • Instruction ID: 1289deaa55fd48f9c25e4211e06dd76aff60528ffe62270e8646a7f96d3051d8
              • Opcode Fuzzy Hash: d1e88b4ea694fdb153e9335b3783c87b1d121d5ae8d6175a7e78442447bd8c99
              • Instruction Fuzzy Hash: 66312531A40305EFEF24EF59C885BAEBBB8EF05351F140029ED81B61A2D778A942CB51
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
                • Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC
              • GetParent.USER32(?), ref: 0075B7BA
              • DefDlgProcW.USER32(?,00000133,?,?,?,?,?,?,?,?,007219B3,?,?,?,00000006,?), ref: 0075B834
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: LongWindow$ParentProc
              • String ID: P`
              • API String ID: 2181805148-2971936014
              • Opcode ID: 6f7e553ab75e1e7c1917b1d49a27c22ff72f8390aeb91ebdfd1559045e7413c8
              • Instruction ID: 1ef68bbf2fcebdbf4220731de30931c6d03b55cf600f4b5142996a70c5e4ec7d
              • Opcode Fuzzy Hash: 6f7e553ab75e1e7c1917b1d49a27c22ff72f8390aeb91ebdfd1559045e7413c8
              • Instruction Fuzzy Hash: 3221B634201558EFCB208F28D888DA93B96FF9A325F944250F9255B3F2C779AD12DB50
              APIs
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007A6761
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A676C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: Combobox
              • API String ID: 3850602802-2096851135
              • Opcode ID: d5e766b9b305d143223cdc9d2fa2043d10d53325206cb09057023462734722ed
              • Instruction ID: 49630193d619d362783adebd0a123c724848b9fe4e2737d21115a44676d50dc2
              • Opcode Fuzzy Hash: d5e766b9b305d143223cdc9d2fa2043d10d53325206cb09057023462734722ed
              • Instruction Fuzzy Hash: 7E11C4B5310208AFEF11DF64CC84EBB376AEBDA368F154229F91497290D639DC9187A0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID: P`
              • API String ID: 0-2971936014
              • Opcode ID: 15bb0dc1e9800867960dd9e3dfda67d82f7ad645d931cabfa2f42484ceee065e
              • Instruction ID: 9efa5c8c250f31cec49b10784783b0544d6cbb59288b33ade5318b68e6689d5f
              • Opcode Fuzzy Hash: 15bb0dc1e9800867960dd9e3dfda67d82f7ad645d931cabfa2f42484ceee065e
              • Instruction Fuzzy Hash: D2216D35124118FFEB109E64CC45FBA37A4EB8A310F504265FB12DA5E0D679EA20DB70
              APIs
                • Part of subcall function 00721D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00721D73
                • Part of subcall function 00721D35: GetStockObject.GDI32(00000011), ref: 00721D87
                • Part of subcall function 00721D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00721D91
              • GetWindowRect.USER32(00000000,?), ref: 007A6C71
              • GetSysColor.USER32(00000012), ref: 007A6C8B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Window$ColorCreateMessageObjectRectSendStock
              • String ID: static
              • API String ID: 1983116058-2160076837
              • Opcode ID: 7e9c026e53ac076c8315b1cc4db386f5780471d255f9f49ba7bceb9399fae7c1
              • Instruction ID: 7d6c58eb5ed8f3862b494d75e15f8433e90fe684431eea53e3fa269f1c962f76
              • Opcode Fuzzy Hash: 7e9c026e53ac076c8315b1cc4db386f5780471d255f9f49ba7bceb9399fae7c1
              • Instruction Fuzzy Hash: 65215672A10219AFDF04DFB8CC45AEA7BA9FB49314F044A28F995D2250D639E860DB60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CreateMenuPopup
              • String ID: P`
              • API String ID: 3826294624-2971936014
              • Opcode ID: 6628cea5e239b893f312a2fa8dace90f6febdc3be2efe9587fcf356a435e75eb
              • Instruction ID: 185dff406b036a831c66831886bdb40de488ce5d4e74987a3f12eac785f829dd
              • Opcode Fuzzy Hash: 6628cea5e239b893f312a2fa8dace90f6febdc3be2efe9587fcf356a435e75eb
              • Instruction Fuzzy Hash: C4219D78501A09DFCB20CF28C444BD677E5FB8A324F488269E8598B3A1C339AC56CF51
              APIs
              • GetWindowTextLengthW.USER32(00000000), ref: 007A69A2
              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007A69B1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: LengthMessageSendTextWindow
              • String ID: edit
              • API String ID: 2978978980-2167791130
              • Opcode ID: 5496b47fa8df8033287cfb9f5497658f5bfa187c2612a7a9c4c0c3ba6eda1f82
              • Instruction ID: e4fa693dff9780c740333877d4e3ed9b625d399380c2e5b87fbbae475b47248b
              • Opcode Fuzzy Hash: 5496b47fa8df8033287cfb9f5497658f5bfa187c2612a7a9c4c0c3ba6eda1f82
              • Instruction Fuzzy Hash: BA118C71500208AFEB108E74DC44AEB37A9EB96378F544728F9A5971E0C739EC519B60
              APIs
              • _memset.LIBCMT ref: 00782A22
              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00782A41
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: InfoItemMenu_memset
              • String ID: 0
              • API String ID: 2223754486-4108050209
              • Opcode ID: 4d1a3acb7280bcccf51c7597e5afc4b5d64bff13f5920c199692b182fa3ed710
              • Instruction ID: 44b414358cf5865259c5bdb2c957fdde11b96e85806164e7eef4a68ee01e376d
              • Opcode Fuzzy Hash: 4d1a3acb7280bcccf51c7597e5afc4b5d64bff13f5920c199692b182fa3ed710
              • Instruction Fuzzy Hash: 7811D336941118EBCB38EA98D944B9A77A8AF45315F04C021EC55E7292D738AD07C792
              APIs
              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0079222C
              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00792255
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Internet$OpenOption
              • String ID: <local>
              • API String ID: 942729171-4266983199
              • Opcode ID: 281943512b1b8c13a63382e6ac95fe840c6a97ac7c46114ec9d48b819c37723a
              • Instruction ID: 6ffacab100a9b66250f446069726553364808c757f1504124de5dacda544ff72
              • Opcode Fuzzy Hash: 281943512b1b8c13a63382e6ac95fe840c6a97ac7c46114ec9d48b819c37723a
              • Instruction Fuzzy Hash: 59112570541225FADF28AF51AC85EFBFBACFF06751F10822AFA0446001D3785892D6F0
              APIs
              • SendMessageW.USER32(?,?,?,?), ref: 007A8530
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: MessageSend
              • String ID: P`
              • API String ID: 3850602802-2971936014
              • Opcode ID: c5f5d239e17435bb43e5264634a9feeec6275d1dedf9c89d43e078e9bb9738fb
              • Instruction ID: 130f0258665387aa6c70fca603bb47308201a1edd065186c4e4e780ae78c0ebe
              • Opcode Fuzzy Hash: c5f5d239e17435bb43e5264634a9feeec6275d1dedf9c89d43e078e9bb9738fb
              • Instruction Fuzzy Hash: C5211775A00209EFCB45CF94D8408EA7BB5FB8D340B004654FD01A7320DB35ED61DB91
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID:
              • String ID: P`
              • API String ID: 0-2971936014
              • Opcode ID: 22325ca6a13e1609487d8cf9340cdb09e4f3382bbe52332e4ccb0880c008d99b
              • Instruction ID: a78f7bab7f338bcbf3f00928c55ed43106193ff937c7421d486c7b7c1af7916e
              • Opcode Fuzzy Hash: 22325ca6a13e1609487d8cf9340cdb09e4f3382bbe52332e4ccb0880c008d99b
              • Instruction Fuzzy Hash: 9E112B34604604EFCB20DF28D880EA57BE6BB89320F148259F9699B2E1C775E945CF90
              APIs
              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00723C14,007E52F8,?,?,?), ref: 0073096E
                • Part of subcall function 00727BCC: _memmove.LIBCMT ref: 00727C06
              • _wcscat.LIBCMT ref: 00764CB7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FullNamePath_memmove_wcscat
              • String ID: S~
              • API String ID: 257928180-3256534576
              • Opcode ID: edd16496d48d66f23ecb0ebaff2b8be9d3b30bcb69b370733315cd8773a0a342
              • Instruction ID: 14bf19affe80a8a59cc5d59b00a84fdaa99791a142808c9b6cc70fdca9051a92
              • Opcode Fuzzy Hash: edd16496d48d66f23ecb0ebaff2b8be9d3b30bcb69b370733315cd8773a0a342
              • Instruction Fuzzy Hash: A211E530A0220CDB9B00EBA0D809FCD73A8AF08355F0044A5B984D3282EAB8A6848B50
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC
              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00778E73
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 0ce1c94066dd38c852e0f2495928a1cf7c8bd6b17bc60921365cc55cec847e8c
              • Instruction ID: b5e45379bf4f6d476c88296e6a78184e96dc177686c8620fbb5add908ed47e21
              • Opcode Fuzzy Hash: 0ce1c94066dd38c852e0f2495928a1cf7c8bd6b17bc60921365cc55cec847e8c
              • Instruction Fuzzy Hash: D201F1B1741228EB9F18EBA0CC49CFE7368EF42360B048A19F869572E1EF395808D751
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: __fread_nolock_memmove
              • String ID: EA06
              • API String ID: 1988441806-3962188686
              • Opcode ID: ce34bc6a125297b40b281fe26dca971c7a111923d1ade9ff3c5e03c2c0c88227
              • Instruction ID: 2ff66f228347177da54ea76bf76dbd3f6f669195aacfa91f51a7f550c5b428e1
              • Opcode Fuzzy Hash: ce34bc6a125297b40b281fe26dca971c7a111923d1ade9ff3c5e03c2c0c88227
              • Instruction Fuzzy Hash: EC01F971944218BFDB58DBA8C81AEFEBBF8DB15311F00419BF552D2281E978A61487A0
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC
              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00778D6B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 01321a0cbf2e9d579ca2368bfe44dc520c5a154e20d3b33d9a329a9f3a6214ec
              • Instruction ID: 3f081405470ea3af6f17e08e34f04e1e49ee279373764370a55c4ed54a217269
              • Opcode Fuzzy Hash: 01321a0cbf2e9d579ca2368bfe44dc520c5a154e20d3b33d9a329a9f3a6214ec
              • Instruction Fuzzy Hash: E501B1B1B81118EBDF28EBA0C95AEFE77A8DF15380F104019B80963291DE295A08D262
              APIs
                • Part of subcall function 00727DE1: _memmove.LIBCMT ref: 00727E22
                • Part of subcall function 0077AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0077AABC
              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00778DEE
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ClassMessageNameSend_memmove
              • String ID: ComboBox$ListBox
              • API String ID: 372448540-1403004172
              • Opcode ID: 740eb41d92d7df1300d1fe3fcb32916cf8252f5e1a1c0b27cc6b2e528899e505
              • Instruction ID: f2841016607a9c662c0513e6cb1ea79913cf39c9280fbce7a066d6bc2b108f10
              • Opcode Fuzzy Hash: 740eb41d92d7df1300d1fe3fcb32916cf8252f5e1a1c0b27cc6b2e528899e505
              • Instruction Fuzzy Hash: 2B01F7B1B81118F7DF29E6A4C94AEFE77ACCF16340F108016B80963291DE2D5E08D272
              APIs
              • VariantInit.OLEAUT32(?), ref: 0077C534
                • Part of subcall function 0077C816: _memmove.LIBCMT ref: 0077C860
                • Part of subcall function 0077C816: VariantInit.OLEAUT32(00000000), ref: 0077C882
                • Part of subcall function 0077C816: VariantCopy.OLEAUT32(00000000,?), ref: 0077C88C
              • VariantClear.OLEAUT32(?), ref: 0077C556
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: Variant$Init$ClearCopy_memmove
              • String ID: d}}
              • API String ID: 2932060187-79343828
              • Opcode ID: 73ea7cc17b19c8777b486cbde763d63de049a262c2921480d8a4ffe7da84786f
              • Instruction ID: 776421ddc41248e48063515827a872e28f77e710f9ca454e97c89e423b82eab1
              • Opcode Fuzzy Hash: 73ea7cc17b19c8777b486cbde763d63de049a262c2921480d8a4ffe7da84786f
              • Instruction Fuzzy Hash: 88111E719007089FCB10DFAAD88489AF7F8FF18350B50862FE58AD7611E775AA44CF90
              APIs
                • Part of subcall function 00722612: GetWindowLongW.USER32(?,000000EB), ref: 00722623
              • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0075B93A,?,?,?), ref: 007AC5F1
                • Part of subcall function 007225DB: GetWindowLongW.USER32(?,000000EB), ref: 007225EC
              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007AC5D7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: LongWindow$MessageProcSend
              • String ID: P`
              • API String ID: 982171247-2971936014
              • Opcode ID: a96f247dabea14d79eade917917dfe047eeb32f1c5d21ba97b1c95764c3783ec
              • Instruction ID: 0502b1d2cd508a38885167c148a133840a468147b8a25d01adaa4fcdf871352d
              • Opcode Fuzzy Hash: a96f247dabea14d79eade917917dfe047eeb32f1c5d21ba97b1c95764c3783ec
              • Instruction Fuzzy Hash: 5E01DD31201214FBCB265F14DC48F6A3BA6FFCA364F144124F9511B2E1CB7AA821DB90
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: ClassName_wcscmp
              • String ID: #32770
              • API String ID: 2292705959-463685578
              • Opcode ID: 71e611f0c3320fd4d7eea13eccdb1d22d6a5b0129120f36f52b8c3a41e2cda4f
              • Instruction ID: 13348278247f882e837cfdaf558a959e0d48122601f1189fde335a238934bb1d
              • Opcode Fuzzy Hash: 71e611f0c3320fd4d7eea13eccdb1d22d6a5b0129120f36f52b8c3a41e2cda4f
              • Instruction Fuzzy Hash: DCE068326002282BE320ABA9AC49FA7F7BCEB95B70F00002BFD04D3040DA649A1187E0
              APIs
                • Part of subcall function 0075B314: _memset.LIBCMT ref: 0075B321
                • Part of subcall function 00740940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0075B2F0,?,?,?,0072100A), ref: 00740945
              • IsDebuggerPresent.KERNEL32(?,?,?,0072100A), ref: 0075B2F4
              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0072100A), ref: 0075B303
              Strings
              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0075B2FE
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
              • API String ID: 3158253471-631824599
              • Opcode ID: 85d62b273589c8dd4f5ad9b9c722935b3dc53009663a350b624afa2a671318a3
              • Instruction ID: f47f5b126c4ed4b9b15e82e40918601c0a48e131faa7ca4b2ca7cfd240437820
              • Opcode Fuzzy Hash: 85d62b273589c8dd4f5ad9b9c722935b3dc53009663a350b624afa2a671318a3
              • Instruction Fuzzy Hash: 91E0C9B02007518AD7209F68E5087967BE8FF44715F008A6DE856D6652E7FCA449CBA1
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A596E
              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007A5981
                • Part of subcall function 00785244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007852BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: ca18f7154e6c89f4765eabcba2d4f5f5231103ac3431289f8a83295d0961eef0
              • Instruction ID: c8f2b1a32817fa13f18e120796a2d4ea8f4a8afdb1e3571235bb788be13dce67
              • Opcode Fuzzy Hash: ca18f7154e6c89f4765eabcba2d4f5f5231103ac3431289f8a83295d0961eef0
              • Instruction Fuzzy Hash: E9D0C975784311B6E6A4BBB0AC4FF966A64BB41B50F004825F24AAA1D0C9E89810C668
              APIs
              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A59AE
              • PostMessageW.USER32(00000000), ref: 007A59B5
                • Part of subcall function 00785244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007852BC
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1374907324.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true
              • Associated: 00000000.00000002.1374840238.0000000000720000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007AF000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375022514.00000000007D4000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375085589.00000000007DE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1375110266.00000000007E7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_720000_0Ie2kYdPTW.jbxd
              Similarity
              • API ID: FindMessagePostSleepWindow
              • String ID: Shell_TrayWnd
              • API String ID: 529655941-2988720461
              • Opcode ID: d60f2e7a7c3a78227c365101c86a3e9308eb4dc25d80b66055472354e549962f
              • Instruction ID: 9a0eb6bb43ab48a300b7ed1e21880a2d231199d1bfe1b3c66b731766666a5889
              • Opcode Fuzzy Hash: d60f2e7a7c3a78227c365101c86a3e9308eb4dc25d80b66055472354e549962f
              • Instruction Fuzzy Hash: 28D0C9717C0311BAE6A4BBB0AC4FF966664BB45B50F004825F246AA1D0C9E8A810C668